National Cyber Security Alliance Launches Program to Build a Strong Culture of Cybersecurity at Work
WASHINGTON, D.C. – In today’s rapidly evolving technological landscape, it’s critical for businesses and other organizations to be prepared for – and know how to respond to – cybersecurity incidents. Many organizations, however, have a lot of work to do when it comes to guarding against cyber threats. In MediaPro’s second annual State of Privacy and Security Awareness survey of employees and the general public, for the second consecutive year, the average respondent was rated a security “novice” after being quizzed about security and privacy best practices. In Week 2 of National Cyber Security Awareness Month (NCSAM) – a far-reaching online safety awareness and education initiative co-founded and led by the National Cyber Security Alliance (NCSA) and the U.S. Department of Homeland Security (DHS) – NCSA is encouraging every workplace to create a culture of cybersecurity from the break room to the boardroom.
To further the cyber readiness of the nation’s small and medium-sized businesses (SMBs), NCSA is announcing the launch of a new initiative, CyberSecure My Business. The project is a comprehensive, national program comprised of interactive training based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework, webinars and web resources to help businesses be resistant to and resilient from cyberattacks. The first webinar takes place on Oct. 10 from 2 p.m. – 3 p.m. EDT and will address ransomware and phishing. Learn more and register for upcoming webinars.
“SMBs are critical to our economic and national security,” said Michael Kaiser, NCSA’s executive director. “NCSA is thrilled to introduce CyberSecure My Business to help organizations proactively protect their customers, employees and intellectual property – and by extension their reputations and success.”
As the program’s cornerstone, NCSA has translated the NIST Cybersecurity Framework into an introductory-level, in-person, highly interactive workshop. The workshop series – hosted in partnership with the Federal Trade Commission (FTC) with support from the Federal Bureau of Investigation and DHS in addition to occasional support from the Small Business Administration ‒ includes both in-person workshops and monthly webinars providing guidance on integrating cybersecurity practices. The sessions interpret the NIST Cybersecurity Framework into easy-to-understand language and incorporate content from federal and industry partners, including recent threat data.
“The NIST Cybersecurity Framework helps make cybersecurity immediately relevant to businesses by starting with a simple question for business owners and operators: What do you have to protect?” said Kaiser.
Take these steps outlined in the framework to better safeguard your organization against cyber threats:
- Identify: Conduct an inventory of your most valuable assets – the “crown jewels” of greatest importance to your business and of most value to criminals – such as employee, customer and payment data.
- Protect: Assess what protective measures you need in place to defend the organization as much as possible against a cyber incident.
- Detect: Have systems set up that would alert you if an incident occurs, including the ability for employees to report problems.
- Respond: Make and practice an incident response plan to contain an attack and maintain business operations in the short term.
- Recover: Know what to do to return to normal business operations after an incident or breach, including assessing any legal obligations.
Check out the latest NCSAM infographic for simple cybersecurity tips your business can follow (download and share it on social media using the hashtag #CyberAware!).
Seventy percent of MediaPro’s survey respondents showed at least some lack of security and privacy awareness. The study had several other notable findings:
- 24 percent of employees surveyed took potentially risky actions when presented with scenarios related to organizational physical security, such as letting strangers in without identification.
- 20 percent of employees showed a lack of awareness related to safe social media posting, choosing risky actions such as posting on their personal social media accounts about a yet-to-be-released product of their employer.
- 19 percent of respondents chose to take risky actions related to working remotely, such as connecting their work computers to an unsecured public WiFi hotspot.
- 12 percent of respondents failed to recognize common signs of malware when presented with real-life examples, such as a sluggish computer or anti-virus software unexpectedly switching off.
“In the past, organizations may have implemented security awareness activities merely for compliance or behavior change, but now people are looking at ways to go beyond just behavior and make security part of the culture,” said Lance Spitzner, director of SANS Security Awareness and a NCSA Board of Directors member. “Awareness programs are important because organizations are repeatedly seeing people as the primary targets for bad guys; cybersecurity is both a technical and human problem – and it requires a technical and human solution.”
As technology advances, our critical infrastructure is increasingly run on digital networks to maximize efficiency and effectiveness. NCSAM Week 2 is kicking off with “Insights on Cybersecurity for Electric Utilities,” an event hosted by the National Rural Electric Cooperative Association (NRECA) and supported by NCSA, DHS and the FTC. The event – taking place on Tuesday, Oct. 10 – will give members and others from the energy industry an opportunity to discuss their cybersecurity needs and issues and take part in an interactive cybersecurity workshop based on the NIST framework. The event will feature a keynote address by FTC Acting Chairman Maureen K. Ohlhausen and remarks from experts representing the NRECA, NCSA, DHS, the U.S. Department of Energy and more.
