Although the industry is in the midst of National Cybersecurity Awareness Month and mindsets are currently very much focused on the issues surrounding information security awareness, there are some people in this industry for whom awareness issues are part of the everyday job.
One is Lauren Zink, security training and awareness program manager at Oportun, which has been developing its security awareness and engagement program for the past year. With the eyes of the industry particularly focused on security awareness this year due to the change in threats and working conditions, and with the world aiming to Be Cyber Safe due to awareness month, Infosecurity asked Zink what her job is like this time of the year.
Do you see Cybersecurity Awareness Month as something that can affect the public’s knowledge?
Absolutely, and in a positive way. If you are only holding internal events for employees at your company, but the information is impactful, it will likely roll over into their personal lives and even become a topic of conversation with their friends and family. If you can, offer some content within your awareness efforts that you label as public and encourage people to share it with people in their circle.
To take it another step forward, offer content that you can post externally on a website or social media that can be impactful and far reaching to the public.
Do you find these days – with cybersecurity surrounding us in the news, TV, movies and society – it is easier for people to understand cybersecurity?
To a certain extent, yes, but sometimes what people hear on a TV show or see in a movie isn’t an accurate representation of the real risks and the reality is those risks change and progress every single day. So even being in the industry it is sometimes hard to keep up with the vast amounts of threats and terminology.
Coming from the position of awareness, cybersecurity topics playing out in different forms of pop culture and mainstream media are at least getting some of the general security terminology out there, and sparking people’s interest in a way they maybe didn’t before. I think just hearing the words in a show, on the news or even on a popular podcast, for instance, is a good step in the right direction, which in turn can lead to more discussion and independent research on the topics.
What about issues like using strong passwords, enabling 2FA/MFA, running updates and not clicking on suspicious emails: are people aware of why they need to do those things?
Each of these has so many variables depending on the audience. Are people aware that they should have strong passwords? Yes. Whether they are actually doing this beyond what is required is the real question. It isn’t just strong passwords anymore; it is not reusing passwords, having a unique password for each account, not utilizing certain words or personal topics in passwords and even using a password manager, which takes awareness and education beyond just having a strong password.
As for 2FA/MFA, I think more people are aware of what this is, but there is still a long way to go in terms of getting people to actually implement it if it is not required. People still prefer convenience and put that far above security. There needs to be a shift in prioritization and people need to take the privacy and security into their own hands in their personal lives.
Regularly updating personal devices is often a topic that I think people take for granted because at most businesses their employer does this for them, removing their responsibility (which they should). So when the time comes for their personal devices to be updated, they just ignore it or wait until it is required unless the update is enticing with shiny new features.
Suspicious emails are a topic that is covered often, not only as part of security awareness programs but in the mainstream media as well. However, the cyber-criminals are always advancing their ways to make things harder to detect, which is why we as security awareness professionals aren’t trying to beat a dead horse, though it may seem like that. Instead, we look at phishing as the number one attack vector targeting humans both at work and at home and try to educate people on how to protect themselves any time they open an email on any device.
As someone whose role is to raise awareness full time, what do you think of these campaigns that are only run for a short period? Do you think these are effective, or would you prefer to see a more sustained effort?
I do think NCSAM is an amazing effort that helps provide free resources to companies and individuals to help create awareness on a larger scale. However, a company cannot rely just on an annual training that checks the box paired with the monthly event in October.
I personally think that in order to have effectual change in the culture of a company that will in turn make it more safe and secure, there needs to be a full-time effort dedicated solely to a robust, tailored and multi-faceted security awareness program.
The theme this year is very much focused on IoT and connected devices; have you done much awareness work around these devices?
I have done some in the past. Last year we really focused on that topic, but this year we really had to pivot given current events and how people are working today versus one year ago. I think most people likely changed their plans, approach and topics for NCSAM given the circumstances of the year.
How to work securely from anywhere is a topic we really focused on this year, not only for NCSAM, but once COVID-19 started and people were forced to leave the office. I do think IoT is a huge risk that more and more people are inviting into their homes and lives, and because it makes our lives so much easier to utilize these devices, it is an intriguing awareness topic. It never hurts to cover the basics (passwords, MFA, updates) that also factor in secure IoT.