October marks Cybersecurity Awareness Month and this year sees the campaign celebrate its 20th anniversary.
The campaign’s importance has grown significantly as reliance on digital technologies and the internet for everyday tasks has surged. Now, it is everybody’s responsibility to engage in good cybersecurity behaviors.
The US Cybersecurity and Infrastructure Security Agency (CISA) is at the forefront of the campaign, and has marked its 20th anniversary with the theme of ‘Secure Our World.’
Infosecurity Magazine caught up with two experts from the agency, Sara Pease, Deputy Associate Director for Strategic Relations, and Kaitlin Jewell, Associate Director of International Affairs in CISA’s Stakeholder Engagement Division, to discuss the evolution of Cybersecurity Awareness Month and the focus of this year’s campaign.
Infosecurity Magazine: How impactful do you believe Cybersecurity Awareness Month has been in its first 20 years? What are its most significant achievements?
Sara Pease: Over the past 20 years, Cybersecurity Awareness Month has really grown; it's a topic that now is part of our common vocabulary. The President each year issues a presidential proclamation deeming October as Cybersecurity Awareness Month and many, if not all of, the state governors follow suit.
Additionally, every year, the number of partners who are working with CISA and the National Cybersecurity Alliance, with Cybersecurity Awareness Month continues to rise. I think that its popularity, and the fact people are becoming more aware of the importance of adopting better online cyber habits, demonstrates its success.
IM: How have CISA’s activities during the campaign evolved since the agency was founded in 2018?
SP: In the past five years, things have changed a lot and become refined. This year we were really excited to announce the launch of ‘Secure Our World,’ and that is going to be an enduring cybersecurity awareness program.
Cybersecurity is a topic that is important 365 days a year, and under this new theme CISA announced its first public service announcement (PSA), which is 60 seconds long and is also available in 30 and 15 second increments. It highlights the four actions that folks can take to keep themselves, those they care about, their businesses, their employees and their customers more safe and secure online [use strong passwords, turn on MFA, recognize and report phishing and update software].
IM: How do you ensure awareness and messaging in areas such as passwords and phishing resonate effectively with the public?
SP: One of the first things that we wanted to do was make sure that what we developed was based on facts and data.
Therefore, for the first several months of the program, we focused on research to find out where the gaps are, who are we trying to reach and what are the best ways to reach them.
We realized through that research that there were four kind of categories – firstly, older adults, the baby boomers on up, and the adults category, who make up the largest group of people to focus on because they're the ones who may be taking care of children or of older family members or friends. They're also in places of influence in their business or may own their own businesses.
We then look at small and medium-sized businesses as they're at higher vulnerability and don't have as many resources as bigger companies. Additionally, there are industries which have particular risks like IT and manufacturing.
We also looked at where we should be focusing and what are the best ways to reach them. All of that was really the baseline for how we developed the program. We also consulted a number of our federal and private sector and association partners to talk with them to find out what would resonate and what wouldn’t.
Now that the program is out in the world, over time we're going to look and see what is working, what isn't, and make adjustments.
IM: How can the cybersecurity industry and professionals play a greater role in promoting the Cybersecurity Awareness Month campaign?
SP: In order for it to be successful, Cybersecurity Awareness Month needs a combination of the public and private sectors working together. As we developed this program, we talked a lot with the private sector and associations to understand what needs they're seeing and how we can best work together.
Groups working with us, such as hosting webinars, putting collateral on their websites, working to educate their groups internally, is really important. The other thing that we are doing is that CISA are hosting four webinars ourselves. It's every Tuesday in the month of October at 14:00 ET.
Helping to get the word out, promoting, and educating people and making it relatable, because that's really the key - everybody has a part to play in cybersecurity, this isn't something that just cyber experts can have a hand in.
There's also a lot of collateral toolkits and information that we have available on our website, either cisa.gov/cybersecurityawarenessmonth or cisa.gov/secureourworld.
IM: A major focus of this year’s campaign is promoting the use of strong passwords. Do you believe there needs to be more consistent advice around password creation globally? If so, how can this be achieved?
Kaitlin Jewell: At CISA, we are focused on being consistent in our messaging. We're encouraging people to have strong passwords, which translates for us into long, unique and random.
In addition, we're also encouraging people to use a password manager as part of the campaign, as that helps alleviate the burden of having to choose and remember passwords.
More generally, as mentioned we launched the Secure Our World Campaign in the US, which talks about a lot of these issues, and we would very much like to partner with entities internationally because we know cybersecurity and these issues are global, they don't have borders or boundaries. We've already had a few countries reach out to us and are starting to have conversations about what the next steps for partnership will look like.
We know that there's no one-size-fits-all approach to partnering with CISA on Secure Our World. We're just incredibly excited about sharing this effort with our partners and working to see what that partnership looks like with international entities that are interested in doing this jointly.
IM: What message do you have for people who are reluctant to use password managers following high-profile cyber-incidents impacting password manager providers?
KJ: Password managers are software and they can have vulnerabilities. Despite the incidents that have occurred, it is still safer to use a password manager than to reuse passwords across sites or fall for phishing attacks that have become so pervasive.
One thing I would say to remember on this is that when a scammer tricks someone into visiting an imposter website that looks like the real one, a password manager won't auto fill your password since you're not on the correct website. So even if you are fooled, the password manager is not.
Even when using a password manager, passwords can still be compromised and therefore we recommend everyone enable multifactor authentication as an extra layer of security to their accounts.