As November begins the holiday flurry—which now includes the highest uptick in online shopping for the year—let’s take a moment to reflect on October, National Cyber Security Awareness Month (NCSAM). While I applaud the efforts of the White House and the Department of Homeland Security to promote the occasion, I’m afraid the effort has fallen terribly short. What real improvements have been made to our national ability to be safer in cyberspace? How many home users, small businesses, or students are better prepared to navigate the dangers of online predators, hackers, and criminals?
Almost two and a half years ago the White House released the results of the President’s Cyberspace Policy Review along with a set of 10 “near term” action items. Number six on that list stated, “Initiate a national public awareness and education campaign to promote cybersecurity.” Other than each October’s NCSAM exercise, it’s hard to find evidence of a nationwide, sustained effort to build the awareness and education we need to raise the bar in our fight against ongoing cyber attacks.
To effect real change, our government agencies and industry partners must align for collaborative cybersecurity detection, prevention, mitigation and response. With the proliferation of cyber attacks and of identity and intellectual property theft now representing a true cyber epidemic, such an effort is long overdue.
This ain’t hard—once we begin
The good news is that we already have a proven, successful model that provides us with a roadmap for how to proceed—and to enlist all members of our society, because we all have a role.
In 2009, the world reacted to the credible threat of a potential global H1N1 epidemic. In the United States, awareness and education campaigns demonstrated a coordinated, comprehensive, and committed effort led by the U.S. Department of Health and Human Services, the Centers for Disease Control, the Department of Homeland Security, and other agencies of the U.S. Government. State and local governments, academic and nonprofit institutions, and the private sector launched similar efforts. We all mobilized to protect the American people from the threat of a medical epidemic.
Much of that effort was focused on teaching citizens about best practices to protect themselves from being infected by the H1N1 virus. We all remember the simple guidance we received every day, at home, in our cars, and everywhere we traveled: wash your hands often; cough into your sleeve, not your hand; avoid close contact with others; clean surfaces; stay home if infected; and so on.
It strikes me that, with very little translation required, these ‘stay safe’ messages are also precisely what’s needed to build awareness and use of simple but effective ‘cyber hygiene’ practices. Condensed into a short series of ‘Top Cybersecurity Tips,’ these practices could populate a comprehensive and sustained campaign to teach citizens, small businesses, schools, and other institutions about how to protect themselves from the very dangerous and pervasive threats in cyberspace.
The National Security Agency estimates that 80 percent of the exploitable vulnerabilities on government computers can be thwarted by basic cyber hygiene—simple steps that we all can implement to protect ourselves, and make it more difficult for the bad guys. Such efforts do not require large investments or IT staff. Some studies have found that only a small percentage of data breaches would have required difficult or expensive preventive measures.
For starters, here are some basic cybersecurity hygiene tips:
Keep your security software (firewalls, anti-virus/spyware) and operating system up to date
Protect your personal information online; change your password periodically
Scan your computer for vulnerabilities on a regular basis
Don’t open attachments from untrusted sources
Secure your mobile phone, too (including secure access to your corporate files)
Back up your data regularly
Learn what to do if something goes wrong, or if you encounter suspicious activity
Sounds simple, right? Well, it is—once you know what to do, and are regularly reminded to do it, at a time and place where you can act. Hence the need for a national, sustained campaign, led by the White House and the Department of Homeland Security, joined by all federal departments and agencies—especially those with high levels of direct citizen or business interactions (e.g., the Postal Service, Small Business Administration, and Internal Revenue Service).
We all have a stake in our global cyber security. In addition to the leadership role of the federal government, an effort of this magnitude will also require the involvement of industry and state and local government leaders at all levels, as well as higher-ed and K-12 academic organizations, Internet service providers, and a broad range of other partners and stakeholders in the public and private sectors. Some nonprofit organizations, such as the National Cyber Security Alliance, Center for Internet Security, and Internet Security Alliance are already involved—but we need more.
Our nation is facing a crisis of epidemic proportions. I don’t profess to claim that national awareness and prevention campaigns can alone solve our cybersecurity challenges, but—as with the H1N1 virus experience—we do need a comprehensive and sustained national education and awareness effort to help us all understand how to better protect ourselves as we use and enjoy the many benefits of cyberspace.