Top Business Concerns Include Ransomware, the Internet of Things and Bring Your Own Device (BYOD) Policies
As large-scale breaches continue to make headlines and businesses of all sizes fall victim to cyberattacks, organizations are more regularly thinking about the importance of cybersecurity. Ransomware – malware that accesses files, locks and encrypts them and then demands that the victim pay a ransom to get the files back – has been growing in prevalence and is a top concern for businesses, with threats such as WannaCry and the Petya attacks making the news in recent months. It’s important for organizations to know how to protect their critical customer, employee and intellectual property data so that they can be prepared in the event of a ransomware attack. Learn more about this threat and how to protect your organization against it here.
Another area of concern for businesses is the growing Internet of Things (IoT), in which increasing numbers of devices – including wearables, TVs, cameras, speakers and vehicles – are connecting to the internet and collecting, managing and/or using personal data. Cybercriminals have used unsecured IoT devices to take down massive numbers of websites at once, and other threats like IoT “as-a-service” breaches and attacks on connected city systems make it important for organizations to know how to secure their connected devices and networks. Businesses must work to keep their devices safer and more secure over time and build cybersecurity into their processes just as they value physical safety regulations in the workplace.
A third cybersecurity concern more and more businesses are facing is maintaining security in a BYOD workplace. Now more than ever, employees are using their personal smart devices – such as PCs and smartphones – for work purposes, which grows the potential number of vulnerabilities and makes cybersecurity in the workplace more complicated. It’s important for organizations to consider where sensitive company, customer and/or employee data is being accessed, and implement awareness and education activities, plans and policies to encourage security best practices regardless of the device being used.
Be a Part of Something Big: Become a NCSAM Champion
One way you and/or your organization can participate in NCSAM is by becoming a NCSAM Champion. Champions represent those dedicated to promoting a safer, more secure and more trusted internet. Becoming a Champion is easy and does not require any financial support. There are already more than 870 organizations and nearly 320 individuals signed up to support the month. Champions receive a toolkit of online safety awareness and education materials they can use to support the month and updates leading up to and throughout October on resources, upcoming events and ways to get involved.
Upcoming NCSAM Events
NCSA and partners will host a number of events across the country up to and throughout NCSAM. Noteworthy upcoming events and initiatives include:
- Insights on Cybersecurity for Electric Utilities, Tuesday, Oct. 10, 8:30-9:45 a.m. (EDT), National Rural Electric Cooperative Association (NRECA), 4301 Wilson Boulevard, Arlington, VA: This event – hosted by the NRECA in collaboration with NCSA and DHS – will highlight expert remarks on what is being done in cybersecurity by the electric sector to help ensure affordable, reliable and resilient electricity for the nation. The event will be livestreamed to the public here.
- CyberSecure My Business Webinar – Let’s Talk About Ransomware and Phishing, Tuesday, Oct. 10, 2:00-3:00 p.m. EDT/11:00 a.m. – 12:00 p.m. PDT, Virtual/Online: Ransomware and phishing are on the minds of business owners from small to large companies. NCSA has brought together public and private-sector experts to help small and medium-sized businesses and nonprofits better understand how to combat these common attacks. Thank you to our Contributing Sponsor, MediaPro, and government partners the Federal Trade Commission and the National Institute of Standards and Technology!
- #SBAchat – Cybersecurity Tips for Small Businesses, Tuesday, Oct. 10, 3:00-4:00 p.m. EDT/12:00-1:00 p.m. PDT, Virtual/Online: Join the U.S. Small Business Administration (@SBAgov) for a Twitter chat in honor of National Cyber Security Awareness Month. This chat will discuss how your organization can strengthen its cybersecurity. Use #SBAchat to join!
- #ChatSTC Twitter Chat: Cybersecurity in the Workplace Is Everyone’s Business, Thursday, Oct. 12, 3:00-4:00 p.m. EDT/12:00-1:00 p.m. PDT, Virtual/Online: Whatever your place of business, creating a culture of cybersecurity is an essential shared responsibility among leadership and all employees. Every organization needs a plan for employee education, training and awareness that emphasizes risk management, resistance and resilience. This Twitter chat will showcase how all businesses can protect themselves, their employees and their customers against the most common cyber threats and strengthen their cyber resilience. Use #ChatSTC to join!
