Bipartisan Legislation Would Establish Cybersecurity Literacy CampaignBipartisan Legislation Would Establish Cybersecurity Literacy Campaign

A bipartisan group of U.S. House members introduced legislation to establish a cybersecurity literacy and public awareness campaign.

The cybersecurity literacy bill comes amid the increasing onslaught of cyberattacks. These include headline-grabbing attacks on SolarWinds and Microsoft Exchange, and ransomware attacks such as Colonial Pipeline and JBS USA.

U.S. Rep. Adam Kinzinger of Illinois leads the cybersecurity literacy initiative. U.S. representatives of both parties from Florida, California, Texas and Pennsylvania are co-sponsoring the bill.

“As technological advancements increase and become more complex, it is critical that everyone is aware of the risks posed from cyberattacks and how to mitigate those risks for personal security,” Kinzinger said.

Preventing Successful Cyberattacks

The legislation would require the National Telecommunications and Information Administration (NTIA) to establish a cybersecurity literacy campaign. It would help promote understanding of how to stay safe online and prevent successful cyberattacks.

Moreover, it would include lessons on how to identify malicious phishing emails, the need to change passwords often and use multifactor authentication (MFA) on sensitive accounts.

I would also highlight cyber risks posed by the use of publicly available Wi-Fi hot spots, among other issues.

Veridium’s Rajiv Pimplaskar

Rajiv Pimplaskar is chief revenue officer at Veridium. He said education is “half the battle, and it’s great to see the NTIA launching a cyber literacy campaign.”

“One of the key topics of awareness needs to be acknowledging that a chain is as strong as the weakest link, and sparking a debate about balancing security with convenience and choice at the user level,” he said. “Educated users will be more willing and better prepared to move away from complex, unwieldy and easily abuse passwords, and choose new and better passwordless authentication methods instead.”

Authenticators like phone-as-a-token or FIDO2 security keys are more resistant to phishing attacks, Pimplaskar said.

Beyond the urgent necessity of improving security for individuals and organizations, heightened user awareness and demand can incentivize B2C and B2B companies to offer increased choices of such authenticators, which in turn reduce customer friction and improve productivity, he said.

Everyone is a Potential Vulnerability

Thycotic’s Joseph Carson

Joseph Carson is chief security scientist and advisory CISO at ThycoticCentrify.

“One of the biggest mistakes security professionals can make is to assume that other personnel and staff have the same understanding for good cyber hygiene as they do,” he said. “By assuming that everyone is a potential walking vulnerability, security teams can better implement proactive measures and educational programs to keep staff — especially those with privileged access credentials — aware of various security risks that can happen at any time.”

Password hygiene should always be part of employee training and cyber awareness training, Carson said.

“The average worker isn’t trained in cyber hygiene and best practices, making them easy prey for cybercriminals looking to access an organization’s networks quickly and easily via a phishing attack or clever social engineering,” he said. “By ensuring that employees at every level are given sufficient training about how to identify malware-laced emails and other rudimentary attempts at credential theft can be a major step to help reduce the success rate of an attack or at least raise an alert. And by normalizing training within the culture of the workplace, organizations can help maintain vigilance for these practices long term.”

Unsure of Impact on Ransomware Threat

Vectra’s Tim Wade

Tim Wade is technical director of Vectra‘s CTO team. He said increased awareness certainly has its place on the consumer side of the cybercrime equation. However, it isn’t clear how much that alone will “move the needle” with organizations faced with the threat of ransomware.

“All things being equal, behavior follows behavioral incentives,” he said. “So from an organizational standpoint, if the knowledge of how to act is part of the equation, accountability for failure to act may very well be the other.”

StrikeReady’s Anurag Gurtu

Anurag Gurtu is chief product officer at StrikeReady. He said it’s important to have a strong understanding of cybersecurity literacy to thwart cyberattacks. That includes using strong passwords and enlisting two-factor authentication (2FA).

“You can train users to recognize simple phishing attacks,” he said.

However, it’s harder to spot sophisticated attacks, Gurtu said.

“Despite that, there is no doubt that it is a positive step towards betterment,” he said. “Education always helps.”