Cybersecurity Awareness Month needs a radical overhaul – it needs legislation

Tony Anscombe, global security evangelist at ESET

As we enter October, governments, non-profit organizations, cybersecurity vendors and many companies with corporate social responsibility teams are all likely gearing up to push out some useful tips on staying safe online. Without even looking at the official theme of this year’s edition of the campaign, I rattled off the usual advice to a colleague last week – use strong and unique passwords, enable multi-factor authentication (MFA), and avoid clicking on phishing links – and sure enough, I captured almost all the main points of this year’s official “Secure Our World” theme.

Now, given the abundance of such well-intentioned guidance circulating each October, you could be forgiven for thinking that this should be enough to help create a safe and secure cyberspace. But is it, really? Has this advice been effective in driving meaningful behavioral change and in helping address the growing security risks of today and tomorrow? Perhaps it’s time to critically examine the current approach – and to admit that advice alone just doesn’t cut it.

Beyond tips and tricks

After a decade of promoting the same guidance (Cybersecurity Awareness Month itself marks its 21st anniversary this year), it’s time for the industry to have a radical rethink and, alongside doing the talking, legislate and enforce better cybersecurity practices, especially where personally identifiable information (PII) or other data of value is at stake. I’m not typically a fan of fixing problems with legislation and regulation, but the reality is that we are not seeing progress at the pace that we need to. For example, many popular online services and applications still don’t offer MFA, and even if they do, it’s not enabled by default. Next year’s Cybersecurity Awareness Month could be void of this topic entirely if all companies storing PII are required to enable MFA on all user accounts by default.

Granted, there may be accessibility concerns with MFA enabled by default, and people who genuinely need to switch it off for some reason should be able to opt out. For the rest of the crowd, however, enabling MFA by default should be the norm. Just as many websites currently almost bury the option to enable MFA, they should similarly hide the option to switch it off.

Apple was one of the brave companies in forcing MFA for all users back in 2017. Did they lose users? Did their share price go down? Of course, the answers are “no”. When faced with no alternative, users will adopt an enhanced security practice that keeps their data and stuff safe. Give them a choice and/or make the default off, and many people will take the easier route, even if it may mean compromising their security for convenience.

Another upside of switching MFA on by default for everyone is that it would significantly mitigate the risks associated with password recycling; in other words, a reused password backed by MFA is less likely to cause an issue. However, this is not to say that it’s acceptable to use weak passwords or reuse passwords across sites. What I am saying instead is that the emphasis on strong and unique passwords will decrease, as the added layer of MFA will greatly help prevent credential theft.

Indeed, when something such as credential theft has persisted as a major issue for so long, it’s time for a rethink. We’ve seen effective precedents for this; most notably, the General Data Protection Regulation (GDPR). The European Union (EU) realized that without stringent regulation, companies would continue down the path of least resistance: collecting data and storing it without encryption in what was basically a wild west approach to data protection. It costs money to keep things secure, so tight-pursed Chief Financial Officers would prioritize short-term profit over long-term security. However, GDPR changed this dynamic, as hefty regulatory fines justify the budget for proper data security measures.

Legislation to the rescue

Now imagine Cybersecurity Awareness Month next year without the lecturing about basic security practices such as strong and unique passwords and MFA. After years of hammering these points home, the conversation could finally evolve. The spotlight could shift to rampant scams duping people out of their hard-earned cash. I realize some of this is covered today, but far too often it just gets lost in the shuffle.

To all policy-makers out there: it’s time to shift this conversation and legislate on what some of the industry has failed to implement so that the crucial education on real cybersecurity issues can become the headline.