October is Cybersecurity Awareness Month, and on this last day, let’s talk about cloud security.
What started as a United States government initiative some 23 years ago continues to this day under the leadership of CISA. The agency, which routinely deals with serious tasks such as guiding critical infrastructure in cyber defense and protecting the US election process, decided to take a more subtle approach and created the “Secure Our World” program, which contains simple and fun video and written content on various cybersecurity topics, aimed at educating the general public. As part of an ongoing learning process, the agency selects a limited number of topics each year and focuses on raising awareness of them. This year, the agency’s 4 main recommendations are:
- Use strong passwords
- Activate two-step verification
- Identify and report phishing
- Update software in a timely manner
A Global Phenomenon
Many organizations and governments around the world have adopted this custom and have declared October as cyber awareness month in their countries as well. Beyond being a joint declaration of intent by various countries about the importance of fighting cyber threats together, there is a practical reason for increasing cyber awareness specifically in October. Traditionally, a significant portion of cyber attacks and online scams take place in November and December (which are the major online shopping months, including Black Friday, Cyber Monday, Christmas and the New Year’s online shopping frenzy). Raising public awareness prior to the “hottest” cyber season can help reduce the associated cyber risks.
Does awareness training achieve its goal?
Since various activities to increase cyber awareness have been carried out for many years, it is already possible to gauge their effectiveness. Various studies have found a positive effect of cyber awareness training on an organization’s degree of preparedness and vulnerability to attacks.
Research by KnowBe4 found that cyber awareness training can significantly reduce susceptibility to phishing. IBM research consistently shows that when organizations with effective training programs are attacked, the cost of the attack is lower than for those that did not implement such programs (i.e., the damage caused is reduced). The Ponemon Institute conducted many studies on the effectiveness of cyber awareness training and found a positive relationship between training and reducing the risk of information leakage from the organization.
Even though there is no study that examines the impact of cyber campaigns on the general public, if we rely on studies such as “CYBERSECURITY AWARENESS AND EDUCATION PROGRAMS: A REVIEW OF EMPLOYEE ENGAGEMENT AND ACCOUNTABILITY”, it can be concluded that any program to increase awareness helps to reduce risk, both at the individual level and at the level of the organization and the general public.
How do cyber awareness programs help protect against cyber threats?
Although there is no one-size-fits-all solution, well-designed and implemented training programs can significantly reduce the risk of cyber-attacks.
- Decrease in the rate of clicks on phishing links: Studies have shown that organizations with effective training programs experience a significant decrease in the number of employees who click on phishing links.
- Increase in reporting of suspicious activities: Employees who have been trained in cyber awareness are more likely to report suspicious emails, websites or other activities, which allows organizations to identify and deal with threats more quickly (the report of the cyber system indicates that the number of referrals to the system has increased greatly in recent years, which indicates growing awareness among cyber victims that there is a need to report and someone to report to).
- Improving security practices: Training can help employees develop good security habits, such as using strong passwords, avoiding suspicious links, and recognizing common social engineering tactics.
The studies show that for a training program to be successful, it should fit the profile of the organization: the training should be relevant to the specific needs and risks of the organization, it should be interesting and interactive to keep employees engaged, it should be continuous, with regular reminders and content renewal, and it should provide decision makers with clear data regarding the success of the program.
But what about the cloud?
Most cyber awareness programs don’t focus specifically on the cloud, since cloud adoption is a new phenomenon. With little time and a very limited attention span among employees and the public, programs focus on the basics of security. But with growing cloud usage, organizations can no longer ignore the cloud and must include it as part of their awareness training programs. The good news is that there are several areas in which cloud risks are very similar to “general” cyber risks. If we look at CISA’s focus areas, we can see an overlap between “generic” and cloud security:
- Use strong passwords: Many cloud security breaches have occurred due to credential theft, password reuse, default passwords, or simply very weak passwords that are easy to guess (or crack). Encouraging the use of strong passwords will reduce overall AND cloud security risks.
- Activate two-step verification: As seen in many cloud incidents, a lack of MFA facilitates cloud breaches. Enabling MFA for cloud environments will reduce this risk.
- Identify and report phishing: Many phishing attempts are aimed at obtaining cloud credentials, which are later exploited for cloud breaches. Learning to identify phishing attempts, with a focus on theft of cloud system credentials, can reduce this risk.
Summary
Cybersecurity Awareness Month is a terrific initiative with proven results with regard to traditional IT and online usage. Now, with the growing shift to the cloud, it is important to also elevate awareness of cloud hygiene and security practices.
Now you can improve your organization’s cloud security by subscribing to Skyhawk’s Platform for free. This was so successful that we are going to extend the free subscription through the end of the year.