Making Cybersecurity Awareness Month Fun: Game Night Edition Pt. 2

Go phish!
Erik Boemanns
Contributing CISO

Every year in October, CISOs and their security programs get a little more attention, all thanks to Cybersecurity Awareness Month. This year will be the 22nd annual focus on educating about key cybersecurity principles.

Last year, we explored how to go beyond the traditional annual awareness training program and make good cybersecurity easier to learn by making it fun.

People learn through fun things far more effectively than lectures, especially when the lectures are on topics they don’t really care about.

This year, we’re continuing to find ways to make cybersecurity awareness fun by combining it with game night. Lots of people will enjoy playing some new games, and if you tie them back to important cybersecurity lessons, it’s a win for everyone!

Why do we even need to try something different? Is the tried-and-true video series we all use not working?

Unfortunately, the data suggests it’s not.

In 2025, we’ve seen phishing attacks increase from last year.

Business Email Compromise (BEC) caused $2.8 billion in reported losses, and the amount requested in BEC attacks in 2025 is double that of previous attacks (APWG).

While better than nothing, traditional security awareness training and phishing testing haven’t been proven to change people’s behavior when it really matters: when a well-designed phishing or social engineering attack hits at their most susceptible moment.

Also consider that the core focus areas of CISA’s official Cybersecurity Awareness Month haven’t changed in years.

Two of the most popular are:

  • Recognize and Report Phishing
  • Update Software

If we had mastered either one of these principles, then we’d see something fall off the list and get replaced with a new one (how to recognize AI fraud, perhaps).

Yet, we’re still working on the basics at organizations large and small.

We still see websites with outdated password and authentication systems, and debates on whether phishing testing works (real-world evidence suggests it doesn’t).

So, perhaps it’s time to change how we play the game?

Recognize and Report Phishing

The days of eight-character passwords are decades behind us now.

I’m getting on a plane and can’t call you, but can you send me $100 of gift cards right away? I’ll send you the email address where I need them sent (I can’t log in to my work right now).

Of course, you recognize this as a phishing attempt in today’s world.

The busy CEO who needs gift cards urgently has someone else who can go purchase them. You haven’t been selected at random out of a company of 1,000 people for this urgent request. And, recognizing it as the phishing it is, you hit delete and go on about your day. And then you do the same for the next twenty phishing messages that land in your inbox.

Unfortunately, you don’t realize the same message was sent to twenty other co-workers.

One of them, pressed to meet an urgent deadline of their own and also at home helping a sick child, is more distracted when the message comes in and goes ahead and clicks the link. They try to log into the company portal that opens up, and when they get an error saying “try again later,” think nothing of it, close their window, and go back to their original tasks.

Meanwhile, their stolen credentials are used to add an additional MFA device to their account, and the attacker, acting as an initial access broker, can sell the validated credentials on the market for later use to cause the company harm.

And with modern phishing tactics, accelerated by large language models (LLMs), it’s becoming common for people to not even remember when they got phished. So while there are 100 obvious fakes you do recognize and report, there’s another one hiding among them, designed to trick even you.

Employees are the frontline of defense against these messages, and by reporting these messages, you are doing your part to ensure the security of the entire company.

Game Time

There’s nothing easier to play while talking about phishing than Go Fish.

This game, taught at school age, is all about asking someone if they have something you want and, if they do, having them hand it over.

It’s like a business email compromise with a deck of cards. The email says “Got money? Give it to me!” and if you recognize it’s fake, you can say “Go Phish!” with your report phishing button.

Make It Interesting: Need something more sophisticated but still on theme? Try out “Hey, That’s My Fish”, a family-friendly game that combines the strategy of not only collecting as many fish for yourself as possible, but blocking your opponents, too. It’s almost like what your security team is doing to the phishers.

Update Software

Most know by now that Windows 10’s “end of life” or “EOL” was on October 14, 2025. When Microsoft announces an EOL date for its products, it doesn’t mean it will just stop working on that date. Instead, it means they’ll no longer be releasing any updates to the software.

For the average user, this includes security updates. If bad actors or security researchers discover a vulnerability, Microsoft doesn’t have to do anything about it.

Not only does that make Windows 10 more vulnerable to attacks, it can make a company immediately non-compliant with its own security policies.

  • For example: PCI-DSS (Payment Card Industry Data Security Standard) 6.3.3 requires security patches be applied to known vulnerabilities. Do you have Windows 10 devices in scope for your PCI program? You’ll quickly be out of compliance.

And it’s not just Windows 10: all the software we run our businesses on has vulnerabilities. Those vendors release patches that we then need to install.

The risk is real; many well-known breaches were enabled by unpatched software, including Equifax’s famous one. Updating software remains on the list of awareness topics for this reason.

While automatic updates have helped reduce this risk, we also often turn them off in production systems to reduce the risk of a patch breaking the system (see CrowdStrike 2024). Finding the right patching schedule, through risk-based prioritization, is a critical part of good cyber hygiene.

Patching too fast can be as risky as not patching at all, but not patching will help you fail an audit later.
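As an added illustration (not from the article), a small risk-based patch prioritization in Python: it orders open findings by a constructed weighting of severity, exposure, PCI scope and age, and separates hosts whose OS is past vendor EOL, which cannot be patched at all. The weights, host names and inventory are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed example data. The EOL date is the Windows 10 date the article
# cites; pci_scope models the PCI-DSS 6.3.3 concern the article raises.
EOL_DATES = {"Windows 10": date(2025, 10, 14)}

@dataclass
class Finding:
    host: str
    os_name: str
    severity: float        # 0-10, CVSS-style base score (constructed)
    internet_facing: bool
    pci_scope: bool
    days_open: int         # days since the vendor released the patch

def risk_score(f: Finding) -> float:
    """Severity first, then exposure, then compliance scope, then age."""
    score = f.severity * 10
    if f.internet_facing:
        score += 40
    if f.pci_scope:
        score += 20
    score += min(f.days_open, 60)   # aging pressure caps at 60 days
    return score

def is_unsupported(f: Finding, today: date) -> bool:
    """True when the OS is past vendor EOL, so no patch will ever ship."""
    eol = EOL_DATES.get(f.os_name)
    return eol is not None and today > eol

def prioritize(findings, today_iso: str):
    """Return (patch_queue, unpatchable). The queue is ordered by descending
    risk for maintenance windows; unpatchable hosts need replacement or
    isolation and are an immediate compliance finding if in PCI scope."""
    today = date.fromisoformat(today_iso)
    queue = sorted((f for f in findings if not is_unsupported(f, today)),
                   key=risk_score, reverse=True)
    unpatchable = [f for f in findings if is_unsupported(f, today)]
    return queue, unpatchable

def sample_findings():
    # Constructed inventory of four hosts with one open finding each.
    return [
        Finding("web01", "Windows Server 2022", 9.8, True, False, 10),
        Finding("pos02", "Windows 10", 7.5, False, True, 40),
        Finding("db03", "Linux", 6.5, False, True, 120),
        Finding("hr04", "Linux", 5.0, False, False, 10),
    ]
```

Calling `prioritize(sample_findings(), "2025-11-01")` puts the internet-facing critical first, the long-overdue PCI database second, and reports the Windows 10 point-of-sale host as unpatchable after the EOL date.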

Game Time

Ready to learn the importance of a well-patched system? Grab your favorite towering wood block game: Jenga.

If you haven’t played, each player takes a turn removing a block from the tower. If it falls after you take your turn, you lose!

What does a falling tower of blocks have to do with cybersecurity?

Think of each block as a discovered vulnerability. When the tower is whole, it’s like a nice, well-patched system. Each block removed is a missing patch. When enough patches are missing, the tower falls, and your system is breached.

A modern computer system is very similar to a Jenga tower.

It’s held together by the strength of its components. Once those individual components are weakened, the entire structure is unstable.

Patching is necessary to keep the whole system strong and held together.

Everyone Wins

At the end of game night, everyone wins.

Some because they won the game, others because they enjoyed playing. And, if you combine some cybersecurity awareness, the entire company wins too!

By connecting important cybersecurity concepts to fun activities, people are more likely to understand the importance and replicate these actions later.

And that’s a play that keeps on winning!
