October 15, 2024

Author: Mike Britton, Chief Information Security Officer, Abnormal Security

October is upon us, and as we embrace the start of this spooky season, it’s also time to spotlight something even scarier than ghouls and goblins: cyber threats. Welcome to Cybersecurity Awareness Month! For more than two decades, October has been a time for organizations to evaluate their cybersecurity practices and identify areas for improvement.

I’ve always felt that this is the perfect time of the year to focus on cybersecurity awareness. Spooky decorations with banshees and boogeymen are everywhere you go, acting as reminders of the sinister cyber threats lurking in your cloud environment.

While security education and training should, of course, be an ongoing initiative, Cybersecurity Awareness Month presents a unique opportunity for security leaders to emphasize the behaviors, tools, and resources that can help employees support the security of the organization year-round.

Celebrating Cybersecurity Awareness Month

Cybersecurity Awareness Month is the security leadership team’s chance to highlight the importance of every employee’s role in an organization’s security. It’s an ideal occasion to remind them that being security-savvy protects not only the organization but also its workforce.

I recognize that finding the right activities to share the message can be difficult—especially with remote teams. That’s why I recommend partnering with your marketing and corporate communications team and leveraging their creativity and expertise to get the message out to your audience.

Here are some ideas from my experience as CISO and some of my plans for promoting cybersecurity awareness here at Abnormal.

Underscore the personal value

Would-be scammers target people and businesses, so any advice should encompass both the personal and the company context. An employee who becomes a victim of identity theft or extortion is a distracted employee and, ultimately, a potential risk to the organization.

Teaching employees how to keep their kids safe online or fine-tune their social media accounts to protect their privacy can also be beneficial. In my experience, employees appreciate that we care about their safety. Plus, cybercriminals look at personal accounts to access professional ones, often hoping that people will use the same password across websites.

Prioritize the personal impact, and they’re more likely to participate.

Make it memorable

The consequences of cybercrime can be sobering, but the best way to ensure employees retain information is to keep it concise and memorable—and include humor. We’re all human, after all. The most impactful training materials are the ones that find the right balance between informative and engaging.

For example, our Cybersecurity Awareness Month Resources are centered around the Abnormal Anomalies—characters that represent eight of the most common attack types targeting today’s enterprises. This approach injects a little personality into security awareness and education and makes it more enjoyable.

Another option is fun stickers that include slogans or reminders for employees to lock their screens or use complex passwords, which keep the concept front and center as a ready reminder. You can send these out in early October as a way to celebrate the month.

Keep it fun

Gamification, competition, and giveaways are much more effective ways to encourage employee participation than making them watch boring role-training videos.

Using a game like BINGO or a scavenger hunt that requires employees to dig into the security documentation to find policies like the minimum password character requirement gets them beyond the quick skim. You can also use online phishing quizzes or remote games like Kahoot to encourage participation.

Our Cybersecurity Awareness Month Resources include six different games to help make improving detection skills more entertaining. We also have a Human or ChatGPT? Quiz that allows employees to test how well they can tell the difference between human-generated malicious emails and AI-generated.

Remember: Rewarding participants with prizes will continue to reinforce good habits long after the month is over.

Include guest speakers

Your employees may be tired of hearing the same information from members of your internal team or via the training videos in your learning management tools.

Creating a Lunch and Learn event and inviting a guest speaker is a fun way to engage your employees and provides a new opportunity to reinforce the message. In the past, I’ve had members of the FBI speak, and it’s always been a hit. Security vendors are also always willing to discuss security trends and how employees can protect themselves.

Start a year-long program

Determine which activities inspire the most awareness and participation and use that information to create a year-long training calendar. Continue to keep cybersecurity top of mind with new activities, which can be particularly helpful as new people join your team.

Create a Cybersecurity Happy Hour, ask security professionals to speak at a Lunch and Learn once a month, or ask employees to spend 30 minutes each month on a quick activity to keep the momentum.

This month is your chance to get people excited, so they continue to think about cybersecurity throughout the rest of the year.

Responding to the generative AI threat

The influence of AI on cybercrime over the past two years has been undeniable.

A growing number of cybercriminals are weaponizing generative AI to craft unique and personalized messages that no longer include the telltale grammar and syntax mistakes of the past—making email attacks increasingly difficult to detect.

To combat the malicious applications of generative AI, it’s crucial for organizations to continually foster an environment of awareness and encourage employees to err on the side of “better safe than sorry.” Enterprises must also develop and implement robust defenses, enhance detection capabilities, and stay vigilant to emerging threats—before they become the next victim of an AI-generated attack.

Our white paper The Rise, Use, and Future of Malicious Al: A Hacker’s Insight, authored by ethical hacker FreakyClown (FC), provides a firsthand look at the tactics used by threat actors leveraging AI. Additionally, our threat report AI Unleashed: 5 Real-World Email Attacks Likely Generated by AI in 2023 includes real-world examples of malicious emails that were likely generated by AI. We recommend sharing these with your employees to provide them with insights into how modern cybercriminals operate.

Committing to Cybersecurity Awareness all year long

As has been the case for most of this year, October will fly by quickly, and everyone will move on from Cybersecurity Awareness Month. If you are responsible for your company’s cybersecurity program, make sure you take full advantage of the momentum that October can bring to keep your employees engaged and cyber-focused throughout the year.

Continue to look for unique ways to interact and try to find fun, bite-sized ways to keep attention on protecting employees and the company. After all, cybercriminals are hard at work the entire year—and you should be, too.

*** This is a Security Bloggers Network syndicated blog from The Guiding Point | GuidePoint Security authored by Ben MartinMooney. Read the original post at: https://www.guidepointsecurity.com/blog/cybersecurity-awareness-month-how-cisos-can-engage-educate-and-empower/