- Future of Authentication Policy Forum, Friday, Oct. 13, 10:00 a.m. – 2:30 p.m. (EDT), Civiletti Conference Center – Venable LLP, 600 Massachusetts Avenue NW, Washington, D.C.: The FIDO Alliance, NCSA and the Electronic Transactions Association are pleased to host this Future of Authentication Policy Forum to discuss the critical importance of strong, multi-factor authentication.
- Free Computer Workshop – How to Protect Yourself From Ransomware, Saturday, Oct. 14, 11:00 a.m. – 12:30 p.m. (EDT), 184 Phelps Street, Painesville, OH: TERKK’s Computer Services LLC has partnered with Morley Library to offer a free community workshop to enhance your technical skills.
- DC CyberWeek, Monday, Oct. 16 – Friday, Oct. 20, Washington, D.C. (multiple locations): DC CyberWeek is a weeklong SXSW-style festival in our nation’s capital bringing together leaders, experts and decision makers from the government and tech communities. The festival features dozens of community events complemented by core conferences and parties created by the festival organizer, CyberScoop. DC CyberWeek is about big ideas and coming together to make an impact on the greater good of our connected world.
- Cyber Security & Technology Conference, Wednesday, Oct. 18, 9:00 a.m. – 5:00 p.m. (EDT), 903 Manchester Street, Suite 190, Lexington, KY: Business leaders, professionals and thought leaders will convene in Lexington for a one-day interactive conference hosted by Integrity IT. The event will explore the latest in the field of information technology and the newest cyber crime prevention methods. Through presentations, discussions and technology spotlights, you will develop and build long-term actionable strategies designed to help improve your security posture. You will leave with solutions to implement the very next day.
- Cyber Security Chicago, Wednesday, Oct. 18 – Thursday, Oct. 19, 2301 S. King Drive, Chicago, IL: Cyber Security Chicago offers invaluable security insight for both IT managers and security decision makers. Hear from industry experts about how you can build stronger defenses against cyber attacks and how to recover if your systems are breached.
- SecureWorld Dallas, Wednesday, Oct. 18 – Thursday, Oct. 19, 2000 East Spring Creek Parkway, Plano, TX: Join your fellow security professionals for affordable, high-quality cybersecurity training and education. Attend featured keynote presentations, panel discussions and breakout sessions – all while networking with local peers. Earn 6-12 CPE credits through educational elements, learning from nationally recognized industry leaders. Visit the expo hall and discover the latest technologies from security solutions providers. Use a NCSA promo code at registration to get a discount on your pass.
- #ChatSTC Twitter Chat: Today’s Predictions for Tomorrow’s Internet, Thursday, Oct. 19, 3:00 – 4:00 p.m. EDT/12:00-1:00 p.m. PDT, Virtual/Online: Smart cities, connected healthcare devices, digitized records and smart cars and homes have become our new reality. Always-on technology, while it makes our lives more convenient and unlocks potential for the future, is fueled by our personal information, which presents security and privacy concerns for both consumers and businesses. This Twitter chat – coinciding with Week 3 of National Cyber Security Awareness Month – will highlight the growing Internet of Things and discuss how to use cutting-edge technology in safer and more secure ways. Use #ChatSTC to join!
- Higher Ed Cyber Security Challenge Presented by Symantec, Thursday, Oct. 19 – Friday, Oct. 20, Virtual: Does your school have the best cybersecurity team in higher education? Register your cyber team to compete in Symantec’s first-ever nationwide Higher Ed Cyber Security Competition. The competition will help higher education cybersecurity leaders understand the vulnerabilities of today’s global threat landscape, gain critical security intelligence and put their skills to the test in a high-pressure environment.
- Can the Internet of Insecure Things Be Saved? Thursday, Oct. 19, 1:00-2:00 p.m. (EDT): Adoption of enterprise IoT is accelerating quickly from manufacturing to transportation and utilities to healthcare as it provides a plethora of insight to strengthen machine learning and help humans do their jobs better and more efficiently. However, the innovation and proliferation of connected devices provides expanded vulnerabilities and a lucrative market for cybercriminals. What are these vulnerabilities and what big idea solutions are in the works to address these IoT threats? Hosted by RSAC and NCSA, experts will debate these issues and more during a webcast in honor of National Cyber Security Awareness Month.
- Free Computer Workshop – Six Steps to Better Security, Saturday, Oct. 21, 11:00 a.m. – 12:30 p.m. (EDT), 184 Phelps Street, Painesville, OH: TERKK’s Computer Services LLC has partnered with Morley Library to offer a free community workshop to enhance your technical skills.
