
Cybersecurity Awareness Month 2018: Three Years In, What's Changed


Three Cybersecurity Awareness Months ago, we published our first blog post. In that time, we've covered WannaCry, NotPetya, Equifax, Cambridge Analytica, Meltdown/Spectre, GDPR, and dozens of smaller incidents. The threat landscape has transformed. But so has awareness.

What's Improved

Security Consciousness

In 2015, trying to convince a practice owner to invest in security was like selling umbrella insurance. "We're too small to be targeted." Today, that conversation has flipped. WannaCry and NotPetya made it impossible to deny that the threats are real and indiscriminate. Small practices now understand they're at risk.

Two-Factor Authentication Adoption

Three years ago, 2FA was something only tech-savvy people used. Today, it's standard on most major services. Google, Microsoft, Apple, Amazon, and most dental software vendors offer 2FA. Adoption is growing. It's not universal yet, but the infrastructure exists and the momentum is real.

Backup Awareness

Ransomware made backups a household word (if "household" means dental and medical practices). Everybody understands backups are critical. The challenge now is implementing them properly, not convincing people they're necessary.

Privacy Consciousness

GDPR and Cambridge Analytica put data privacy in the spotlight. Regulators are responding. US states are drafting privacy legislation. Patients and employees are asking questions about their data. Privacy went from a niche compliance issue to a mainstream concern.

What's Still Broken

Patch Management

After three years and multiple "the attack exploited an unpatched vulnerability" incidents, patching is still inadequate in most small organizations. The patches exist. They're available. They're free. And yet, organizations still run systems with known vulnerabilities. Some out of neglect, some out of fear that patches will break systems, some out of simple inertia.

Password Reuse

The LinkedIn breach was three years ago. Credential stuffing attacks have been constant. And yet, password reuse remains rampant. A password manager costs $20-50 per year and would solve this. Most practices still don't use one.

Incident Response Planning

We've written extensively about incident response plans. Most practices still don't have one. When something goes wrong, they improvise. Improvisation during a crisis leads to poor decisions and worse outcomes.

Shared Passwords

We've spent three years writing about the problems with shared credentials. Yet many practices still have one password that "everyone uses" for shared accounts. It's the path of least resistance, and resistance is hard.

The Three-Year Scorecard

Progress made:

  • Security awareness up dramatically
  • Backup solutions widely available and more affordable
  • Two-factor authentication support nearly universal
  • Privacy regulation advancing

Stubborn problems:

  • Patch management still inconsistent
  • Password security practices unchanged
  • Incident response planning rare
  • Change management difficult

Year Four

The big security trends heading into 2019: cloud migration accelerating, artificial intelligence being weaponized, supply chain attacks becoming more common, and healthcare remaining a top target. We'll keep writing about it.

Happy Cybersecurity Awareness Month. Here's to year four.