This October marks fifteen years of “October is National Cyber Security Month,” and the results since 2004 have shown the limits of this program. According to the Identity Theft Resource Center, there were 157 breaches in 2005 (a year after the October is National Cyber Security Month program started), and these have increased by nearly 8x to 1,251 breaches in 2018. The Privacy Rights Clearinghouse only shows a nearly 5x increase in breaches (136 breaches in 2005 vs. 668 breaches in 2018). No published report shows a decrease in the number of breaches since 2004. We’re not winning.
The public has largely come to believe all hackers and cyber security professionals are white men wearing hoodies in dark rooms. This belief is so prevalent that the Hewlett Foundation is running a contest to reimagine cyber security imagery so that media outlets will have a new visual language that doesn’t reinforce these damaging and inaccurate stereotypes. The perception that cyber security is a male-oriented field has led to a hiring shortage for cyber security jobs, a lack of diversity, and the risk of groupthink. Just 24% of the workforce is female, according to (ISC)². Cyber Security Ventures is predicting that 3.5 million cyber security jobs will go unfilled by 2021, which is only going to make matters worse.
A Cyber Security Breach Is Everyone’s Problem
Despite the increase in breaches and problems of attracting a diverse workforce, big businesses have not suffered. Home Depot, Target, Marriott, and Equifax were all breached in the past fifteen years, yet their stock prices have climbed since the breaches. However, the public has been harmed by identity theft resulting from breaches, and they’re bringing that problem to work. According to the latest Aftermath study, victims of identity theft overwhelmingly feel worried, angry, and frustrated. They’re very dissatisfied with the remediation process. The emotional toll causes them to get into more arguments with family and friends, and over 40% go into debt or cannot pay their bills because of the costs associated with identity theft. And 32% of respondents identified that these security breaches caused problems for them at their place of employment (either with their boss or coworkers).
There’s a communications breakdown between those working in cyber security and those who are not. This failure to communicate is leading to the greatest transfer of wealth in history. People aren’t seeking actionable advice during “October is National Cyber Security Month”, and they’re tuning out of their mandatory corporate drop-ceiling one-hour cyber security training in the breakroom. Even though individuals are harmed, there’s the persistent belief that this must be someone else’s problem.
Building The Cyber Workforce Of The Future
This is a great opportunity for individual practitioners and organizations with cyber security professionals to connect with their local community. Organizations can use this organic, decentralized outreach to show their commitment to cyber security and to building the workforce of the future.
Step 1. Find a community association and pick a topic. For example:
Talk to your local Chamber of Commerce about the effects of cybercrime on small business and talk about the trends in targeted ransomware attacks; or,
Talk to your local Accountant’s association about the risks of reputational damage associated with losing personally identifiable information; or,
Talk to your local Realtor’s association about Business Email Compromise; or,
Go back to your middle or high school and talk about careers in cyber security. Don’t just talk about the daily dumpster fire, talk about the fun parts of the job, the hiring gap, and the starting salaries; or,
Book a public library meeting room for free and offer basic cyber security training to low-income families; or,
Open your office after hours for a community event on managing and reducing individual cyber risks associated with account takeover attacks.
For more ideas, Google your state’s name and “Associations and Organizations,” like “Washington State Associations and Organizations.” Pick one. You’re probably going to be the first person or organization who’s not trying to sell them something related to cyber security as part of their presentation.
Step 2. Pick a date. It need not be in October. Cyberattacks don’t magically go down in November because of the national campaign. Run your own local educational campaign.
Step 3. Create a presentation. It doesn’t need to be long, but it does need to be actionable. In addition to the topic you’ve chosen, teach the audience two new skills: using multi-factor authentication (MFA) and using a password manager. Pick any reputable MFA and any reputable password manager. This recommendation is based on multiple research reports showing the benefits of MFA compared to a single factor, and the benefits of using unique, random passwords. Skip the off-putting matrix-inspired graphics and the industry-specific acronyms.
Step 4. Present. Presenting doesn’t come naturally to most people, and speaking, including extemporaneous speaking, is one of the top fears of many adults. Even so, weigh that individual fear against the continuing damage to society due to breaches. You can make a positive difference in the lives of others.
Step 5. Take questions. Finally, take time at the end of your presentation to help dispel any myths or to address any concerns from the audience. Use as few technical terms as feasible.
Ignoring the communications gap in cyber security isn’t going to make it go away, and it’s unrealistic to think someone else is responsible for teaching others about cyber security. Working together, cyber security professionals can help to change the course of history and reduce the harm that cyberattacks have on families and individuals. When those individuals go back to work, they’ll be more aware of cyber threats and how to reduce the risks to their organizations.