Digital Security
Despite their benefits, awareness campaigns alone are not enough to encourage widespread adoption of cybersecurity best practices

01 Oct 2024 • 3 min. read

As we enter October, governments, non-profit organizations, cybersecurity vendors and many companies with corporate social responsibility teams are all likely gearing up to push out some useful tips on staying safe online. Without even looking at the official theme of this year’s edition of the campaign, I rattled off the usual advice to a colleague last week – use strong and unique passwords, enable multi-factor authentication (MFA), and avoid clicking on phishing links – and sure enough, I captured almost all the main points of this year’s official “Secure Our World” theme.
Now, given the abundance of such well-intentioned guidance circulating each October, you could be forgiven for thinking that this should be enough to help create a safe and secure cyberspace. But is it, really? Has this advice been effective in driving meaningful behavioral change and in helping address the growing security risks of today and tomorrow? Perhaps it’s time to critically examine the current approach – and to recognize that advice alone just doesn’t cut it.
Beyond tips and tricks
After a decade of promoting the same guidance (Cybersecurity Awareness Month itself marks its 21st birthday this year), it’s time for the industry to have a radical rethink and, alongside doing the talking, legislate and enforce better cybersecurity practices, especially where personally identifiable information (PII) or other data of value is at stake. I’m not typically a fan of fixing problems with legislation and regulation, but the reality is that we are not seeing progress at the pace that we need to. For example, there are many popular online services and applications that still don’t offer MFA, and even if they do, it’s not enabled by default. Next year’s Cybersecurity Awareness Month could be void of this topic entirely if all companies storing PII are required to enable MFA on all user accounts by default.
Granted, there may be accessibility concerns with MFA enabled by default, and people who genuinely need to turn it off for some reason should be able to opt out. For the rest of the crowd, however, enabling MFA by default should be the norm. Just as many websites currently almost hide the option to enable MFA, they should likewise hide the option to turn it off.
Apple was one of the brave companies in forcing MFA for all users back in 2017. Did they lose users? Did their share price go down? Of course, the answers are “no”. When faced with no alternative, users will adopt an enhanced security practice that keeps their data and stuff safe. Give them a choice and/or make the default off, and many people will take the easier route, even if it may mean compromising their security for convenience.
Another upside of switching MFA on by default for everyone is that it would significantly mitigate the risks associated with password recycling; in other words, a reused password backed by MFA is less likely to cause an issue. However, this is not to say that it’s acceptable to use weak passwords or reuse passwords across sites. What I am saying instead is that the emphasis on strong and unique passwords will decrease, as the added layer of MFA will greatly help prevent credential theft.
Indeed, when something such as credential theft has persisted as a major issue for so long, it’s time for a rethink. We’ve seen effective precedents for this; most notably, the General Data Protection Regulation (GDPR). The European Union (EU) realized that without stringent regulation, companies would continue down the path of least resistance: collecting data and storing it without encryption in what was essentially a wild west approach to data protection. It costs money to keep things secure, so tight-pursed Chief Financial Officers would prioritize short-term profit over long-term security. However, GDPR changed this dynamic, as hefty regulatory fines justify the budget for proper data security measures.
Legislation to the rescue
Now imagine Cybersecurity Awareness Month next year without the lecturing about basic security practices such as strong and unique passwords and MFA. After years of hammering these points home, the conversation could finally evolve. The spotlight could shift to rampant scams duping people out of their hard-earned cash. I realize some of this is covered today, but far too often it just gets lost in the shuffle.
To all policy-makers out there: it’s time to shift this conversation and legislate on what some of the industry has failed to implement so that the important education on current cybersecurity issues can become the headline.