Looking beyond Cybersecurity Awareness Month

The Cybersecurity Awareness Month story began as a partnership between an American governmental agency—​the Cybersecurity and Infrastructure Agency (CISA)--and the National Cyber Security Alliance non-profit. The inaugural Cybersecurity Awareness Month was held in 2004, marking 2022 as its 19th year. Not to be left behind, the European Union and Australia, following the precedent set by the United States, created their own month-long cyber-celebrations, also held in October.

In President Biden’s words, the goal of Cybersecurity Awareness Month is to: "highlight the importance of safeguarding […​] critical infrastructure from malicious cyber activity and protecting citizens and businesses from ransomware and other attacks. We also raise awareness about the simple steps [people] can take to secure their sensitive data and stay safe online."

It’s impressive (and imperative) that we in the information security profession have managed to carve out this space in the public discourse. We should be thrilled that we get a whole month of the year when Privacy only gets a week. Although some debate the merits of having a month dedicated to information security issues, Cybersecurity Awareness Month grows ever stronger.

Malicious actors don’t restrict their malicious actions to the month of October. In fact, the months following October mark the high point of cyber attacks. With the holiday season approaching, phishing attacks increase as people purchase presents for their loved ones. Decreased staffing levels around this time also weaken cyber attack responses.

In the first week of November alone, there have already been over 400 new CVEs created. One of which, released on November 1st (that’s right, a day after Cybersecurity Awareness Month), was a vulnerability found in OpenSSL with a severity rating of critical—​the highest possible level of security vulnerability.

The number of cyber attacks each year is only ever increasing as hackers innovate their methods. In IBM’s yearly report on the cost of a data breach, they found that the average global cost of a data breach in 2022 is $4.35 million, while the average cost to companies based in the United States is over double that at $9.44 million. By 2025, the total cost of cyber attacks around the world is expected to reach $10.5 trillion. Attacks are not isolated to large corporations, of course. Small businesses are three times more likely to fall victim to spearphishing attacks, while the oft-talked-about Yahoo breach affected 3 billion individual user accounts.

This Cybersecurity Awareness Month, four important and, arguably, timeless themes were outlined as priorities:

We would like to add our own suggestions to the list:

Our suggestions will help you to proactively hunt for threats - act before, not after.

Take these key themes forward throughout the year. And remind your customers, colleagues, friends, family, investors, and executives that, while Cybersecurity Awareness Month is over, the battle for information security superiority—​the battle of our time—​rages on.