Cyber Security Awareness Month - do we truly need it?
Yes, it is October, and since 2004 it has also been Cybersecurity Awareness Month. There's a lot on my mind right away, starting with the question of what really drives cyber awareness in organizations. Far too often we still operate in enterprise-wide campaigns around online security and compliance trainings with a few validation questions at the end. Does that really create security awareness? Without linking it to day-to-day business and to concrete and tangible examples for the users? I don't think so! It is necessary to create a connection to the daily business and to demonstrate with meaningful examples how professional cyber criminals act today. Let's just take attacks via the supply chain, targeted phishing attacks or similar examples. We need to move away from standard trainings that check a box for an ISO 27001 certification, towards real and sustainable awareness trainings.
Another topic is the omnipresent threat of ransomware attacks. The possible loss of production, declining customer satisfaction and other effects can threaten the existence of companies. This insight is growing in all industries, in the IT and security departments and, more and more, in the boardrooms as well. Insight is one dimension; it is also important to act accordingly. The necessary security measures and recovery procedures must be implemented and put into practice. Back in the 90s I was already discussing topics around high availability as well as backup and recovery with my clients. Even then, the focus was too often on backup. Against the backdrop of the threat posed by ransomware, the topic of recovery and point-in-time recovery is more important than ever.
Today, everything is interconnected and we have open environments. Cloud or multi-cloud is a reality. The boundaries between IT and OT are disappearing or have already merged. Cyber crime is more than ever a business risk and not an IT risk. Cyber attacks threaten the existence of companies - especially when well-organized groups or nation-state cyber crime come into play.
Is this all new? No! So why do we still need Cybersecurity Awareness Month? It should already be common knowledge. However, we still see attacks that take companies by surprise, or cases where fundamental security mechanisms or operational processes (for example patching process, backup & recovery, identity and federation management, network segmentation or zero trust concepts, etc.) have not been implemented in the context of cybersecurity. Employees tend to underestimate their role and importance in cyber defense, or do not anticipate the patience and meticulous preparation of cyber criminals to outsmart them. It is still a profitable money game, and criminals work hard and with a lot of creativity to get access to key data and systems.
Let's face it, sometimes criminals don't have to be that sophisticated. Mirko Ross, a top cybersecurity expert, recently wrote a great article about his observations highlighting what "not to do". I can only recommend his article and I am sure it will make you smirk.
Back to the initial question in the headline: "Do we truly need a Cybersecurity Awareness Month?" From my point of view: Yes, it is good and important to have it! We are transforming our business, digitizing our processes and finding completely new ways to interact with customers and business partners. The simple reality is that none of this works without cybersecurity. There is and will be no successful digitization without cyber security!
I deliberately chose the image of meerkats for this "Beyond Technology" post. They are always very careful and observe their environment with great vigilance. I think we can learn from them.
So here is the call to action: Let’s be vigilant together and make sure that cybersecurity is not an excuse for slow digitization and lack of innovation.
We all are part of cybersecurity. "See Yourself in Cyber" and please be aware - be cyber aware!
(2y) Kai Grunwitz - we need cybersecurity minutes every day. Stay tuned for this week’s newsletter on boosting board cyber literacy.
(3y) I believe that this question cannot and should not be answered across the board. Basically, such a campaign serves to bring the topic to the fore, which in my view is basically good and correct. On the other hand, awareness, especially in this area, should not be limited to a single month, but should be permanent. An awareness month is therefore perceived as "special", but awareness in the field of security should be normal.