Welcome to October, when everyone in the cybersecurity field stops looking at their monitors all day and spends a month trying to bore hackers to death.
The notion is that, through webcasts, conferences, and school events, National Cybersecurity Awareness Month is supposed to educate everyone who doesn’t spend the other eleven months working in the field about the dangers that lurk online. In reality, there is little evidence that anybody else is listening. Each year we go through the motions of National Cybersecurity Awareness Month and each year users seemingly get dumber.
A whole cottage industry has grown up around National Cybersecurity Awareness Month, yet none of the organizations involved can provide any evidence that it makes a difference. You might think that after spending a month focused on raising cybersecurity awareness, there would be some evidence that click-through rates on spear-phishing emails went down. In twelve years none has emerged. Monthly and quarterly trends in every report on cybersecurity are seemingly unaffected.
Part of the problem may be that the practice of designating “months” has gotten out of hand.
In defiance of the Gregorian calendar, Presidents have a long-standing tradition of designating well more than twelve months each year in honor of one cause or another.
Thus far this year, the President has issued proclamations creating 40 different “months.” In addition to naming October National Cybersecurity Awareness Month, it is also National Youth Justice Awareness Month, National Breast Cancer Awareness Month, National Disability Employment Awareness Month, National Domestic Violence Awareness Month, and National Substance Abuse Prevention Month. One half of it is National Hispanic Heritage Month (the other half is the latter part of September).
By comparison to these other issues, cybersecurity doesn’t rate. It isn’t a charitable cause. The month is not used to raise funds to move OPM data to secure cloud storage (though that isn’t a bad idea). It is not an unheeded concern (the Washington Post can’t stop reporting on it). Perhaps most significantly, cybersecurity is not an area where focusing on it for a month can have lasting impacts over the next year. If it were, annual FISMA audits would have been useful.
The reality is that if October is anything, it is National Breast Cancer Awareness Month. At many cyber events this month you will see more pink ribbons than NCSAM buttons (the National Cyber Security Awareness Alliance still thinks cybersecurity is two words). The National Breast Cancer Foundation not only uses October to raise funds for the cause but also to get women to take the annual steps recommended for early detection, whether a self-exam or mammogram based on age and other risk factors. In short, it makes sense to focus national attention on breast cancer for a month because it can actually make a difference. If detected early, breast cancer has a five-year survival rate of 100 percent.
September’s National Preparedness Month can also pass this test, as there are things you can do to prepare for disasters. If National Preparedness Month hadn’t gotten lost amidst the din of five other “months” in September, I might have checked my smoke alarm batteries, replaced expired food in our supply of canned goods, and made sure we had plenty of flashlight batteries.
It may be time to hit the reset button on awareness months. As a public policy tool, it could be useful to actually get the nation to focus on a national problem each month, instead of making multiple designations so that individual constituencies can focus on their own issue for a month. For cybersecurity, perhaps a modest proposal for 2016: National Cybersecurity Awareness Week?