Does the cybersecurity industry have a communications problem?

This year, we’re celebrating the 20th anniversary of the inaugural cyber security awareness month (CSAM), every security practitioner’s most- and least-favourite 31 days.

The month is an opportunity for security vendors to get their exposure in non-traditional channels, and the industry has been presented with ample opportunities recently to do so. Research published earlier this year found that over half of organisations in New Zealand and Australia were hit by a ransomware attack in a six-month period last year. The evolving threat landscape has raised the profile of cybersecurity in the public eye, but just because everyone is now more “aware” of the industry does not actually mean that Australian people are safer from online threats.

We still have a long way to go before we can rest on our laurels, and much of that gap is in ensuring that the general public actually practices good cybersecurity hygiene on a daily basis. In that sense, even though we’re 20 years into CSAM, 2023 isn’t very different from previous years. We have been telling Australian consumers to use unique passwords for years; multi-factor authentication has been around since the early 2000’s, and yet there’s a laundry list of breaches it could have prevented over the last decade. Other basic cybersecurity practices, like regularly patching software and identifying and reporting phishing emails, continue to be underutilised at home and in the workplace.

So, what can we do to improve these behaviours and discourage the not-so-great parts of cybersecurity month? Like any good relationship, we can work on our communication. Cybersecurity Awareness Month is a great investment of time for businesses to participate in, but in order for outreach or education efforts to be fruitful, it has to go beyond just LinkedIn thought leadership. Security vendors that would normally use their spotlight to hawk new technology, should consider investing in outreach through non-traditional consumer channels, like social media platforms. It’s the people who aren’t in the echo chamber of cybersecurity that most need to hear about positive security practices. The industry has historically not prioritised reaching those consumers.

This month should be a reminder that we need to make cybersecurity more accessible. A way to entice those who are unfamiliar with cybersecurity would be for security vendors to offer a service for free in October, allowing customers and the general public to learn about why security matters for free instead of only paying for it after an attack. This method could be especially valuable right now, as phishing attacks become more and more advanced with the evolution of Generative AI.

Social engineering scams, which continue to increase in complexity, will become much harder to discern when attackers use AI models that pull data from the internet to facilitate phishing, smishing, vishing attacks and more. Australian businesses cannot simply depend on their non-IT staff to become cybersecurity experts overnight in this constantly evolving threat landscape. That’s why the vital role that security vendors can play in the next several months will be so important.

The first step in creating a more effective cybersecurity awareness campaign is improving the methods that we, as an industry, use to educate people who aren’t in the industry. Meeting those who need information the most where they’re at is the solution to not just raising awareness, but actually instilling the habits necessary to make everyone safer online. While it’s easier said than done, once we finally get to the point where maintaining proper cyber hygiene is common practice, it’ll be something worth celebrating.