
If Cybersecurity Awareness Month Isn’t Fun, You’re Doing It Wrong

Guard and gamify!
Erik Boemanns
Contributing CISO

In 2004, the President of the United States and Congress officially established October as Cybersecurity Awareness Month. The purpose is to increase the public dialogue around good cybersecurity and cyber hygiene, both in businesses and at home.

In 2023, the Cybersecurity & Infrastructure Security Agency (CISA) started its “Secure Our World” campaign to create a common education theme for the month.

It also provides many free resources to support activities within organizations.

As a result, many companies treat Cybersecurity Awareness Month as simply a convenient time to schedule their annual security awareness training.

Little additional effort goes into programs or activities to raise awareness.

And sadly, an annual security awareness program does little more than check a box on a compliance form. Watching videos and taking short tests with unrealistic examples do little to change the actual click-through rate on real phishing or other common cyberattacks.

Many security-conscious organizations are shifting to year-round awareness and training programs.

Lessons are shorter, more focused, and spread out throughout the year. They come in different formats, from webinars to emails or in-person town halls.

When security awareness is a continuous learning program, Cybersecurity Awareness Month can take on a new role: the culmination of a year’s worth of learning in a fun, diverse set of programs.

Beyond the Basics

This year’s “Secure Our World” program focuses on four key cyber hygiene practices:

  • Use Strong Passwords
  • Turn on Multifactor Authentication (MFA)
  • Recognize & Report Phishing
  • Update Software

As you’re reviewing what they provide and thinking about how to leverage it, consider going beyond the lunch-and-learn, Intranet post, or mass email.

You can make cybersecurity awareness more fun, and in turn, it becomes more effective training.

As you look at each of the four focus areas, consider creating unique activities and games to teach the principles. Gamification and creating opportunities for competition can help motivate people to participate. (Remember, not everyone enjoys competition, though, so have some options for them too.)

Here are some ideas for each of the focus areas.

Use Strong Passwords

The latest guidance from NIST suggests longer passwords are better than complex passwords.

Likewise, they’re more likely to be used safely by users. Techniques like Diceware can help people create long passwords that are easy to remember but hard to guess. But trying to fake Diceware (which relies on randomly selected words) by choosing your own words can lead to less secure passwords. They may be long, but they’re still guessable.
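To make the point concrete, here is an added example (not code from the article or from CISA) that does what the Diceware method does: it simulates five dice rolls with the operating system’s CSPRNG, maps a roll to a position in a 7776-word list, draws words uniformly at random, and computes the entropy that only a genuinely random draw earns. The word list below is a constructed stand-in for a real Diceware list and is far too small for actual use; the point of including it is that the entropy figure drops with list size, and that a human picking words gets no such guarantee at all.

```python
import math
import secrets

# Constructed, illustrative word list: a stand-in for a real Diceware list.
# A real list has 6**5 = 7776 entries, one per five-dice roll; this one is far too small to use.
SAMPLE_WORDS = [
    "apple", "bridge", "candle", "dragon", "engine", "forest",
    "garden", "hammer", "island", "jacket", "kettle", "lantern",
    "marble", "needle", "orange", "pepper", "quartz", "rocket",
    "saddle", "timber", "umbrella", "velvet", "walnut", "yellow",
    "zipper", "anchor", "button", "copper", "desert", "falcon",
    "glacier", "harbor", "ivory", "jungle", "kernel", "meadow",
]
DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words in a standard Diceware list


def diceware_index(roll: str) -> int:
    """Map a five-dice roll such as '31415' to its 0-based position in a 7776-word list.
    Each die is one base-6 digit (faces 1..6 become 0..5), first die most significant."""
    if len(roll) != 5 or any(c not in "123456" for c in roll):
        raise ValueError("roll must be exactly five characters, each 1-6")
    index = 0
    for digit in roll:
        index = index * 6 + (int(digit) - 1)
    return index


def roll_dice(count: int = 5) -> str:
    """Simulate physical dice with the OS CSPRNG (secrets, never the random module)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(count))


def generate_passphrase(wordlist, words: int = 6, sep: str = " ") -> str:
    """Draw `words` entries uniformly at random. secrets.choice gives every word equal odds,
    which is exactly the property a person 'faking' Diceware by picking words cannot provide."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(word_count: int, list_size: int) -> float:
    """Entropy of a passphrase drawn uniformly from list_size words: word_count * log2(list_size).
    Valid only for truly random selection; human-chosen words are worth far less than this."""
    return word_count * math.log2(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest number of random words from a list of list_size that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    roll = roll_dice()
    print(f"roll {roll} -> word #{diceware_index(roll)} of {DICEWARE_LIST_SIZE}")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
    for words in (4, 5, 6, 7):
        real = passphrase_entropy_bits(words, DICEWARE_LIST_SIZE)
        toy = passphrase_entropy_bits(words, len(SAMPLE_WORDS))
        print(f"{words} words: {real:5.1f} bits from a 7776-word list, {toy:5.1f} bits from this toy list")
    print("words for 80 bits from a real list:", words_needed(80, DICEWARE_LIST_SIZE))
```

Six words from a real 7776-word list give about 77.5 bits, seven give about 90; the same six words from the 36-word toy list give only about 31 bits, which is why the size and randomness of the source, not the length of the result, is what makes a passphrase strong.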


Make it Fun: Play a game where you have one team member go into an office. Their job is to make up a strong password by looking around and using objects in the room. Then, have a few other people go and see if they can figure out what the password might be, using the same methodology. The closest guess wins.

Even though it’s unlikely there will be an exact match, it’s a great reminder of why when we make up our own passwords, we create fairly guessable combinations.

Another contest might be to have a password-protected prize and hide the password somewhere in the office. It might be on a Post-it note on a monitor or a bulletin board. Virtual teams can hide it somewhere on the Intranet or in Teams or Slack.

It should be a reminder that hiding passwords is never a good password strategy.


These examples help remind people of the importance of strong passwords while demonstrating what happens when they are not strong. Be sure to share your organization’s policies on what you’re requiring for a strong password and whether you offer any password management solution.

Turn on MFA

Most organizations today have MFA enabled on their primary accounts, such as Google Workspace or Office 365. This can be an opportunity to remind people to make sure it’s on everywhere else possible as well – both work and personal.

It’s also good to offer up education around the different strengths of MFA options – from SMS codes, to apps, to push notifications. Each has its weaknesses, but some are worse than others.


Make it Fun: Teaching about MFA can be done as an extension to the games described above. For the password in the office example, add a requirement to win. Make them bring an undisclosed object out of the office. That way, it’s something they know (the password) and something they have (the object) needed to win.

Similarly, the hidden password could have another hidden object (perhaps a fingerprint) and they have to find the right one to win.


In addition to demonstrating how MFA works and the power it gives to protecting accounts, you should also include education about MFA fatigue. If your system uses push notifications, make sure people understand the methods you have in place for them to know when it’s real or a risk.

Education about why MFA works and how it is exploited only helps make your organization more aware of the risks and how to avoid them.

Recognize and Report Phishing

Many organizations will use Cybersecurity Awareness Month as an opportunity to perform phishing testing. If you’re doing this and also awareness training, then the testing is probably not as effective.

People will be hyper-aware, and it is a less realistic testing scenario.

There’s also some movement away from performing phishing testing, as it creates additional worker stress and can bear limited resemblance to real attacks.

A new trend is to send out educational phishing messages – capturing real attempts, rendering them safe, and then highlighting all the ways to recognize them as fake. Real examples are always more meaningful than fake “gift certificate” messages and telling people up front it’s a phishing message helps reduce the stress around the program. Be sure to include instructions on how to report the message as well!
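The “capture a real attempt and render it safe” step is where a practitioner needs tooling, so here is an added example (not the article’s own, and not any particular vendor’s method) that defangs a captured phishing message before it is forwarded as an educational sample: link schemes become `hxxp`/`hxxps`, dots in hostnames and sender domains become `[.]`, and `@` becomes `[at]`, so mail clients stop auto-linking them and nobody can click through by accident. It also pulls the live indicators out of the original so they can go to the team that blocks them and into the “how to report” instructions. The message, domain and link below are constructed for this example.

```python
import re

# Constructed sample message written for this example; the domain and link are invented.
SAMPLE_PHISH = (
    "From: support@examp1e-billing.com\n"
    "Subject: Your account is locked\n"
    "Verify your identity at https://examp1e-billing.com/verify?id=123 within 24 hours.\n"
    "Questions? Reply to help@examp1e-billing.com"
)

# Live links and addresses as they appear in a captured message.
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s<>\"']+", re.IGNORECASE)
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def defang_url(url: str) -> str:
    """Break a URL so mail clients and browsers no longer treat it as a link:
    http -> hxxp, ftp -> fxp, and every dot in the host becomes [.].
    The path and query are left readable so the training audience can still study them."""
    scheme, rest = url.split("://", 1)
    scheme = scheme.lower().replace("http", "hxxp").replace("ftp", "fxp")
    host, slash, tail = rest.partition("/")
    return f"{scheme}://{host.replace('.', '[.]')}{slash}{tail}"


def defang_email(address: str) -> str:
    """user@evil.example -> user[at]evil[.]example, so a reply cannot be sent by accident."""
    local, domain = address.rsplit("@", 1)
    return f"{local}[at]{domain.replace('.', '[.]')}"


def defang_message(text: str) -> str:
    """Defang URLs first (their hosts then contain [.] and no longer look like addresses),
    then the remaining e-mail addresses."""
    text = URL_RE.sub(lambda m: defang_url(m.group(0)), text)
    return EMAIL_RE.sub(lambda m: defang_email(m.group(0)), text)


def extract_indicators(text: str) -> dict:
    """Collect the live URLs and addresses from the ORIGINAL message, before defanging,
    for the blocklist and for the 'what to report' section of the write-up."""
    return {"urls": URL_RE.findall(text), "emails": EMAIL_RE.findall(text)}


if __name__ == "__main__":
    print("Indicators to hand to the security team:", extract_indicators(SAMPLE_PHISH))
    print("\nSafe copy to send as the educational sample:\n")
    print(defang_message(SAMPLE_PHISH))
```

Run `extract_indicators` on the original and `defang_message` on the copy you distribute; running the extractor over the defanged text should return nothing, which is a cheap check that no live link slipped through before the sample goes out.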


Make it Fun: For a fun exercise, buy some plastic fish and distribute them around the office. Find a way to mark most of them in a subtle, but findable, way. Then, have people “turn them in” and tell whether they are a “real” or “fake” message.

If they get it right, they’re entered into the competition for a prize. You can do this virtually as well, where your phishing testing is tied to rewards rather than punishments.


Update Software

Most large organizations handle keeping the software updated on company-owned equipment. Smaller organizations may need help from the team. Personal devices always need the individual to be responsible for updates. It’s important to remind people that any device on the same network as a company system needs to be updated.

You can use the LastPass hack as an example, where an engineer’s personal Plex server had an unpatched vulnerability leading to their unfortunate breach.

Personal devices and Internet of Things (IoT) devices (cameras, smart speakers, appliances) should all have automatic updates enabled. If a device is no longer supported, the best choice is to remove it from the network.

Any device on the same network can become an entry point for attackers to launch attacks against more protected systems.

By ensuring these devices are as up to date as possible, you help protect the whole environment.


Make it Fun: For a “craft-time” example of showing the importance of updating software, create a sheet with a picture on it. Cover it with another solid piece of paper to demonstrate how a fully patched system can keep anyone from knowing what the picture is.

Now, take a piece of paper with random holes cut in it. Covering the picture with the next piece of paper will begin to reveal the underlying picture. Keep swapping out the cover for one with more holes, until the first person or team guesses what the hidden picture is.

This exercise shows how “unpatched vulnerabilities” can lead to your company’s secrets being discovered.


Keep it Fun, Keep it Relevant

Creating a culture of cybersecurity awareness depends on having a message that interests your users. Focusing on boring aspects of compliance and security or treating it as a punishment is less effective than teaching the importance through more fun methods.

Having people who promote cybersecurity within departments and regions can help share the message. Providing a scoreboard for leaders to see how their teams are doing can appeal to their natural competitiveness; in turn, it helps them make sure they’re doing their part to encourage good practices.

Effective cybersecurity leans on people, process, and products.

All the best cybersecurity products in the world can be circumvented by a single person not recognizing a phishing attack or an account without MFA.

By leveraging the resources and opportunity of Cybersecurity Awareness Month and making it a fun, educational time for your team, you’re helping ensure the “people” part is as strong as possible.
