Make Cybersecurity Awareness a Daily Habit—Not Just an October Initiative

October 28, 2025
Discover actionable cybersecurity awareness tips and best practices to strengthen workforce security during Cybersecurity Awareness Month and beyond.

Small, medium, and large organizations across all sectors and industries need to educate their staff, contractors, and vendors (i.e., the workforce) on cybersecurity best practices. This article focuses on practical tips and best practices for your organization, whether it’s during Cybersecurity Awareness Month in October or beyond. Everyone with trusted physical or virtual access needs to have a robust knowledge base of cybersecurity best practices so that they can incorporate these into their roles.



Security Awareness Tips for the Workforce


1. Invest in multi-factor authentication (MFA)

Phishing-resistant MFA or robust passwordless authentication (FIDO2) should be implemented and used wherever possible. MFA significantly reduces the risk of unauthorized access. Organizations should make certain to enable phishing-resistant MFA (or a robust equivalent) across accounts. If an account does not use or support phishing-resistant MFA or a robust equivalent, then a complex, unique, long, and strong password should be used (assuming that the password can be changed and is not hardcoded). Not all MFA is equally robust: MFA is only as strong as the factors used. SMS, voice calls, and one-time passwords are weaker factors.

2. Protect sensitive information and encrypt data and files

Be sure to inventory the various types of sensitive information your organization has, where it is, who has access to it, where it flows, and where it goes. Sensitive information can include personal data, personally identifiable information (PII), intellectual property, confidential information, and other types of information that the organization needs to protect. Ensure that appropriate administrative, technical, and physical controls safeguard the information. Encrypt the information whether it is in transit, at rest, or archived. Be sure to follow the organization’s data retention and data destruction policies and procedures.

3. Educate employees on social engineering tactics

Social engineering is growing in sophistication and volume. Situational awareness is key to combating phishing attempts and other social engineering tactics. If a phishing attempt, scam, or other fraudulent activity is suspected, the appropriate point of contact at the organization needs to know about it. An educated and informed workforce is a strong and resilient workforce. Teaching the workforce about the psychology of social engineering, from both the attacker’s and the recipient’s perspective, may give them the tools they need to avoid becoming victims of social engineering attacks. Think before you click.

Encourage the workforce to report phishing and other social engineering attempts. The more the organization knows about these attempts, the better prepared it can be with its defenses and awareness education for the workforce. Consider sharing real examples (redacted as necessary) of social engineering attempts.

4. Beware of insider threats

If you notice unusual activity or behavior by someone, report it. This can make a difference. Insider threats may originate with any individual who has trusted physical or virtual access to the organization. Insider threat activity may happen due to carelessness, human error, or a lack of knowledge. Encourage individuals to speak up if something does not seem right. Ensure that everyone knows how and where to report concerns. Insider threat activity can cause harm over time, so it is best to report it early and not let it fester.

5. Perform regular security updates

Ensure that systems, networks, and devices are regularly updated as recommended or required by the organization. Do not delay updates. Delayed updates may increase the window of opportunity for potential compromise by cyber-adversaries.


How to Improve Your Security Awareness Program


1. Make cybersecurity a top priority

Make sure that cybersecurity is a priority for the organization. Executives should remove barriers to adding people and funding to the team. The appropriate tools, technology, infrastructure, and people are necessary for a robust cybersecurity program—and an effective awareness program.

2. Identify security champions

Designate at least one security champion for each department, and ensure there is an overall security champion at each facility. Make sure that they are helping others be safe and secure in their practices. Enlist their help to spread security awareness messages and education throughout their respective departments and facilities. Have them act as the organization’s eyes and ears for cybersecurity.

3. Leverage micro-learnings

Small, incremental learning can be more effective than extended learning when it comes to security awareness. Ensure that micro-learnings (such as those under a minute) are leveraged as much as possible. Regular, more frequent micro-learnings may be more effective than a single long training session once a year.

4. Educate and align vendors, contractors, and other stakeholders

Use security awareness training to set expectations and standards around security practices at the organization. Ensure that vendors, contractors, and others adhere to the organization’s policies.

5. Be creative and fun with cybersecurity training

There are many effective off-the-shelf security awareness programs. A better security posture can be achieved with creative, fun, and challenging security awareness exercises. Whether it is a competition, a game, or recognition, the workforce should feel that there is value and that participation is rewarding. Use creative solutions to gamify and engage the workforce (e.g., a board game or competitions between departments). Create novel but realistic story lines and have people play out how they might respond in certain situations. These tabletop scenarios can become a group learning experience. But, most of all, remember to start with the “why” of security awareness—why do we want a program? What do we want to achieve? Then design the program to accomplish those goals.

For the security awareness program, start with five tips to share with the workforce and third-party partners (e.g., staff, vendors, and others). Reinforce these tips with micro-learnings. Be creative and incentivize participation. Listen to feedback. Draw inspiration from actual events that occur at the organization or that may have happened to peers. Awareness should occur every day, year-round—not just during the month of October.


Gain access to the 2025 Security Organizational Design Benchmark Snapshot Report. This snapshot report on Fortune-500-size security organizational design is a preview of the full 2025 Security Organizational Design Benchmark Report, which helps CISOs refine their cybersecurity organizations by showing how top Fortune 500, large, and midsize companies structure security teams, allocate budgets for staffing, and set compensation levels for various management and individual contributor roles. It includes insights on team design, leadership positions, and pay ranges broken out by three distinct revenue and staffing clusters. Contact us now to request the full report.

You can also download our 2025 Security Software and Services Benchmark Report—and gain access to valuable insights and practical strategies for managing vendors and MSSPs, especially during periods of budget constraints.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
