As October comes upon us, we face the reality of long nights, cold weather, the debate on whether to put the heating on, and Cybersecurity Awareness Month.

Now in its 21st year, the US government agency for Cybersecurity and Critical Infrastructure (CISA) said that since the concept was founded in 2004, this is intended to be a time “dedicated for the public and private sectors to work together to raise awareness about the importance of cybersecurity.”

Specifically, CISA claim that Cybersecurity Awareness Month is now “a collaborative effort between government and industry to enhance cybersecurity awareness, encourage actions by the public to reduce online risk, and generate discussion on cyber threats on a national and global scale.”

Is it Needed?

This does lead me to wonder though, do we still need an awareness month when cyber issues are on the front pages of newspapers and websites on a regular basis? SC UK talked to Tony Neate, CEO of Get Safe Online, who admits that he remembers when the media would only cover a cyber story once a week, and now we’re in a situation where cybercrime has become such a big problem that “trillions are lost to criminals” who use the “digital age and world to con people.”

What I wanted to know was if we still need an awareness month, or are we so aware - and is the public well aware - of major issues? The simple answer is yes, as we are still looking at the most basic form of attack being successful, such as social engineering and the number of ransomware infections continues to grow, whilst we constantly recite advice on regularly applying updates and using strong passwords.

As Neate says though, criminals are still using identity-based attacks using stolen credentials, and we see dating scams continue to be used successfully too, all too often taking advantage of a person’s unlikeliness to check the legitimacy of a sender.

Until the Cybercrime Epidemic Ends

So do we need an awareness month? Neate says that “whether it is once a month or a year, it is still important to do and until the crime epidemic ends,” which he admits he does not see happening any time soon.

Richard Cassidy, CISO of Rubrik, tells SC UK that he believes anything that helps bring most of the user's attention to think more about it not just personally, it is a positive.

“I think we should all agree that it does not matter how much you throw at cybersecurity technology, in many cases it only takes one user to do something they shouldn’t have done and it brings the walls crumbling down,” Cassidy says.

Cassidy says it is important to think about cybersecurity all year round, but he agrees that if there's going to be a month that's going to help focus attention, hearts and minds, “you know that is great, but it needs to continue.”

Image Problem

We seem to be agreed that the awareness month is a good thing, but does it maybe suffer with an image problem? Ian Thornton-Trump, CTO of Octopi Research Labs says that while it is not taken seriously by all, industry figures show that scams and social engineering is killing us – along with any get rich quick scheme related to Bitcoin.

He says maybe one of the reasons why there are questions about how worthwhile it is is down to branding. Thornton-Trump says: “I mean everyone is aware of cyber; it’s like constant on mainstream and social media timelines. I know March is ‘International Fraud Prevention’ month, but maybe we need to rebrand ‘International Cyber Awareness’ to ‘International Cyber Resiliency’ month?

“Focus on the outcome. We don’t just want people to be aware, we want people to be resilient and become, along with their organization harder targets for cybercriminals. Resilient is the new black!”

As Cassidy and Neate said here, it’s better that this month exists than not, and it’s a chance for the industry to reflect upon its state of awareness around the world: are we succeeding, are we getting better, are we even reaching the right people? Maybe as Thornton-Trump says, it has an image problem and we need to give it a refresh in its 21st year to get it to be taken seriously and understand what awareness is all about.

Either way the next iteration of Cybersecurity Awareness Month is upon us and we can enjoy the spotlight of the world upon us for the duration of October. Maybe we need this time to consider how we succeed, and where we go from here.

Dan Raywood Senior Editor SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.