Cybersecurity Awareness Month needs a radical overhaul – it needs legislation. Despite the benefits of awareness campaigns, they alone are not enough to encourage widespread adoption of cybersecurity best practices. As we enter October, governments, non-profit organizations, cybersecurity vendors, and companies with corporate social responsibility teams are gearing up to push out useful tips on staying safe online. However, the usual advice – such as using strong and unique passwords, enabling multi-factor authentication (MFA), and avoiding phishing links – may not be enough to drive meaningful behavioral change and address the growing security risks of today and tomorrow.
After a decade of promoting the same guidance, it’s time for the industry to rethink its approach. The conversation around cybersecurity should evolve beyond just lecturing about basic security practices like strong passwords and MFA. The spotlight should shift to real cybersecurity issues, such as rampant scams duping people out of their hard-earned cash. This shift in focus could be facilitated by legislation that enforces better cybersecurity practices, especially where personally identifiable information (PII) or other valuable data is at stake.
For instance, requiring all companies storing PII to enable MFA on all user accounts by default could significantly mitigate the risks associated with password recycling. While there may be accessibility concerns with MFA enabled by default, it should be the norm for most users. Companies like Apple, which forced MFA for all users in 2017, have shown that this approach does not lead to a loss of users or a decline in share price.
The emphasis on strong and unique passwords will decrease as the added layer of MFA greatly helps prevent credential theft. The persistence of credential theft as a major issue for so long necessitates a rethink. Effective precedents for this include the General Data Protection Regulation (GDPR), which changed the dynamic by imposing hefty regulatory fines that justify the budget for proper data security measures.
Imagine Cybersecurity Awareness Month next year without the lecturing about basic security practices. The conversation could finally evolve to address real cybersecurity issues. To all policy-makers out there, it’s time to shift this conversation and legislate on what the industry has failed to implement so that crucial education on real cybersecurity issues can become the headline.
In summary, while awareness campaigns have their benefits, they are not enough to create a safe and secure cyberspace. It’s time for a radical rethink and legislation to enforce better cybersecurity practices, ensuring that the crucial education on real cybersecurity issues takes center stage.
Be the first to comment