Boztek

Cybersecurity Awareness Month needs a radical overhaul – it needs legislation

As Cybersecurity Awareness Month arrives in October, various stakeholders, including governments and corporations, prepare to share online safety tips. While traditional advice emphasizes practices such as strong passwords, multi-factor authentication (MFA), and avoiding phishing attempts, the effectiveness of these campaigns in fostering substantial behavioral change remains questionable. Despite consistent messaging over the last two decades, the growing complexities of cybersecurity risks necessitate a critical reassessment of current strategies.

The article posits that simply disseminating guidance is insufficient. It advocates for a paradigm shift wherein the cybersecurity sector must consider legislative measures to enforce better practices, particularly concerning the protection of personally identifiable information (PII). This perspective diverges from the typical reluctance to solve issues through legislation, asserting that without regulatory intervention, progress in improving cybersecurity practices will stagnate.

A key focus is on the adoption of MFA. The piece argues that many popular online platforms still do not offer MFA, or offer it without making it the default option, even though enabling it by default enhances security. While concerns about accessibility are acknowledged, the author contends that the norm should be for MFA to be enabled by default, with users able to disable it only for legitimate needs. The assertion is that making security practices obligatory, as Apple did with its 2017 decision to enforce MFA, can facilitate greater adoption without negative consequences for businesses.

Moreover, the article emphasizes that enabling MFA universally would diminish risks associated with poor password practices. The additional layer of security provided by MFA would guard against credential theft, which has plagued the digital landscape for years, and so reduce the emphasis on the necessity of unique passwords. The author draws parallels to the General Data Protection Regulation (GDPR), illustrating how stringent regulations have necessitated improved practices among companies by making the cost of non-compliance a significant deterrent.

The article proposes that Cybersecurity Awareness Month could evolve from its current focus on basic security tips to addressing more advanced issues, such as elaborate scams. It envisions a future conversation that prioritizes broader cybersecurity concerns over rote advice, thereby making room for critical discussions about real threats.

Ultimately, the author calls for policymakers to initiate legislative changes in the cybersecurity industry, aiming to enhance consumer protection and shift focus towards educating the public on pressing security issues. The assertion is clear: awareness campaigns must evolve beyond mere advice, integrating regulatory measures to effectively combat the increasingly sophisticated landscape of cyber threats.