It’s that time of the year again! The cybersecurity awareness month, October, is coming up. CISOs worldwide, such as yourself, are looking for ways to leverage this month-long event to promote cybersecurity awareness throughout the organization.
Creating and executing an innovative and engaging plan for cybersecurity month – one that accounts for the versatility in target personas, changes in attack surfaces, and global cybercrime trends – can be challenging, even for the most experienced CISOs. So what can you do to make your organizational, national cybersecurity awareness month (NCSAM) plans in 2023 effective and engaging? And what themes and topics should you focus on in producing your resources and communications for this year’s cybersecurity awareness month?
Before we answer these questions and arm you with a CISO NCSAM 2023 Toolkit, let’s quickly look at the history of the cybersecurity awareness month and its themes and focus points for this year.
What is the Cybersecurity Awareness Month?
Ideally, every month is cybersecurity awareness month, with continuous and personalized cybersecurity and cyber-literacy training available to employees throughout the year. However, having four consecutive weeks to set the base for your year-round employee cybersecurity awareness and upskilling strategy is incredibly beneficial. The added fact that it is official and national increases the chances of your NCSAM initiatives receiving C-suite approval and cooperation.
Cybersecurity Awareness Month was launched by the American National Cybersecurity Alliance and the U.S. Department of Homeland Security (DHS) in October 2004 and dubbed “a broad effort to help all Americans stay safer and more secure online.” Initially, awareness efforts were focused on points like antivirus updates and rogue external devices.
In 2023, Cybersecurity Awareness Month is co-led by the National Cybersecurity Alliance and the Cybersecurity and Infrastructure Agency (CISA). Since its inception, the reach of Cybersecurity Awareness Month has grown exponentially to include consumers, businesses, corporations, and educational institutions in the US. Moreover, the American tradition was adopted in Europe by ENISA and in Canada by the Communications Security Establishment, with advice from its Canadian Centre for Cyber Security.
What is the theme for the cybersecurity awareness month in 2023?
The local themes for the US, Canada, and European cybersecurity awareness month were just recently published, with different themes to lead in 2023:
Canada
The Canadian government decided to turn up the heat and get Canadians in shape with the theme “Step up your cyber fitness.” According to the campaign website: “It’s all about stretching your cyber security muscles and taking things one step at a time!”
Marked with the hashtag #CyberMonth2023, the Canadian government offers plenty of resources to Canadian businesses, including a five week-by-week plan with weeks themed as Warmup Week, Account Workout, Learning self-defense, Maintaining Muscle, and Strength in Numbers. In addition, the website offers some theme-agnostic resources you can employ in your activities, like social media graphics, messages, and backgrounds for video conferences.
European Union
In Europe, the initiative coordinated by ENISA and the European Commission to raise cyber security awareness in Europe is taking a pop-culture turn in 2023 with the key theme for the European Cybersecurity Month “Become a Cyber Hero.”
According to the GÉANT website, the CSM23 awareness campaign will feature weekly short videos with experts’ tips and tricks, in-depth interviews with Cyber Heroes within the community, a weekly webinar on a specific security awareness topic, and more.
USA
In the United States, 2023 marks 20 Years of Cybersecurity Awareness Month, and the theme is the journey of security education and awareness in that time and where it should continue in order to fulfill the vision of a secure, interconnected world.
Businesses that register to participate will get access to content and resources they can employ in their organizations’ NCSAM activities. In addition, some of the planned events are open to the public, like the scheduled Twitter (now X) chat with @staysafeonline on October 11, 2023, at 2:00 pm ET.
4 key focus behaviors
The US national cybersecurity awareness month, unlike the Canadian one, will not focus on weekly themes but instead on four key behaviors in users that your campaign should address. The reason these behaviors were chosen is that they aim to be both simple and actionable for both individuals and businesses. Per the campaign website, these messages will provide the basis for Cybersecurity Awareness Month resources, events and presentations throughout the month.
It’s worth noting that at the time of writing, some of the resources available on the staysafeonline.org website are dated 2022 (when the same key behaviors were the focus of the messaging) but may be updated in the very near future.
1. Enabling multi-factor authentication
Multi-factor authentication in a business context in 2023 is not about enabling, but rather about enforcing it. With most (if not all) potentially vulnerable business applications today offering (and recommending that) admins enforce MFA, it’s mostly a matter of implementing the security policy while ensuring the users understand why they have to enter two (or more) passwords to use applications that access sensitive data.
2. Using strong passwords and a password manager
Much like MFA enforcement, in a business environment, the use of strong passwords can be automatically enforced, and password managers can be managed centrally by system administrators to ensure a seamless and secure user experience for all employees. This October may be an opportune time to introduce such tools and policies and showcase their benefits and value to employees and the C-suite.
3. Updating software
It may seem a little outdated, but the recommendation to keep installed applications and the operating system patched with the latest updates is still valid in 2023. When it comes to systems used continuously at the edge, software updates may “fall between the cracks” with everyone using the system assuming it’s someone else’s job to press the restart button. An excellent way to look at this focus point is through the lens of ownership, with clear and actionable guidelines for everyone.
4. Recognizing and reporting phishing
This key focus behavior is one you cannot enforce through technological tools. No matter how much effort or resources you put into email scanning and end-user fraud prevention tools, at the end of the day the person in front of the screen decides to click on an attachment file or enter their credentials on a fraudulent website.
Detecting the various forms of phishing, regardless of the medium (email, social media, text messages, or phone calls), was never really easy. In 2023, recognizing phishing and potential attempts to defraud individuals and businesses is harder than ever before, much due to the broad availability of generative AI tools.
How generative AI changes everything
With the theme of this year’s national cybersecurity awareness month revolving around looking back at the last 20 years of cybersecurity awareness, the change in recent years is quite clear – the rise of LLMs and GenAI across and throughout industries and verticals – including cybercriminals.
Generative AI has proven to be a dangerous weapon in the hands of cybercriminals and a potential attack vector. With tools like FraudGPT available on the Dark Web, cybercriminals no longer need to draft phishing emails or create authentic-looking landing pages – the AI does it for them.
In preparation for cybersecurity awareness month, you must consider the impact of AI-generated phishing campaigns on employees’ ability to recognize phishing attempts that are free of bad spelling and crafted based on the success rates of previous phishing campaigns.
We at CybeReady have your back, with a toolkit of resources designed to help you train employees across departments and with varying levels of technical expertise in detecting the tell-tale signs of phishing as attempts get increasingly sophisticated.
Outsmarting AI-based phishing attacks: The Dark Side of AI at Work CISO Toolkit from Cybeready
To help you train your employees on the dangers of AI, we have prepared a customized training toolkit for NCSAM 2023 with insights and messages you can include in your campaigns. For example, we offer tips for identifying phishing emails in the age of generative AI, how to use AI tools without introducing business risks, and how to stay vigilant in the face of evolving cyber threats.
