Marketing dulls Cybersecurity Awareness Month's impact
- Sam Sabin, author of Axios Codebook

Cybersecurity Awareness Month’s educational impact could be getting drowned out by companies cranking up their marketing volume.
The big picture: Every October, the Cybersecurity and Infrastructure Security Agency and the National Cybersecurity Alliance host Cybersecurity Awareness Month to educate individuals about basic cyber hygiene practices and encourage security professionals to re-evaluate their organizations' cyber strategies.
- For the government, this month means social media campaigns and White House meetings, including one focused on ransomware and another on the security of Internet of Things devices.
- In the private sector, IT security teams launch awareness campaigns for their employees, and companies host events about the threat landscape.
But many cybersecurity vendors have overrun the month with sales pitches for their own products, making it difficult for government and nonprofit-run awareness campaigns to get traction.
- "It’s almost become a scenario where if you’re not doing messaging, you’re the one left out," says Brandon Pugh, policy counsel on the R Street Institute's cyber team. "If you’re not planning an event, you’re not writing an article on it, you’re not trying to sell a product around October, people are wondering why you’re not."
Several companies — including Norton and Trend Micro — published Cybersecurity Awareness Month blog posts on initiatives launching this month. However, many of them plugged their own products at the end.
- IT management software company Kaseya published a blog post right before the month started titled, "How to Win More Business During Cybersecurity Awareness Month."
- Multiple companies have also used social media to bring awareness to their products while mentioning the initiative.
Between the lines: Cybersecurity Awareness Month still has plenty of room to better cut through the noise, experts tell Axios.
- Oz Alashe, founder and CEO of CybSafe, tells Axios a lot of security professionals struggle to simplify their messages and get everyday people engaged in cyber — especially after years of vendors, IT staffs and others telling them to use tough passwords and not click on malicious links.
- One way companies can combat that fatigue is to focus on just three lessons they want to teach people during the month, says Lance Spitzner, director of the SANS Institute's security awareness team. "Try to make those three things as simple as possible," he says.
- Governments and organizations shouldn't be afraid to advance their education beyond the basics, Alashe adds, especially as more people become aware of tools like multifactor authentication and best password practices.
The intrigue: Despite the marketing noise, consultants who advise companies to establish their own cyber awareness and training programs say having a dedicated month-long campaign actually does help.
- Alashe says he's seen C-suite executives be more inclined to spearhead company cybersecurity initiatives in October.
- Pugh says that when he was on a local school board in New Jersey, the board often used Cybersecurity Awareness Month as a time to focus on its cybersecurity priorities.
Yes, but: Measuring Cybersecurity Awareness Month's effectiveness depends on who people say the campaign's target audience is.
- "What I can't work out is if people feel generally bombarded," Alashe says. "If you're not in the security space, maybe, actually, you're not paying attention as much as we are because it's not your everyday life."