This week marked the first week of the now annual ENISA cyber security month and as part of the agency for network and information security’s activities, awareness of citizens is key.
Speaking to IT Security Guru, head of core operations at ENISA Steve Purser, said that after the “pilot exercise” in 2012, he felt that the effort was going very well on its fourth day and after a lot of preparations and effort, there was a lot of potential to move forward.
He explained that it was a central idea to “keep the ball rolling in cyber security for a month, so the lengthy process allowed European nations time to achieve and allow them time to prepare and react.
Asked if he felt that more could be achieved in a month than a day or week-long campaign, Purser said he it was, and it wasn’t the case that every member stare has to do something, but it was about giving ENISA a month to set up things together so the attention of the general public is on cyber security so they can plan better and get more out of an awareness campaign.
“The reason is one day is rushed and to make the most out of it you need time, and the other key idea is we are trying to help industry and especially private industry to do something together, not alone, and spread the message across borders and communities to increase the possibility to pool resources, and the same goes for communities to get to get together and make the most of a common platform,” he said.
In terms of the materials provided, Purser that these are available via a website and coordination at member states, but he said it was not for ENISA to teach, but enable member states to bring people onboard with material.
He said: “This is not a marketing effort but a chance to work on principles and what needs to be done; we make it very clear that this is not a branding exercises and we teach the general public how to react in the cyber world.”
Participating are 26 countries, including 23 EU member states, and the early signs are that this will be a success. The idea was taken from the US cyber security awareness month and adapted to the EU, he said, and it was a learning process for them as much as businesses and citizens, and it was important to put the maximum effort into “doing”.
I asked him how the success of such an effort is measured, he pointed me to the 2012 report where a number of key recommendations on what happened were made, where recommendations were made on how to go forward. “This is how ENISA works
in general, closely with community, and one of biggest roles in Europe is to promote good practise and making sure we know what works and doesn’t,” he said.
“From 2012, from the data we gathered the conclusion was that it was a success. There was significant experience of participating countries, and commitments to change, some of the benefits includes national security, improving public opinion and the month also helps leveraging experience with other countries as it brings together positive gains,and that doesn’t usually happen with other campaigns.”
In terms of lessons learned, Purser said that one was to better understand the audience, including preparing materials in all of the major languages of Europe and being able to follow up after, and not only preparing high quality content of a high level, but increasing the number of private sector companies who are involved. “A high percent of business is owned, maintained and run by the private sector,” he said.
The report from 2012 determined that the first ever European Cyber Security Month was “a successful pilot project”, especially with the participating countries and their commitment to achieving long-lasting change in human behaviour and perception of risks. Among the successes were including national security events in a European initiative context, increasing the exposure at a European level and sharing experiences and information with the other countries and ENISA.
He concluded by saying that ENISA was trying to spread the net as far as possible, more at consumers and the general public at large, and he admitted that this was a very difficult group to reach and educate, but if it succeeds and helps business too than all the better. “It reaches very wide at every role they play and we want business to be secure; this is one of the few projects where target audience is citizen,” he said.
It is easy to be cynical about an awareness campaign, and I admit to being one of the cynics as I don’t often see anything apart from mild press coverage and those actions of the general public are unlikely to change overnight. However it takes some effort to involve every country in a continent and even if the main achievement is to get countries working together better, then this is a success.