- SecureWorld Cincinnati, Tuesday, Oct. 24, 8:00 a.m. – 3:45 p.m. (EDT), 11355 Chester Road, Cincinnati, OH: Join your fellow security professionals for affordable, high-quality cybersecurity training and education. Attend featured keynote presentations, panel discussions and breakout sessions – all while networking with local peers. Earn 6-12 CPE credits through educational elements, learning from nationally recognized industry leaders. Visit the expo hall and discover the latest technologies from security solutions providers. Use a NCSA promo code at registration to get a discount on your pass.
- CyberNextDC: Privacy. Partnerships. Protection. Wednesday, Oct. 25, 7:30 a.m. – 6:00 p.m. (EDT), 600 Massachusetts Avenue NW, 9th Floor, Washington, D.C.: In honor of NCSAM, the Coalition for Cybersecurity Policy & Law, the Cyber Threat Alliance and The National Security Institute at the George Mason University Antonin Scalia School of Law will host this inaugural policy day in Washington. This daylong event will feature prominent members of the cybersecurity community as well as congressional and administration leadership who are actively engaged in cybersecurity policy issues. The event will also feature top policymakers, leading industry practitioners and other experts discussing the current state of cybersecurity, fostering critical discussions among participants and identifying forward thinking approaches to improve cybersecurity.
Learn more about upcoming NCSAM events (and submit your own events to NCSA’s events calendar) at staysafeonline.org.
Helpful Resources from NCSA and Partners
- CyberSecure My Business
- NCSA and NACD Tip Sheet: Communicating with the Board about Cybersecurity – Making the Business Case
- NCSAM Infographic – Cybersecurity in the Workplace Is Everyone’s Business
- Ransomware Facts & Tips
- DHS’ Stop.Think.Connect. Toolkit: The Stop.Think.Connect. Toolkit provides numerous materials on how small businesses and industry can protect themselves from cyber attacks. These include tip cards for phishing, insider threats, identity theft and internet scams.
- DHS’ Critical Infrastructure Cyber Community Voluntary Program (C3VP): C3VP encourages use of the National Institute of Standards and Technology (NIST) Cybersecurity Framework to manage cyber risks and strengthen critical infrastructure cybersecurity through resources like the Small and Mid-Sized Businesses toolkit.
- DHS’ Federal Virtual Training Environment or FedVTE is a free, online, on-demand cybersecurity training system for federal, state, local, tribal and territorial government personnel. The FedVTE Training Catalog consists of various cybersecurity courses, ranging from beginner to expert. Share this information with any government employees or veterans you know!
- The National Initiative for Cyber Careers & Studies (NICCS): NICCS was created by DHS as a key public resource for cybersecurity careers and training. The Training Catalog contains over 3,000 courses with more being added every day! Additionally, the NICCS website includes key resources for employers looking to build out their cybersecurity teams and job seekers pursuing positions within cybersecurity. These include The National Cybersecurity Workforce Framework and The Cybersecurity Workforce Development Toolkit.
- The Better Business Bureau found that only half of small businesses could remain profitable for even two months if they lost essential data. This is a significant finding in the 2017 “State of Cybersecurity Among Small Businesses in North America” report that will be released on Thursday. The full report focuses on the effectiveness of cybersecurity best practices, standards, and frameworks. It also addresses how to make cost-effective cybersecurity investment decisions. To receive a copy of the report when it is released, send an email to [email protected].
- ESET’s Security Awareness Training: ESET’s Cybersecurity Awareness Training is a free on-demand training program that allows businesses to get their employees the cyber-smarts they need, while also meeting compliance. This training is a must for SMBs that want to make sure their employees become more cyber aware, and are equipped with the knowledge to defend your network.
- Start With Security: A Guide for Business: The FTC’s 50+ data security settlements offer guidance for businesses on how to keep sensitive information safer. “Start with Security” synthesizes those cases into 10 practical lessons adaptable to companies of any size and in any sector.
- Protecting Personal Information: A Guide for Business: Most companies keep sensitive personal information in their files. If this information falls into the wrong hands, it can lead to fraud or identity theft. The principles in this brochure can help a business keep data secure.
- Data Breach Response: A Guide for Business: You just learned that your business experienced a data breach. Find out what steps to take and who to contact if personal information is exposed.
- Logical Operations
  - CyberSAFE Readiness Test: End-users play a critical role in protecting their organization’s data, but they are often the weakest link in the security chain due to lack of awareness of potential threats. The CyberSAFE Readiness Test is a complimentary tool that can be used to measure the extent to which employees can recognize and avoid common cyber threats like phishing, malware and non-secure websites.
