I think most people would agree that 2020 has seen several changes to normal. When we first consider this new normal, we remember the bad things – the coronavirus pandemic, face masks, closed businesses, and everyone’s favorite: quarantine. But there have been some good things to come about during this year of change. We have relearned the importance of handwashing, we have been reminded of the importance of respecting other peoples’ personal space, and most seriously, we have been reminded that, despite the sense of invincibility many feel during their teenage years, none of us has a guarantee of health and longevity.
This new normal gives us the opportunity to look at other aspects of our life with a new perspective. People are more aware of their personal safety, their health, and their loved ones. But there is a more selfish aspect: this awareness gives us the chance to reevaluate our personal and corporate cybersecurity practices. The United States Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is promoting October as National Cybersecurity Awareness Month (NCSAM).
What is NCSAM & How Do We Celebrate It?
NCSAM is a program designed to help address common cybersecurity training and awareness concerns by making resources available to small organizations. It brings structure to a problem which many organizations face – a task that is not the main focus of our teams. This is the 17th year of NCSAM and its attempt to help us all deal with cybersecurity threats. It does this by focusing on a different aspect each week during October:
- October 1 and 2: Official NCSAM Kick-off
- Week of October 5 (Week 1): If You Connect It, Protect It
- Week of October 12 (Week 2): Securing Devices at Home and Work
- Week of October 19 (Week 3): Securing Internet-Connected Devices in Healthcare
- Week of October 26 (Week 4): The Future of Connected Devices
“Great,” you say. “I’ll put it in my calendar right next to National Green Apple Day.” Before you snicker and move on to the next blog, consider how this might help out with your real-world needs.
What is Cybersecurity Awareness & Why is It Important?
Every organization has sensitive data. Each and every one. You don’t have to work for the CIA or a branch of the military to have information that needs to be kept away from someone else. The summer before I started college, I worked at a paper mill. This paper mill made several different types of paper. Papermaking has been around for thousands of years and the process of making paper is well known. In fact, many people have made paper in their own homes as a hobby. It might seem that there is no need for data security in this type of business, but I would disagree.
If every paper company made paper exactly like every other paper company, how could they expect to attract a new customer? If they used the same type of trees and the same chemicals, how would their paper be any better? If they followed the same processes of preparation, manufacture, and finish as every other paper maker, and if all their costs were the same, how could they have a product that would be cheaper or more attractive to the consumer than any of the other papermakers? These paper companies are successful only because they found a way of making paper that was different and resulted in a better piece of paper at a better price. That difference was their competitive advantage, and that advantage is very sensitive data.
Why is Cybersecurity Important?
Other businesses have data that is more obviously sensitive. Hospitals, perfume manufacturers, authors, and software developers all have data that must be secured. What data in your organization makes the difference between being successful and being just one of the others? Yes, I know you have heard this all before, but remember, we are looking at things with a fresh set of eyes in 2020, right?
Besides the proprietary information our organization has developed, we also have personnel records, salary schedules, and bonus plans that must be held securely, even from some of our own eyes. So to protect this data, the reason our business can make money and keep us all employed, we spend money on security tools and systems. We hire a bunch of people that don’t actually do the work the company makes money doing. Instead, they run the tools that we had to buy to keep the data safe. We have to spend money just to keep our secret sauce a secret.
Why Do We Need Cybersecurity Regulatory Requirements?
I am basically an optimist. I only say this so that you understand I firmly believe most people want to do good work. They take pride in doing a good job and not just enough to get by. They want to be able to say with pride, “Look at the good thing I just did.” I like being an optimist.
But I am also a realist. I know that not everyone cares about the quality of their work. They just want the reward that is the paycheck. There are companies with this attitude, and that has led to laws and contracts that specify minimum levels of behavior. We have rules for how we accept credit cards to pay for our products and services. We have other rules for how we manage our finances so that we can engender confidence with the other companies we do business with. There are legal requirements, contractual requirements, and requirements just because we are in a certain business sector.
All of these rules, these requirements, tell us how we have to protect our sensitive data. The rules say we have to have special technologies like firewalls and logging systems, and we have to hire outside vendors just to scan our systems looking for problems. In addition, don’t forget all those technologists we hired to run these non-money-making technologies.
Even the Smallest Cog Has a Job to Do
But wait, it gets better. There is a problem with our cybersecurity strategy. We spend all this money on technology to protect our data and the people to run it, and then we read a report from Verizon that says 30% of the breaches Verizon studied were caused by employees – our own people. These incidents were a mix of intentional and unintentional events, but they still resulted in a loss of money and brand confidence, as well as posing cybersecurity threats to the business.
The point is, we want our data secure and we need each of our team members to do their part to keep it secure. We can’t run the business without employees, but we do need to minimize mistakes. Remember, we decided, or at least I did, that most people want to do good work. But they sometimes need help in knowing the best way to do it.
So How Does NCSAM Help Me?
Take heart, not all is bad news. NCSAM’s purpose is to help address the 30% of issues we referred to from the Verizon report. User awareness takes many forms and NCSAM provides resources supporting these methods, including Twitter, Facebook, and LinkedIn posts, graphics for posters and email reminders, security awareness training videos, and much more.
National Cybersecurity Awareness Month may never be more fun than the State Fair, but I think that was canceled this year anyway. NCSAM does help directly with a real problem – how do we help users be aware of their actions and of how those actions impact our business’ bottom line? Here is a great NCSAM resource to check out:
Summary
National Cybersecurity Awareness Month isn’t your typical holiday, but it is definitely one worth “celebrating.” You can do this by ensuring your cybersecurity policies are enforced, and your employees are well trained. Here are some additional Linford blogs related to cybersecurity that you may find helpful:
- https://linfordco.com/blog/how-is-your-cyber-hygiene/
- https://linfordco.com/blog/reporting-entitys-cybersecurity-risk-management-program-controls-soc-cybersecurity/
- https://linfordco.com/blog/soc-2-reporting-criteria-cyber-information-security-incidents/
- https://linfordco.com/blog/cybersecurity-remote-staff-working-from-home/
- https://linfordco.com/blog/cmmc-cybersecurity-maturity-model-certification/
- https://linfordco.com/blog/how-to-choose-a-vpn-for-working-from-home/
- https://linfordco.com/blog/how-do-vpn-encryption-protocols-work/
- https://linfordco.com/blog/mobile-device-management-workforce-security/
If you have any additional questions regarding National Cybersecurity Awareness Month or any of the many audit services provided by Linford & CO, please contact us.
Terry L. Dalby is an experienced senior assessor and security engineer who has held principal technical roles for healthcare organizations and several large enterprises and service providers. He has consulted for organizations from virtually every sector, performing risk assessments, policy reviews, forensics, and security program development. Dalby has earned multiple security-related certifications including HCISSP, CISSP, CISA, CISM, CRISC, and CCSK, as well as vendor certifications from Microsoft, Cisco, and Checkpoint. He has a BS in Electronics Technology from Northern Michigan University (Summa Cum Laude).