Cyber Defense Advisors

This Cybersecurity Awareness Month, the focus is on education

This October marks the 20th annual Cybersecurity Awareness Month. While it was initially founded as a national movement in the US, Cybersecurity Awareness Month has since grown into a global initiative. And for good reason.

Today’s cybersecurity market is suffering from a skills gap of 3.4 million trained professionals, with security practitioners being overwhelmed by a continuous onslaught of increasingly sophisticated attacks while having to educate their organizations. The average cost of a data breach in 2022 was $4.35 million, providing a strong incentive for attackers to do whatever is necessary to compromise potentially valuable networks. And what is the first and last line of defense for organizations against cybercrime? People.

According to research by Standford, human error accounts for more than 80% of cybersecurity incidents. This trend points to the growing need for awareness and education in the cybersecurity space–not just for prospective security professionals but also everyday citizens. After all, cybersecurity is everyone’s responsibility, and safe behaviors online range from regular day-to-day tasks at home to professional settings. That’s why Microsoft partners with the National Cybersecurity Alliance, CISA, and organizations worldwide to amplify the importance of cybersecurity best practices and to expand the understanding of how to be cyber smart.

Read on to learn more about how you can better educate your organization on the fundamental elements of cybersecurity and take the next step for cyber resilience.

4 key focus areas for cybersecurity education

The rise of hybrid work, an ever-increasing external attack surface, and the daily threat of increasingly sophisticated cyberattacks have made people the primary threat vector. Humans, paired with the right technology, are the biggest asset towards fighting cybercrime in an organization, and cybersecurity awareness programs are key to enabling security teams to effectively manage human risk by changing how people think about cybersecurity and helping them exhibit secure behaviors.

According to the recently published 2023 Microsoft Digital Defense Report, basic security hygiene still protects against 99% of attacks. This is great news for CISOs, as it underscores that not everyone needs to become a cybersecurity expert. Instead, it is vital to raise the bar broadly on cybersecurity awareness and education so that everyone has a role to play in securing organizations.

Here are four core tips to focus on when increasing cybersecurity education in your organization:

Protect devices: Ensuring software is kept up to date with the latest security updates and patches is one of the most effective ways to protect internet-connected devices. Employees can make this process easier by setting up automatic software updates to make the process smoother and decrease the risk of vulnerabilities that can let in ransomware and other malware. We also recommend teaching employees how to check privacy and security settings to ensure they’re set to the desired level of information-sharing any time the employee signs up for a new account, downloads an app, or acquires a new device.

Passwordless is the key: Hackers don’t break in–they sign in. So a good way to protect one of attackers’ most common entry points is by going passwordless with authentication solutions. When passwords are needed, encourage employees to use their browser’s password generator to create stronger passwords. When creating passwords, remember that length matters more than complexity. All passwords should be at least 12 characters long and can be tracked using password managers.

Multifactor authentication is a must: Multifactor authentication can protect 99.2% of account attacks by offering stronger security than relying solely on passwords. Employees should be reminded to check devices, apps, and account settings to enable multifactor authentication, such as one-time codes or biometrics.

Phishing only works if you take the bait: The average attacker needs just 1 hour and 12 minutes to access private data after users fall victim to a phishing email. Complacency can lead to clicking on a malicious link in an email, phone message, or social post. So, how can you better teach users to avoid taking the bait? First, it’s important to check the sender’s email address for verifiable contact information and phishing tip-offs such as an unrelated sender address. If employees are in doubt for any reason, they should not reply. Likewise, users should never click on links or open email attachments without first verifying the sender.

Ultimately, organizations play a vital role in fostering cybersecurity awareness among their employees and communities. By emphasizing the importance of cybersecurity, organizations can encourage individuals to adopt best practices and ensure the safety of their digital environments. While these safe behaviors are important, blending user-friendly practices with cutting-edge tech like generative AI, security teams can boost efficiency and keep a sharp eye on threats, freeing them up for hands-on cyber defense work. This heightened awareness and approachability not only strengthens protection against cyber threats but also helps attract new talent to the ever-evolving industry, which is in dire need of more skilled professionals to combat escalating cybercrime.

To learn more about current cybersecurity best practices, visit the Microsoft Cybersecurity Awareness Website to download your Be Cybersmart Kit and check out available educational resources. Also, visit Microsoft Security Insider for the latest threat intelligence insights and get guidance to help your organization increase its cyber resilience.

Security