By this time in September, my inbox is typically overflowing with invitations to webinars and other events celebrating Cybersecurity Awareness Month, which begins tomorrow. This year I’ve received exactly one email – and the mention was part of sponsor content in a newsletter – that mentioned programming aimed at securing our digital lives.
What? Wait a minute! Only one?
Yes, only one, and I had to search my inbox to locate it.
I’m not sure if I should be elated because it means I won’t have to buy new batteries for my mouse so it can work overtime or if I should be extremely concerned. Is this situation because our security is in a place where we don’t need to be worried anymore? Are most organizations waiting until October arrives to begin sharing their knowledge or using the event to market their security and privacy products and services? Or has cybersecurity awareness become background noise?
I’m hoping it’s not the last of these. We are not yet at the point where we can take our foot off the gas pedal, much less hit the brakes. But it does seem like a plausible explanation.
Consider how the response to data breaches has evolved. When Target was breached in 2013 – during the holiday season – security professionals and consumers alike were left stunned. Shoppers changed their habits. Smart retailers decided it was better to restrict access by third-party vendors to their information systems. Target paid a fine. Years later the hack is still being used to illustrate how a data breach occurs and the lessons we still need to learn.
Fast forward a few years. There have been many more breaches. Equifax in 2017. Marriott in 2018. Capital One in 2019. SolarWinds in 2020.
The list goes on and on and includes retailers, health care facilities and providers, higher ed institutions, and more.
What’s changed is that new breaches are no longer front-page news for days unless they completely disrupt our lives, like the Colonial Pipeline incident did in 2021. Who could forget seeing those lines in Florida and Georgia?
The high visibility of Colonial Pipeline, however, isn’t part of the new normal. A month ago, I received a notice that an account in my daughter’s name had been breached. I thought it was a piece of junk mail until I opened it and saw that it was an official notification that contained the standard “protect yourself” language and suggested she check her credit report.
This month’s disclosure that Uber suffered another data breach was a headline and then it wasn’t. Those who want to read about it or learn from it – a 17-year-old hacker is allegedly responsible – will need to seek out the details via a web search unless they receive tech/security newsletters in their inboxes.
This is all to say that I am concerned. If Cybersecurity Awareness Month has become background noise or is only viewed as a marketing tool rather than a reminder that everyone has a role to play in security, it will only be a matter of time until there are more data breaches. It will be like that security alert from a SIEM (Security Information and Event Management) that everyone knows is a false positive… until one day, it’s not.
Challenge – If you’re a cybersecurity professional, make October the month you share your knowledge and expertise with others and assess your personal security. If you’re a consumer, take a moment to learn more about cybersecurity and what you can do to protect yourself, your devices, and your data so you don’t become a victim. Businesses? Organizations? I just put new batteries in my mouse, so let me know what you have planned for Cybersecurity Awareness Month by sending me an email at info@thecyberchair.com.