In October 2019, the UK’s National Cyber Security Centre’s (NCSC) last ever tweet using the hashtag ‘#CyberSecMonth’ made its appearance. The hashtag, provided by the European Union Agency for Cybersecurity (ENISA), has been used since 2012 to promote ‘Cybersecurity Month’ – which was introduced to spread awareness of the growing threats across the cyber landscape and encourage people to better protect themselves. And while European Cybersecurity Month (ECSM) itself has continued to be observed across the EU, it appears that engagement and involvement from UK businesses have waned in recent years.
This could be a by-product of Brexit: as the scheme was run by the EU, it makes sense that it would no longer be observed after we left the union at the beginning of 2020. Or is it because the need for a dedicated month is less important now, as cybersecurity practices become ingrained in every business, every day?
While the latter might be true, having a month in which to galvanise and reinforce awareness provides an opportunity for the cybersecurity industry – and all businesses – to refocus and realign with the current threat landscape.
Making the case for an annual event
As the country becomes increasingly digitalised and every business becomes reliant on its network to operate, the threat landscape continues to grow and evolve. Attacks on the supply chain have increased exponentially over the past few years and show no signs of slowing since the pandemic. Research even suggests a 300% jump in this type of attack between 2020 and 2021.
And it’s not just new threats that businesses need to be aware of. Human error and social engineering attacks – from malware-laden emails to domain spoofing – continue to be the bane of many businesses when it comes to maintaining network resilience.
Indeed, according to the 2022 Cyber Security Breaches Survey, phishing accounted for 83% of attack vectors. This suggests the need to reinforce cyber hygiene advice and maintain employee vigilance should still be a high priority. We need to build a more secure human firewall, which requires more attention from every individual to reduce the risk.
Cyber awareness is a key part of our defence. However, in order to increase our ability to identify and protect against cyber threats, we need to encourage more conversations at both board and employee level, and further education on the subject. Awareness months provide a great way of bringing an agenda to the fore, to support ongoing efforts throughout the year.
Reinvigorating a much-needed month
The October awareness month isn’t just an EU initiative. The original concept came from America in 2004, with the first European Cybersecurity Month being held in 2012. In the 10 years since the first campaign, growth and support have increased across all metrics, indicating the success of, and buy-in to, such an initiative. Notably, in the 2019 report the highest number of #CyberSecMonth mentions came from the UK, suggesting the appetite and engagement from UK businesses and individuals alike.
In 2022 the focus for the EU month is phishing and ransomware – both of which are highly prevalent and successful tactics deployed by cyber criminals across all business types. Taking the legal sector as an example, email phishing made up 83% of the reports received by the regulator (Solicitors Regulation Authority) when it came to cybercrime in 2021. When it comes to ransomware, attacks of this nature increased by 288% in 2021. These staggering figures in just one sector suggest there is a huge need for continued education, awareness and robust intrusion detection and prevention techniques.
Supporting cyber skills
As well as educating users, a dedicated month is a great way to enthuse and engage talent to enter the cybersecurity sector to bolster the fight against cybercrime. The need for skilled workers within the sector is only increasing as threat levels rise and evolve. Schemes such as CyberFirst, which aims to encourage and nurture cyber careers among talented young people, have been set up to support this demand.
A cyber awareness month is a positive and prominent way to extend the reach of such schemes, as well as directly promoting careers in cybersecurity, which will help to attract the talent needed and further strengthen the UK’s cyber resilience.
While a gradual move away from observing the EU Cybersecurity Month was inevitable, the objectives and value of a dedicated initiative should not be underestimated. Is it feasible to establish an awareness month of our own in the UK? Although the focus of the last couple of years has been diverted towards getting through the pandemic and adjusting to the ‘new normal’, as businesses begin to re-establish other priorities, a renewed focus on cyber awareness needs to be among them.
Not only will it help to increase threat perception at an individual level, which is particularly important amid the geopolitical uncertainty we face, it will also help encourage talent in the cyber sector, in turn supporting the UK tech economy.