October is National Cybersecurity Awareness Month. While the designation may be a helpful way to emphasize the need for businesses and individuals to be more aware of how we use technology, believing that one month of awareness is enough may be selling the threat a bit short. November 1 is the anniversary of the mandatory breach notifications embedded into Canadian PIPEDA law, and the impacts of cyber threats extend beyond the month of October.

To be fair, cybersecurity shouldn’t be treated as the flavor of the month. We need greater emphasis on it each and every day, for one simple reason: the greatest cybersecurity threat of all is the human element. It’s tempting to believe that by developing more advanced and secure technologies, we’ll be able to put cybercrime out of business. This is a pipe dream. Although security technology is significantly better than it was just a couple of years ago, it nevertheless contains one inescapable liability: it is only as effective as the humans who use it.

Today’s cybersecurity environment is intimidating, and it’s clear that we must always be in a state of hypervigilance. Cyber criminals aren’t going anywhere, and they are becoming more aggressive and more sophisticated with each passing year.

Background

In August, Facebook reported that it left a database containing 419 million records unprotected, without a password. Further, if we look at the major data breaches of the last several years (Equifax, Target, Sony, etc.), their origin point of vulnerability was access directly attributable to weak authentication; in other words, weak passwords.

These incidents, and many others like them, serve as a reminder that while we can reduce and manage the number of cyber incidents, it’s largely implausible to believe we’re ever going to eliminate them. Cyber criminals ultimately focus on the path of least resistance, and the low-hanging fruit is human behavior. Therefore, it is a fair statement that the top priority should not be acquiring the most advanced cybersecurity technologies, but rather educating your organization’s workforce. Businesses of all sizes must recognize that employees are the most vulnerable access point for a data breach. It is especially valuable to work with the human resources department to incorporate cybersecurity education into employee on-boarding, moulding a culture of cybersecurity from the ground up.

Organizations need to focus on human behavior and make it a priority to build the foundation for a reliable, powerful culture of security. These efforts alone will pay dividends and see an increased return on future investments in security technology by developing an educated and informed workforce.

Cyberthreat: Adapting to Change

Organizations also need to acknowledge that a key component of security is adaptability, and adaptability does not mean reconstructing the original, but rather learning from experience so that you’re prepared for the future. Natural disasters provide a useful point of comparison. Would it make any sense to rebuild physical infrastructure to the same code as before the disaster? Or would it make more sense to design the rebuild to withstand an event greater than the one that caused it to fail in the first place? A similar approach should be taken with cyber events. Network infrastructure should be developed to withstand anticipated future threats, based on what you have learned from the breach.

Wrapping Up

Fortunately, organizations across all industries have an increasing awareness of the importance of their cybersecurity. Unfortunately, there is still a way to go and a mounting need to invest more in cybersecurity training and awareness for employees at all levels. Businesses need to ensure that everyone understands how one simple human mistake can put the entire company at risk. Creating a culture of security, from the ground up, should be a principal corporate priority because cybersecurity is fundamental to the mission of every business.

Human behavior is the foundation for cybersecurity. That memo needs to be delivered and exemplified not just in October, but every month.