This October marked the twentieth anniversary of ‘Cybersecurity Awareness Month’—a time for organisations to drive home the importance of vigilant behaviour in an increasingly challenging and complex digital world. It’s undoubtedly an important event, but for the slightly more cynical, it can seem like a period where security professionals need to shout even louder to share a message that we should really be thinking about all year round.
While this year’s campaign delivered the all-important (and hopefully familiar) messaging around multi-factor authentication, strong passwords, phishing awareness and software updates, it certainly feels like the backdrop is evolving significantly—especially in terms of the regulation that underpins cyber resilience and reporting. The noise is growing, and legislators are acting. For those of us in comms, we’re tasked with supporting the education and awareness initiative around security and the legislation that’s coming into play.
Regulations, legislations, frustrations?
Almost every compliance team will have a new cyber regulation, or a handful of regulations, that is keeping them up at night. For financial services in the EU (and UK), the Digital Operational Resilience Act or ‘DORA’ is causing more headaches than its explorer namesake. In short, it’s all about boosting resilience for a sector that is now heavily reliant on IT, and mandates changes such as working with more than one cloud provider. The challenge is that organisations only have two years to comply and a major organisational change will be needed to do so.
At the same time, manufacturers, importers and resellers are under scrutiny with the EU Cyber Resilience Act, passed earlier this year with an aim to improve the security of products with digital elements. And on the other side of the pond, The White House Cyber Strategy has tried to tackle issues with the software supply chain in the wake of attacks like SolarWinds and the chaos of Log4J.
Finally, making headlines recently are the controversial new rules put in place by the SEC, stating that public companies (in the US) must disclose cyber incidents within four days. This has unsurprisingly been met with concern and pushback. With so many evolving rules and regulations, cybersecurity leaders are no doubt feeling the strain, some frustrated and others burnt out. As quoted in the Cyber Awareness Month study from Assured Intelligence, “pressure to stay up-to-date with emerging technologies, evolving attack methods, and compliance regulations can be overwhelming”.
Cyber comms: driving a year-round security message
Reducing this frustration starts with education and awareness. There’s no question that regulations can sometimes be complex, wordy and inaccessible, so the comms around what they are and how they will affect different businesses or individuals have an important role to play. It’s also worth ensuring that the key messages are shared widely across an organisation, not simply with the IT and security teams. New regulations mean everyone has a role to play in cyber: DORA shifts the responsibility to the Board, while the SEC rules mean organisations need effective, efficient collaboration to meet the four-day deadline.
With so many changing requirements, and so many people needing to be informed, shouldn’t every month be Cybersecurity Awareness Month? New regulations, the increasing sophistication and diversification of threats, plus our reliance on technology mean everyone in an organisation should be thinking about cybersecurity every day.
But maybe this misses the point of Cybersecurity Awareness Month. It’s perhaps less about taking one month of the year to think about cybersecurity, and more about creating a foundation of knowledge with messages that can resonate year-round and hopefully help teams struggling with compliance. Just as long as that foundation lasts into November and beyond.