National Cybersecurity Awareness Only Gets a Month?

In case you were not aware, October is National Cyber Security Awareness Month, an initiative designed to “engage and educate public and private sector partners through events and initiatives with the goal of raising awareness about cybersecurity.” 

In a perfect world, we would not stress this awareness for one month only. Awareness should be a constant, ongoing effort. However, since the DHS is making this a point of emphasis, why don’t we use this opportunity to focus on a Security Awareness Program?

I know. The standard response to “Awareness” is blah blah train employees blah blah security policy.

After 29 years of saying it, even I am tired. I have written about Security Awareness here before. But, that doesn’t mean we’re done with it. I once asked a client about their Security Awareness program and their response was to tell me where the Security Policy was on their Intranet. This was akin to asking him what his favorite color was and him responding, “42”. Yet, I am pretty sure he didn’t get the disconnect. You might be able to guess the content of one of the recommendations in his assessment report.

By now, we should all see the value of an awareness program. I have talked for years about the concepts of hard security versus soft security. Hard security includes firewalls, IPS, IDS, vulnerabilities – all of the technical controls that you use to manage risk in your environment. Soft security is essentially the way we create a firewall analogue for a person – the way we help a person manage risk. We are not going to solve every security-relevant problem in your environment with awareness training.

Information security awareness training is simply one more tool to ensure that people are correctly managing risk. We make them smarter about security, and maybe a little more paranoid. Security Awareness Training should include your security policy, but to be effective it should not be just about the policy. We now need to include extra things in our awareness program. If you have compliance requirements, you should be including those in your awareness program. HITECH requires that you teach employees proper handling procedures for PHI (Protected Health Information). On top of that, we need to teach people what “Security” means to the organization. What things does your organization need people to pay attention to?

For a reference point, I asked my college-aged daughters what they thought was important about information security awareness. Their first answer was “huh?” I did not explain much other than to mention that October was Cybersecurity Awareness Month and asked them what they would say if they were interviewing for an article on security awareness (sneaky, eh?). I think I ended up with three very good answers:


1. “Those stupid banking emails.”

2. “Hackers.”

3. “Passwords.”

Those Stupid Banking Emails

They didn’t actually mean “banking emails”; they meant phishing emails that look like banking emails. The ones that look like they are from your bank but are actually from a .lt site trying to get you to click on their link to log in and “fix” some kind of error in your account. These actually link to the Blackhole exploit kit, try to steal your username and password, or attempt something else nefarious.

I felt pretty proud that my daughter stopped one of her friends who was entering her checking account and routing numbers into an online web form to claim the “winnings” of which she had been notified in a phishing email. After my daughter mocked her like a Frenchman in Monty Python and the Holy Grail, she showed her friend how to hover over the link and see that it actually went to a .cn domain, and NOT to her US-based bank (when her friend retold the story I was so proud it brought a tear to my eye).

Identifying and stopping phishing emails continues to be a big challenge. I recently heard of a company where the employee list was exposed, and literally every employee received multiple versions of phishing emails. If the company received 30,000 phishing emails, how many do you think got opened and followed, resulting in exposure to some form of nastiness? If only 1% of incoming phishing emails were opened, that is 300 emails. How would you feel if you had 300 compromised computers in your network?

Your awareness program should include tutorials on how to identify phishing emails, and what to do with them when you receive them. I wrote an earlier article on identifying phishing emails that you can read here.
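One way to turn the hover-over-the-link check from the story above into an automated screen for an awareness exercise or a mail-filtering pilot, as an added Python example that is not from the original article: it parses the anchors in an HTML message, compares each link’s real destination against a list of domains you trust, and notes when the visible text names a different domain than the href. The bank name, domains and message are constructed, and the two-label domain heuristic is a simplification of real public-suffix handling.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    # Crude heuristic: keep the last two labels (login.example.cn -> example.cn).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def _domain_in_text(text):
    # Visible text counts as a URL only if it looks like one (has a dot, no spaces).
    t = text.strip()
    if "." not in t or " " in t:
        return None
    return urlparse(t if "://" in t else "http://" + t).hostname

def suspicious_links(html_body, trusted_domains):
    """Return (visible text, href, reason) for links that leave the trusted domains."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        real = registrable_domain(urlparse(href).hostname or "")
        if real in trusted_domains:
            continue
        reason = "destination %s is not a trusted domain" % (real or "<none>")
        shown = _domain_in_text(text)
        if shown and registrable_domain(shown) != real:
            reason += "; visible text shows %s" % registrable_domain(shown)
        findings.append((text, href, reason))
    return findings

# Constructed sample message (not a real bank and not a real phishing sample).
SAMPLE_EMAIL = """<p>Dear customer, please <a href="http://secure-login.example.cn/fix">
click here</a> to fix an error in your account, or visit
<a href="http://update.example.lt/login">www.examplebank.com/login</a>.
<a href="https://www.examplebank.com/help">Help</a></p>"""
```

Running `suspicious_links(SAMPLE_EMAIL, {"examplebank.com"})` flags the first two links and leaves the genuine help link alone.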

I have actually gotten to the point that when I see an email from any bank I assume it is a phishing email until proven otherwise. I suspect it is only a matter of time before I treat every email as suspicious.

Hackers

Besides the phishing emails, one of my daughters said “Hackers”. She had a hard time putting that into words other than starting with the same people who send phishing emails. She explained that she thinks that hackers attack companies, and go after people as a way to get to companies. Almost as an afterthought she said that they might go after her bank information. (But, she is a college student with no money and no credit card, so…) She eventually added five controls that she thought were important to help protect her from “hackers”.

1. “Update your security software.” By this she meant her anti-virus and anti-malware software. I smiled a little inside when it never occurred to her that you might not have “security software.” In the context of your awareness program, this is probably only a matter of leaving it alone.

2. “Windows Update.” ‘nuff said.

3. “Backups.” I was surprised at this until she explained, “Nothing sucks more than finishing a 30 page term-paper then having your computer crash without a backup.” I think her analysis was pretty appropriate. The voice of experience. (And, no, the Professor did not give her time to redo the assignment.) How your awareness program addresses this highly depends on how your organization supports backups. In the past I worked for an organization with no remote backup capabilities. If you wanted a backup it was completely your responsibility to copy your work onto the servers, which were backed up. But, if you do something that requires ANY action from employees, it better be in your awareness program.

4. “Don’t do stupid stuff.” I asked her about this, and while she was a little vague, her general response seemed to indicate that she felt you should not browse porn. The “porn” part is easy, but I really have no suggestions for how you teach people specifically to not do stupid stuff. Then again, that is kind of the whole point of a security awareness program – to help make sure people don’t do “stupid stuff”.

5. “Hope the hackers find someone else.” I am not sure I agree much with a security control that starts with the word “Hope”. I think this includes a measure of “there are no Atheists in foxholes”. Maybe with the moral of this story thrown in:

As two guys are fishing, a giant grizzly bear roars and charges out of the woods. The two guys turn and run, with one of them struggling to put on his tennis shoes as he does so. The second guy says “Bill, you are not going to be faster than that bear.” As he hops along Bill replies, “I don’t have to be faster than the bear, just faster than you.”

Passwords

Their issue with passwords was mostly to use passwords, and not use stupid ones (that “stupid” word came up a lot). So, no “password”, no “qwertyui”, no “abcd1234”. My one daughter actually had lots of “bad” password rules, and even mentioned a friend whose Facebook password was “facebook”. Additionally, don’t re-use the same password on other sites (well, in fairness, my one daughter said “too many other sites”). Don’t use your school or work password at home and vice versa. Beyond that, if we think about what your awareness program should say, standard password rules apply – construct good, strong, easy-to-remember passwords. But, again, whatever you use for passwords should be covered pretty explicitly in your awareness program.

That is an expansion on the view of two college students after I have practically beaten “security” and “privacy” into their heads for years. So, take two (mostly) normal kids, who, of course, always listen to everything their parents say. I mean, we all know every teenager thinks that their parents are full of sage advice (well, full of something…).

The point here is that if I can train my two (non-technical) daughters to be able to walk the Cybersecurity walk, then training adult professionals should not be difficult.

Related: Security Awareness Training: It’s The Psychology, Stupid!
