Every year in October, CISOs and their security programs get a little more attention, all thanks to Cybersecurity Awareness Month. This year will be the 22nd annual focus on educating about key cybersecurity principles.
Last year, we explored how to go beyond the traditional annual awareness training program and make good cybersecurity easier to learn by making it fun.
People learn through fun things far more effectively than lectures, especially when the lectures are on topics they don’t really care about.
This year, we’re continuing to find ways to make cybersecurity awareness fun by combining it with game night. Lots of people will enjoy playing some new games, and if you tie them back to important cybersecurity lessons, it’s a win for everyone!
Why do we even need to try something different? Is the tried-and-true video series we all use not working?
Unfortunately, the data suggests it’s not.
In 2025, we’ve seen phishing attacks increase from last year.
Business Email Compromise (BEC) caused $2.8 billion in reported losses, and the amount requested in BEC attacks in 2025 is double that of previous attacks (APWG).
While better than nothing, traditional security awareness training and phishing testing haven’t been proven to change people’s behavior when it really matters: when a well-designed phishing or social engineering attack hits at their most susceptible moment.
Also consider that the core focus areas of CISA’s official Cybersecurity Awareness Month haven’t changed in years.
Two of the most popular are:
- Use Strong Passwords
- Turn on MFA
If we had mastered either one of these principles, then we’d see something fall off the list and get replaced with a new one (how to recognize AI fraud, perhaps).
Yet, we’re still working on the basics at organizations large and small.
We still see websites with outdated password and authentication systems, and debates on whether phishing testing works (real-world evidence suggests it doesn’t).
So, perhaps it’s time to change how we play the game?
Use Strong Passwords
The days of eight-character passwords are decades behind us now.
Even if we replace the “i” with “1” and the “a” with “@,” these clever tricks for meeting website rules end up reducing password security.
Hackers know our patterns, and the rules themselves help them limit how many guesses they need to make.
NIST password guidance favors length over complexity.
As it turns out, five random words are more secure than requiring 8 letters, numbers, and special characters.
Twenty completely random characters generated by your computer are even more secure. And since we need a long, random password on every account we use, password managers are essential.
As you’re reviewing what they provide and thinking about how to leverage it, consider going beyond the lunch and learn, Intranet post, or mass email.
The latest guidance from NIST (SP 800-63B) “Strength of Passwords” is pretty clear that our old guidelines of requiring uppercase letters, lowercase letters, numbers, and special characters were not effective.
When users need to type and remember these passwords, the rules drive them to predictable patterns.
How many passwords have you had that follow the format “P@ssw0rd123!”?
It meets the requirements, but is also a natural way to remember how we came up with the “complexity” required. This is like the pound cake of passwords: a pound of butter, a pound of flour, a pound of sugar, and a pound of eggs.
Seems simple, but it doesn’t actually produce the results you wanted.
Instead, password guidance is now focused on the length of the password.
There’s no reason to put a limit on how long a user’s password can be; once they’re hashed, they’re all the same length. If someone wants to type a paragraph, they should be allowed.
Generally, a password length of 15 or more characters is the goal.
Ideally, these are still random characters, which is practical only because your users have an approved password management product to generate and remember them. For passwords that have to be remembered and typed (e.g. the password to get into the password vault), a passphrase is often the best choice.
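To make the length-over-complexity argument concrete, here is an added example (not from the article or NIST) that puts the old composition rule beside a length-first check in the spirit of SP 800-63B, compares the guessing entropy of the three schemes mentioned above, and shows why a maximum length is pointless once passwords are hashed. The blocklist and wordlist are small constructed stand-ins.

```python
import hashlib
import math
import secrets

# Legacy composition rule the article criticises: 8+ characters with upper, lower,
# digit and special character. "P@ssw0rd123!" sails through it.
def passes_legacy_complexity(pw: str) -> bool:
    return (len(pw) >= 8
            and any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))

# Constructed stand-in for a breached-password corpus (assumption: a real deployment
# screens against a large compromised-credential list, as SP 800-63B requires).
BLOCKLIST = {"password", "p@ssw0rd123!", "letmein", "qwerty123"}

def passes_nist_style(pw: str, min_len: int = 15, blocklist=BLOCKLIST) -> bool:
    """Length-first check: a minimum length (the article's 15-character goal),
    no maximum, no composition rules, and a rejection of known-compromised values."""
    return len(pw) >= min_len and pw.lower() not in blocklist

def entropy_bits(pool_size: int, picks: int) -> float:
    """Guessing entropy for `picks` independent uniform choices from `pool_size` symbols."""
    return picks * math.log2(pool_size)

# The three schemes the article compares: 8 random printable ASCII characters,
# five random words from a 7776-word (diceware-sized) list, and 20 random characters.
SCHEMES = {
    "8 random chars (94-symbol set)": entropy_bits(94, 8),     # ~52.4 bits
    "5 random words (7776-word list)": entropy_bits(7776, 5),  # ~64.6 bits
    "20 random chars (94-symbol set)": entropy_bits(94, 20),   # ~131.1 bits
}

# Tiny constructed wordlist; a real passphrase generator draws from the full list.
WORDS = ["anchor", "basket", "cactus", "dolphin", "ember", "falcon", "garnet", "harbor"]

def generate_passphrase(n_words: int = 5, words=WORDS) -> str:
    return " ".join(secrets.choice(words) for _ in range(n_words))

def digest_length(pw: str) -> int:
    """Every input hashes to the same output size, so a maximum length buys nothing.
    SHA-256 is used only to show this; store passwords with a slow KDF (Argon2, bcrypt)."""
    return len(hashlib.sha256(pw.encode("utf-8")).hexdigest())

if __name__ == "__main__":
    for pw in ("P@ssw0rd123!", "correct horse battery staple zebra"):
        print(f"{pw!r}: legacy={passes_legacy_complexity(pw)} nist={passes_nist_style(pw)}")
    for name, bits in SCHEMES.items():
        print(f"{name}: {bits:.1f} bits")
    print(digest_length("short"), digest_length("a whole paragraph " * 20))
```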
Game Time
Ready to have some fun while learning about strong passwords? Look no further than the classic board game Password.
This board game is based on the original game show from the 1960s. It’s a team-based game, where one person knows the password, and tries to help their teammate guess it using one-word clues. If their teammate doesn’t get it, the other team gets a chance to “steal” the points.
In the game, the password is always a single word.
Make It Interesting: Sneak in a 20-character randomly generated password. Or, want to see why the “special characters” don’t really work? Change the game’s word using typical website password rules, and see just how close people guess the right way to put the uppercase, lowercase, numbers, and special characters in their guesses.
Turn on MFA
Multifactor authentication (MFA) traditionally meant having at least two ways to prove your identity out of a list of three:
- Something you know
- Something you have
- Something you are
For most systems, this quickly became a password (something you know) and a text message sent to your phone (something you have).
As text messages were later recognized as weak from a security perspective, we moved to Authenticator apps, which also used your phone’s biometric features (something you are).
Now, as we move to a “passwordless” future, we rely on the “something you have” and “something you are” to eliminate the need to “know” anything. Behind the scenes, these authentication providers also have added “somewhere you are,” “how you behave,” and other heuristic-based factors to enhance the classic “factors.”
Combining these new techniques with the traditional three makes for a significantly higher chance that it’s really you logging into a system.
Pretty much every business using a cloud service has MFA enabled on its primary accounts.
The major cloud accounts have mostly made it mandatory, and so did your cyber insurance application. But, we still find plenty of secondary accounts and personal accounts that aren’t using MFA.
Often this includes older services that don’t support it or lean on email validation as a “pseudo-MFA” approach.
Even in 2025, the call to turn on MFA is still needed.
Push factor notifications are effectively the only secure option for MFA at this point in history.
- Text messages have never been inherently secure, and only made less so when we set up our computers, phones, watches, and tablets to receive our messages. It’s easy to forget all the places our messages end up, so ending up in the wrong hands is a likely outcome. Fake login pages can also just ask for the number, whether sent by text or by an app, and immediately use it for an account takeover.
- Push notifications, on the other hand, can only be generated by your actual login page. By including the “number matching,” they can establish high confidence that you’re on a real login page and that you have your phone in your hand.
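The property the number-matching bullet relies on is that a prompt is bound to one login session created by the real login page, shown once, and consumed after a single answer. The following is an added illustrative sketch of that server-side logic (not any vendor’s implementation); the session ids and clock values are constructed.

```python
import secrets
from dataclasses import dataclass

@dataclass
class PushChallenge:
    session_id: str   # the login session that triggered the prompt
    number: int       # two-digit number displayed on the real login page
    created: float    # issue time (seconds); caller supplies the clock
    ttl: float = 60.0 # prompt validity window

class PushVerifier:
    """Server side of push MFA with number matching (illustrative design)."""
    def __init__(self):
        self._pending: dict[str, PushChallenge] = {}

    def issue(self, session_id: str, now: float) -> PushChallenge:
        # Only the genuine login flow can create a challenge; the number it
        # returns is what the real page shows the user to type into the app.
        ch = PushChallenge(session_id, secrets.randbelow(100), now)
        self._pending[session_id] = ch
        return ch

    def approve(self, session_id: str, typed_number: int, now: float) -> bool:
        # One answer per prompt: pop it so a wrong guess cannot be retried and an
        # already-approved prompt cannot be replayed.
        ch = self._pending.pop(session_id, None)
        if ch is None:
            return False  # nothing outstanding: unsolicited or replayed approval
        if now - ch.created > ch.ttl:
            return False  # stale prompt; force a fresh login attempt
        return secrets.compare_digest(f"{typed_number:02d}", f"{ch.number:02d}")

if __name__ == "__main__":
    v = PushVerifier()
    ch = v.issue("login-session-1", now=1000.0)
    print("user typed the displayed number:", v.approve("login-session-1", ch.number, 1005.0))
    print("same prompt approved again:", v.approve("login-session-1", ch.number, 1006.0))
```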
Game Time
Ready to help people understand the power of good multi-factor authentication? Grab any mystery game, from Clue to one of the popular crime investigation games available now.
It turns out MFA is just a “who-dun-it” in reverse.
When we investigate a crime, we think of means, motive, and opportunity. We’re trying to use clues to figure out if a suspect could have committed the crime.
With MFA, we’re doing the same thing, but to figure out if it’s really you logging in, using many of the same clues to verify identity:
- Fingerprints on your phone
- Location (based on your cellphone)
- The type of information you’re accessing (your motive)
If a login attempt doesn’t have the right means (your password and phone), motive (you have an approved business reason to access the information), and opportunity (you’re doing it when we expect you to do it), then we’re going to reject your login attempt!
Then, we can pursue the real criminal who tried to impersonate you.
Everyone Wins
At the end of game night, everyone wins.
Some because they won the game, others because they enjoyed playing. And, if you combine some cybersecurity awareness, the entire company wins too!
By connecting important cybersecurity concepts to fun activities, people are more likely to understand the importance and replicate these actions later.
And that’s a play that keeps on winning!
If you’re looking for more games, keep an eye out for my phishing and patching game ideas later this month!
Trusted insights for technology leaders
Our readers are CIOs, CTOs, and senior IT executives who rely on The National CIO Review for smart, curated takes on the trends shaping the enterprise, from GenAI to cybersecurity and beyond.