Bipartisan House lawmakers introduced legislation to increase cybersecurity literacy and security awareness among the American public amid a spike in cybersecurity threats against critical infrastructure. 

Specifically, the legislation would require the National Telecommunications and Information Administration (NTIA) to establish a cybersecurity literacy campaign to increase knowledge and awareness of cybersecurity risks among the American public, including best practices for preventing cyberattacks.

John Bambenek, Threat Intelligence Advisor at Netenrich, a San Jose, Calif.-based Resolution Intelligence provider, says, "Awareness is important and increasing the literacy of everyday users is crucial. That being said, the core problem is multi-billion dollar tech companies are creating technologies they foist on society (often as near-monopolies) and then outsource all the risks of the use of their technologies onto society at large, many of whom will never have the literacy or resources to protect themselves. A few billboards from the Ad Council isn’t going to fix this problem."

Representative Adam Kinzinger (IL-16), Gus Bilirakis (R-FL), Anna Eshoo (D-CA), Marc Veasey (D-TX), and Chrissy Houlahan (D-PA) cite recent cyberattacks, such as the Colonial Pipeline ransomware attack, that have disrupted business and threatened national security. 

The campaign would identify the critical areas of an IT system that present cybersecurity risks and educate American people on how to prevent and mitigate such attacks by:

  • instructing American people on how to identify phishing emails; and secure websites;
  •  instructing American people on the need to change default passwords on hardware and software technology;
  • encouraging the use of cybersecurity tools, including multi-factor authentication; complex passwords; firewalls; and anti-virus software.  
  • identifying the devices that could pose possible cybersecurity risks, including: personal computers; smartphones; tablets; Wi-Fi routers; and smart home appliances:
  • encouraging Americans to: regularly review mobile application permissions; decline privilege requests from mobile applications that are unnecessary; download applications only from trusted vendors or sources; and connect internet of things or devices to a separate and dedicated network; and
  • identifying the potential cybersecurity risks of using publicly-available Wi-Fi networks and the methods a user may utilize to limit such risks; and
  • direct American people and businesses to federal resources to help mitigate cybersecurity risks

The question is, however, will this truly help organizations keep cyberattacks at bay, particularly those caused by employees? 

"Increased awareness certainly has its place on the consumer side of the cybercrime equation, but it isn’t clear how much that alone will move the needle with organizations faced with the threat of ransomware. All things being equal, behavior follows behavioral incentives – so from an organizational standpoint, if the knowledge of how to act is part of the equation, accountability for failure to act may very well be the other," says Tim Wade, Technical Director, CTO Team at Vectra, a San Jose, Calif.-based AI cybersecurity company.

Joseph Carson, chief security scientist and Advisory CISO at ThycoticCentrify, a Washington D.C.-based provider of cloud identity security solutions, explains that one of the biggest mistakes security professionals can make is to assume that other personnel and staff have the same understanding for good cyber hygiene as they do. "By assuming that everybody is a possible walking vulnerability, security teams can better implement proactive measures and educational programs to keep staff, especially those with privileged access credentials, aware of various security risks that can happen at any time."

Password hygiene must be an integral part of employee training and cyber awareness training, Carson adds. "The average worker isn’t trained in cyber hygiene and best practices, making them easy prey for cybercriminals looking to access an organization's networks quickly and easily via a phishing attack or social engineering. By ensuring that employees at every level are given sufficient training about how to identify malware-laced emails and other basic attempts at credential theft can be a major step to help lessen the success rate of an attack or at least raise an alert. By normalizing training within the culture of the workplace, organizations can help maintain vigilance for these practices in the long term."