Digital Safety
While awareness campaigns have their benefits, they typically aren’t enough to drive broad adoption of robust cybersecurity habits.

As the month of October approaches, governments, non-profit organizations, cybersecurity providers, and numerous companies with corporate social responsibility initiatives are likely preparing to roll out valuable guidelines for maintaining online security. Without hesitation, I instinctively offered my colleague a tried-and-true suggestion last week: employ multi-factor authentication (MFA) and implement robust security measures – and fortunately, I managed to recall almost all the essential details of this year’s designated “Protect Our World” theme.
Given the sheer volume of well-meaning guidance disseminated annually in October, one might reasonably assume that this collective effort would suffice to cultivate a secure and safeguarded online environment. But does it, actually? Has this guidance been effectively driving substantial behavioral shifts and addressing the growing safety concerns of today and tomorrow with measurable impact? Perhaps it’s high time to reexamine our current approach – acknowledging candidly that mere suggestion is insufficient in alleviating this issue.
Past suggestions and methods
After two decades of selling the same old script, Cybersecurity Awareness Month is set to mark its 22nd anniversary. On the occasion of this anniversary, it’s imperative that the industry undergoes a thorough reassessment of its cybersecurity posture, accompanied by proactive legislation and implementation of robust safeguards, particularly when sensitive data such as personally identifiable information (PII) or other valuable knowledge is involved. While I’m not always enthusiastic about updating laws and regulations, the reality is that we’re not witnessing the progress we need at our current pace. While some popular online services offer multifactor authentication (MFA), many still do not, and even those that do often fail to enable it by default. If all organizations storing sensitive personal information (PII) were to make multifactor authentication (MFA) mandatory for every user account, the topic may well be obsolete in subsequent years’ Cybersecurity Awareness Months.
Granted, there may also be accessibility concerns surrounding MFA being enabled by default; thus, it is essential that individuals who wish to opt out are able to do so freely. Regardless of the remaining group size, it is crucial that multi-factor authentication (MFA) be enabled by default as the industry standard best practice. Just as many websites currently all but hide the option to enable multifactor authentication, they should provide an equal opportunity for users to opt out of this feature.
In 2017, Apple led the charge among numerous pioneering companies by mandating multi-factor authentication (MFA) for all its customers. Did they lose customers? Was there a decline in the company’s stock price? The answer to both is no. When faced with uncertainty, customers are more likely to adopt a heightened sense of caution, ensuring the security of both their data and possessions. When options are made readily available but defaults are set to off, individuals are more likely to opt for the path that prioritizes convenience over risk, even if this means potentially sacrificing their well-being.
One significant benefit of enabling multi-factor authentication (MFA) by default is that it can significantly reduce the risks associated with password reuse, as a reused password bolstered by MFA poses far fewer security threats. Acknowledging this doesn’t condone the use of weak or reused passwords, and password best practices remain important. As an alternative solution, I suggest that a stronger focus on robust and unique passwords might wane, since the supplementary layer of multi-factor authentication (MFA) will significantly mitigate the risk of credential theft.
As a persistent and pervasive threat, credential theft demands a comprehensive reevaluation of our security strategies. Effective precedents have already been established; a prime example is the General Data Protection Regulation (GDPR). Without sufficient regulation, the European Union (EU) anticipated that companies would naturally follow the path of minimal effort: accumulating data without encryption, resulting in a largely unregulated approach to data security. Keeping data secure is a costly endeavour, leading cautious Chief Financial Officers to value short-term gains over long-term security. GDPR has had a transformative impact here: the prospect of substantial regulatory penalties has made a compelling business case for investing in robust data security practices.
Laws to the rescue
Let’s envision Cybersecurity Awareness Month next year as an opportunity to ignite a movement, not just reiterate the importance of robust passwords and multi-factor authentication. After years of relentless focus on these fundamental factors, the dialogue may finally begin to evolve. The spotlight may focus on pervasive scams deceiving people out of their well-deserved funds. While a few things are aligned immediately, many others often become lost in the process.
To policymakers: it is imperative to redirect the conversation, implementing legislation that addresses the industry’s long-standing shortcomings and prioritizes essential training on cutting-edge cybersecurity topics, catapulting them to the forefront of national discourse.