National Cybersecurity Awareness program 18 years on: Don't click that
Technology is addressing many of the cyberthreats, but the human element will always be a factor
If you've ever found yourself in an interminable meeting listening to the CISO ramble on about the important role you play in protecting yourself and the company from cyberthreats, you could probably point an accusatory finger in large part at the National Cybersecurity Awareness Month (NCSAM) program.
And to be fair, if you've ever found yourself sitting at your desk, staring at an email that didn't seem right – that seemed a little off – and you decided to just close the message and alert the cybersecurity team, you likely could give a nod of thanks to NCSAM.
Every October since 2004, the US Cybersecurity and Infrastructure Security Agency (CISA) and National Cybersecurity Alliance (NCA) in public-private cooperation have directed NCSAM in an effort to make organizations and individuals around the world more aware of the myriad cyberthreats out there and how to guard against them. NCA puts this message into its URL (staysafeonline.org).
Over the years, the theme can change – swinging between individual responsibility and organizational response but the core idea behind NCSAM remains: An educated workforce is the best defense.
Curtis Franklin, senior analyst at Omdia, views cybersecurity awareness on a spectrum. On one end is an employee who has little understanding of cybersecurity – "someone who, through ignorance, almost welcomes threat actors into the system" – while on the other side is the well-trained, up to date security professional.
"Realistically, organizations want their employees somewhere between those two," Franklin told The Register. "The purpose of making people aware and training them on cybersecurity is to move them realistically over the spectrum from the [left] to the right."
This month marks the 19th iteration of NCSAM, with the theme being "See Yourself in Cyber" to demonstrate that while cybersecurity is complex, it comes down to individuals, according to CISA. People can take such steps as enabling multifactor authentication, using strong passwords, recognizing and reporting phishing attempts, and keeping software updated.
According to Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint and a NCA board member, two trends that helped to fuel the NCSAM declaration were the creation of the Department of Homeland Security (DHS) – which brought cybersecurity under that aegis of a government agency – and the growing push for public-private collaboration in the space.
"The [NCSAM] nonprofit [NCA] actually already existed," Kalember told The Register. "It was three years old by the time that DHS actually helped create the awareness month, but it was that public-private partnership that was the other impetus alongside DHS owning that and certainly seeing the role that cyberattacks were playing in the lives of everyday people, which you could argue in 2004 was really at the front end of that curve."
There's good reason why individuals are in the crosshairs for this NCSAM. According to Verizon's 2022 Data Breaches Investigation Report, 82 percent of data breaches involved the human element. IBM noted in its 2022 Cost of a Data Breach report that the two most common initial attack vectors were compromised credentials (19 percent of breaches) and phishing (16 percent).
David Richardson, VP of products at security service edge (SSE) provider Lookout, told The Register that his company's number show that between the fourth quarter 2020 and Q4 2021 – during the height of the COVID-19 pandemic – exposure to phishing jumped 127 percent. Given that, CISA's recommendation that people learn to recognize and report phishing is crucial.
"Phishing attacks have continued to evolve in techniques and sophistication, but the basic approach of trying to create a sense of urgency or impersonating a figure of trust or authority has remained pretty constant," Richardson said.
Proofpoint's Kalember said that before 2017, exploiting known vulnerabilities were the chief entry for attacks. However, more recently, the recent Follina zero-day flaw in Windows was the most significant attack to exploit a CVE vulnerability.
"Follina was used in a very, very narrow range of targeted attacks compared to other things that rely on human vulnerability, like malicious macros, which Microsoft took some steps to get around," he said. "There are lots of other still human-powered exploits that absolutely dominate the landscape and that's been true since, in our data, about 2017. … It is human behavior that is what attackers exploit."
So going into its 19th year, how successful has NCSAM been?
"If the definition of success would be that cybersecurity is no longer a problem, then it hasn't succeeded," Franklin said. "But that requires an unrealistic definition. If your definition of success is that more organizations take cybersecurity seriously and more individuals within those organizations take cybersecurity seriously, it has succeeded."
There continues to be a fair amount of money circulating in security training. Analysts at Global Market Estimates expect the cybersecurity awareness training market will grow from more than $1.8 billion this year to $12.1 billion by 2027, driven in part by the spike in cyberattacks since the onset of the pandemic.
Kalember added that they are running programs year-round not only in October, though the annual cadence is a good reminder to executives that new people have been brought over the previous year and the staff probably could use an update. In addition, having a strong program in place can reduce cyber-insurance premiums.
Some businesses are skeptical about security awareness training, according to Rick Holland, CISO and VP of strategy at cybersecurity firm DigitalShadows. It's not a panacea – just another tool in the kit – and it's not going to prevent a targeted attack by a motivated adversary.
But "if the training minimizes the risks around commodity attacks, it frees defenders to focus on more strategic threats," Holland told The Register, "In addition, isn't it worth undertaking if the training helps employees protect themselves in their personal lives?"
It's not always an easy sell to employees, either. A survey of 2,000 employees in the US and UK by email security company Tessian found that 20 percent of respondents said they didn't care about cybersecurity at work and 10 percent they didn't care about it in their personal lives.
99 percent of the 500 IT and security leaders surveyed said a strong security culture is important in maintaining a strong security posture. It looks like awareness training isn't going anywhere.
Security awareness programs constantly need to strike balances, Kalember said. They still need to be technical – to move beyond the message of "think about it before you click on it" – but not so much so that employees lose interest. And they have to address modern threats, such as how easy it is now for cybercriminals to spoof other people or companies like third-party suppliers or cloud providers in the phishing emails they send, making it more difficult for employees to spot the threat.
Such threats reinforce the need for NCSAM and security awareness training programs, he said. There are now more remote workers running of their home WiFi networks and various Internet of Things devices, and ransomware remains highly disruptive. In addition, after all these years, email remains a primary way people communicate and send data back and forth.
Given that, the need for NCSAM won't disappear anytime soon, Kalember said. Still, it would be good if NCSAM messages swung back away from the technical and more to the personal. Much of the enterprise technology used now is more secure by default.
"Hopefully this will go more around things like social engineering, because the other thing that the average person is again unfortunately likely to encounter are the things that we don't talk about enough in cybersecurity because we want to talk about fancy stunt hacks and APTs, like romance scams and all kinds of the regular stuff that makes all this work," he said. "Business email compromise, for example, wouldn't work so well in terms of invoice fraud if they didn't have a bunch of bank accounts belonging to people who are in really unfortunate digital relationships that they can abuse to move that money around."
"That human vulnerability will always be there and, in my mind, that will be why this is relevant long, long into the future." ®