Maybe We Should Strive for Cyber Security Unawareness

While October is National Cyber Security Awareness Month (NCSAM) in the U.S., security awareness is a quaint idea when the news is regularly full of security breaches.

NCSAM is an annual campaign, sponsored by the Department of Homeland Security and the National Cyber Security Alliance since 2004, to “raise awareness about the importance of cybersecurity, provide them with tools and resources needed to stay safe online, and increase the resiliency of the Nation in the event of a cyber incident.” 

Their primary approach for raising awareness is a social media campaign designed to share the “Stop.Think.Connect. Toolkit,” which is a useful collection of security best practices that can be tailored to different users such as students, government, small business or young professionals. Last year’s campaign results are noted in the following infographic (Image Credit: DHS):

[Infographic: Cybersecurity Stats]

It’s an impressive set of numbers and it’s a worthwhile effort if you agree that people are the weakest link in security.

Yet, when the mainstream media is covering breaches, and the breach reach has expanded to ensnare all types of industry and almost every adult in the US, awareness of cyber security threats doesn’t really seem to be the issue. Raising awareness of the implications and steps to prevent breaches is helpful, but only to the point that people actually take action to reduce the risk for themselves, their families and their organizations.

Growing numb to attacks

There is risk involved with too much awareness. Like the proverbial boy who cried wolf, every warning that brings no consequence serves to numb the average person to the risks of cyber attacks. Following the Equifax breach, only about a quarter of the U.S. adult population checked their credit score or credit report in the first two weeks. Less than 1% of consumers have put a credit freeze in place. For all the visibility this attack has brought, it’s produced a collective yawn from consumers.

That consumer callousness can translate into employee ennui. Employees are consumers in a different context, prone to ignore security best practices as well. Expediency is rarely sacrificed for security. For all the encouragement to not reuse passwords and to make them impossible to guess, the top 25 most common passwords don’t change all that much. Many don’t think twice about connecting to free public Wi-Fi and transmitting sensitive data while traveling. And weaponized email containing malware or phishing scams continues to work well for hackers.

How do we improve awareness?

If awareness isn’t working to change the behavior of employees and consumers, is there anything that can be done? Perhaps it isn’t the general public that really needs the attention. While every person has a role to play in security, if we really want to help improve security postures, we need to focus awareness at the top of organizations. 

Boards need to have the expertise to understand cyber security practices and demand accountability to standards from executives. That should include anticipating and mitigating the likely human failures, including these scenarios:

• Servers and applications will accidentally remain unpatched. But a vulnerable server isn’t worth much to a hacker if the sensitive data stored on it is encrypted.

• People will forget to change the default admin password. But if two-factor authentication is in place, then the password alone won’t be sufficient to access a server.

• No matter how much training is provided on spotting a malicious email, users will click a link to something that interests them. But user behavior analytics can identify if a user’s account starts behaving strangely due to compromised credentials.

• Privileged users are generally loyal employees, though it only takes one disgruntled one to become your Edward Snowden. Restrict the amount of access privileged users have, and monitor and record their activities with privileged account management to deter malicious activity.

• Developers don’t intend to use a code library with a known vulnerability. But at the speed of DevOps, security testing must shift left into the continuous delivery pipeline to avoid being forgotten.

Human nature being what it is, even 100 percent awareness of cyber security challenges isn’t going to significantly improve the security postures of our organizations. We have to consider the downside of over-awareness in generating disinterest as well. Maybe it’s time to strive for less awareness on the part of general users and focus more security awareness on the decision makers who can make a bigger difference in improving the security posture of our organizations.
