October is a popular month for spreading awareness.
The list of things we’re asked to train our attention upon in the first full month of fall includes the serious (AIDS, breast cancer, domestic violence), the semi-serious (dental hygiene, vegetarianism) and the silly (squirrels).
That’s right – October is Squirrel Awareness Month, at least in the US.
Also crammed into the awareness roster for October is cyber security. This year’s Cyber Security Awareness Month marks the 11th time government security agencies have designated this time of the year to shine a spotlight on what the US Department of Homeland Security (DHS) calls “one of our country’s most important national security priorities.”
This year’s observance, sponsored by the DHS in conjunction with the National Cyber Security Alliance and the Multi-State Information Sharing and Analysis Center, includes a full slate of activities focused on topics including securing IT products, critical infrastructure and the Internet of Things, cyber security for small businesses and cyber crimes and law enforcement.
Europeans have been conducting a cybersecurity Oktoberfest of their own for nearly as long as the US.
But of all the October awareness observances, it’s pretty safe to assume that cyber security is the only one accompanied by a presidential proclamation, which seems to lend a high degree of heft and urgency to the topic.
Given what seems to be a recent spike in cyber attacks, how effective is this campaign? And how aware of cyber security threats and vulnerabilities are businesses – in the US and around the world? When the calendar flips to November, can we count on knowing more about digital security risks than we did in October, or more about the feeding habits of a furry woodland creature?
I know I’m being unfair. The government and many private-sector groups have actually been next to vigilant in spreading the word about the dangers and repercussions – financial, physical and reputational – of cyber attacks, even calling on corporate directors to take on greater oversight of cyber security risks. Here’s a transcript of a June address on cyber security awareness to the New York Stock Exchange delivered by Securities and Exchange Commissioner Luis A. Aguilar.
The US government is also backing up its talk with money. 2014 cyber security spending significantly expanded, even doubled in some cases, compared to 2013, according to this InformationWeek column.
Message Not Received
But is the private sector getting the message?
The answer to that question, like most, depends on who you ask.
At the top of the corporate food chain, the level of cyber security awareness and activity appears to be high. Not surprisingly, JP Morgan Chase, which has been a target of recent cyber attacks, according to public accounts, has pledged to spend lavishly on digital defenses.
The company’s 2013 annual report includes an update from President, CEO and Chairman Jamie Dimon emphasizing the company’s commitment to digital security, including the construction of three “state-of-the-art Cybersecurity Operations Centers” and plans to allocate more than $250 million annually to cyber security by the end of 2014.
But what about more mainstream businesses? Are threats of major operational disruptions, customer lawsuits and business-crippling reputational damages gaining the attention of these CEOs or CFOs?
Not according to recently released research from PwC. The 2014 survey of more than 9,700 security, IT and business executives from 154 countries revealed that on average 2014 information security budgets were 4% smaller than 2013 budgets.
Ironically, the same report validates what most observers of the torrent of cyber crimes over the past year suspect: the rate of cyber attacks is growing – substantially.
According to the survey, “the total number of security incidents detected by respondents climbed to 42.8 million this year, an increase of 48% over 2013.”
It might be unfair to blame the messenger if businesses and the general public aren’t taking cyber threats more seriously. However, you don’t have to look far to find a compelling example of how a novel approach can shatter years of relative apathy.
New Approach Needed
Amyotrophic lateral sclerosis, or ALS, has been in the public consciousness since the late 1930s, when Lou Gehrig, the neurodegenerative disorder’s namesake, was diagnosed with the disease. Since then, ALS has shortened thousands of lives, including my father-in-law’s, in an unimaginably cruel fashion.
But thanks to Anthony Senerchia and his family’s ingenious exploitation of social media, awareness of ALS and its ravages has skyrocketed. In addition to coaxing thousands into makeshift showers this summer, the ALS Ice Bucket Challenge generated more than $100 million in donations, as of the end of August, compared to the $2.8 million the ALS Association collected the previous year.
Cyber Security Awareness Month and other efforts to bring attention to a ticking time bomb are a good start. But based on the latest assessments, it’s going to take a little more work and ingenuity to deliver the icy-water-in-the-face jolt of awareness that much of the corporate world apparently still requires.