  - CFR Readiness Test: Comprised of 20 questions, the CyberSec First Responder (exam CFR-210) Readiness Assessment is a complimentary tool to help you evaluate your current level of expertise as a cybersecurity professional, and give you a sense of the skills and knowledge you’ll acquire from the CyberSec First Responder (exam CFR-210) training.
- MediaPro NCSAM 2017 Toolkits: Once per week in October, MediaPro will send those who opt in a free bundle of security awareness resources aligned with NCSAM weekly themes. Each toolkit includes an assortment of employee-facing educational resources and security program management content to help you create a risk-aware workforce.
- Microsoft Store Events: Cybersecurity attacks are on the rise and Microsoft Store is committed to supporting all consumers, small businesses and entrepreneurs to understand how to stay safe from cyberattacks. Protect yourself or your small business by taking advantage of special events, workshops and resources at your local Microsoft Store and Microsoft.com during National Cyber Security Awareness Month, including:
  - Office Hours for Business, partner-led presentations and a new “Cybersecurity for your Business” workshop where you can learn about common security risks and how to stay safe with Microsoft products and services.
  - New cybersecurity risk assessment tool to help assess cyberthreats, estimate potential costs and learn about countermeasures for each risk.
All month long, you can follow the NCSAM conversation on social media using the hashtag #CyberAware (and tag your own posts with #CyberAware, too!). Additionally, @STOPTHNKCONNECT will host weekly Twitter chats in support of NCSAM to discuss different topics and trends in cybersecurity. Tune in for hour-long chats Oct. 12, 19 and 26 and Nov. 1 at 3 p.m. EDT/noon PDT; visit the STOP. THINK. CONNECT.™ website for the full chat schedule. NCSA has created sample social media posts, infographics, posters, memes and more that you can download and share, and encourages organizations and individuals to show their support for NCSAM and get the latest resources by registering as NCSAM Champions. Finally, check out the Stay Safe Online blog for NCSAM posts from NCSA and partners during the month of October.
About National Cyber Security Awareness Month
National Cyber Security Awareness Month (NCSAM) was created as a collaborative effort between government and industry to ensure every American has the resources they need to stay safer and more secure online. Now in its 14th year, NCSAM was co-founded and is co-led by the Department of Homeland Security and the National Cyber Security Alliance, the nation’s leading nonprofit public-private partnership promoting the safe and secure use of the internet and digital privacy. Recognized annually in October, NCSAM involves the participation of a multitude of industry leaders ‒ mobilizing individuals, small and medium-sized businesses, nonprofits, academia, multinational corporations and governments. Encouraging digital citizens around the globe to STOP. THINK. CONNECT.™, NCSAM is harnessing the collective impact of its programs and resources to increase awareness about today’s ever-evolving cybersecurity landscape. Visit the NCSA media room for more information and resources.
About the National Cyber Security Alliance
The National Cyber Security Alliance (NCSA) is the nation’s leading nonprofit, public-private partnership promoting cybersecurity and privacy education and awareness. NCSA works with a broad array of stakeholders in government, industry and civil society. NCSA’s primary partners are the U.S. Department of Homeland Security (DHS) and NCSA’s Board of Directors, which includes representatives from ADP; Aetna; AT&T Services Inc.; Bank of America; Barclays; CDK Global, LLC; Cisco; Comcast Corporation; ESET North America; Google; Facebook; LifeLock, Inc.; Logical Operations; NXP Semiconductors; RSA, the Security Division of EMC; Symantec Corporation; Intel Corporation; MasterCard; Microsoft Corporation; PayPal; Raytheon; PKWARE; Salesforce; SANS Security Awareness; TeleSign; Visa and Wells Fargo. NCSA’s core efforts include National Cyber Security Awareness Month (October); Data Privacy Day (Jan. 28) and STOP. THINK. CONNECT.™, the global online safety awareness and education campaign co-founded by NCSA and the Anti-Phishing Working Group, with federal government leadership from DHS. For more information on NCSA, please visit staysafeonline.org/about-us/overview/.
About STOP. THINK. CONNECT.™
STOP. THINK. CONNECT.™ is the global cybersecurity education and awareness campaign. The campaign was created by an unprecedented coalition of private companies, nonprofits and government organizations with leadership provided by NCSA and the Anti-Phishing Working Group. DHS leads the federal engagement in the campaign. Learn how to get involved at stopthinkconnect.org.