Cybersecurity Awareness: How to drive it across the whole year

Ever hear the slogan “A dog is for life, not just for Christmas?” It was created by the Dog’s Trust, a UK-based charity, to bring attention to the permanent commitment a four-legged friend needs. Likewise, although October is Cybersecurity Awareness Month, creating a cybersecurity culture in your organization is more than just a one-month event — if you’ll pardon the pun, it requires just as much dogged commitment.

Sure, it’s great to have a cybersecurity focus in October with everything that brings: special events and webinars held by industry experts, and a whole host of posting about proper password protections on social media. But once the month ends, then what? 

In this article, I’ll provide a yearly checklist of cybersecurity awareness activities you can run post-October so you can create a true cybersecurity culture in your organization.

What to do immediately after Cybersecurity Awareness Month

1. Do a post-mortem survey

The very first thing you should do after cybersecurity month is over is to ask your colleagues “What would you like to know more about?” Conduct a survey and ask them what worked, what didn’t, and most importantly what people would like to learn. You may be surprised by the new demand there may be for skills, knowledge, and internal change from your awareness activities. Without a swift follow-up to these, you can lose momentum.

2. Capitalize on people’s desire to upskill

I’ve often found in the wake of Cybersecurity Awareness month, colleagues in non-IT departments want more in-depth training in areas relevant to them. For example, a finance team may want to understand more about Business Email Compromise (BEC) attacks and what processes they could put in place to make themselves more resilient. Take this as an opportunity to make sure increased awareness translates into improved security behaviors.

3. Make your awareness schedule for the next twelve months (and tell people how to action what they learn)

As stated earlier, having a year-long security awareness campaign is a laudable goal. Even though half of all people are adhering to the five core security behaviors, there’s still lots of room for improvement, according to this year’s Cybersecurity Attitudes and Behaviors report from the National Cybersecurity Alliance and CybSafe.

Note that just driving awareness isn’t enough. A common complaint about awareness training is it tends to be theoretical and scary, rather than providing practical steps on how people can actually improve their security behaviors. You should make sure to provide people with actionable steps as part of any awareness training.

One way to do this is to make it more relevant to them. Most people become more engaged when you talk about cybersecurity at home and for their families. Thankfully, all the same security behaviors that protect them at home also help protect our organizations. My advice is to focus on teaching them the practical things that people and their families can do, and how that in turn can be applied in the work environment. 

Annual cybersecurity awareness plan template

Note that this plan has been designed for organizations in the northern hemisphere. If your Summer holidays are in January, feel free to adjust the suggestions to fit in with what your colleagues are likely to be thinking about that month! 

November to December

The end of the year is filled with “too good to be true” shopping deals and dodgy merchants trying to capitalize on the holiday season. Warning people about these threats can help keep their cyber-cautions engaged. Encourage them to remember to check their email for phishing and to think about the veracity of websites. 

January to February

For the United States, Canada, and most European countries, the start of the year coincides with the kickoff of tax season. That means it’s a great time to warn people about the different kinds of tax scams, impersonation, refunds and general tax-related phishing.

This will help reinforce good security behaviors like checking for all the ‘shings’: phishing, smishing, and vishing. In regions where tax jurisdictions allow people to protect their tax accounts with PINs and passwords, this training can encourage the behaviors of choosing strong credentials and avoiding credential reuse. 

March to April

March is a year when many people are thinking about their holiday planning as they escape the lingering winter chill in many regions (or want to chase it with a ski holiday). It’s also a time many schools have a spring break, so families are seizing on this window to plan vacations.

During this month, it’s a great time to drive awareness about common holiday rental and hotel scams. This helps reinforce the security behavior of validating the provenance of a website, and reminding colleagues that just because it’s on a website, it doesn’t mean that you can trust it!

May to June

May is the end of spring — a perfect time to tidy up and encourage people to “spring clean” their passwords. Research shows many people have more than ten sensitive passwords, so take the opportunity to remind colleagues to check they are deploying proper security behaviors for these accounts. They can do this by:

• Upgrading from passwords to passphrases

• Making sure each one is unique

• Using a site to check if their email has been used in a data breach (Such as using Pluralsight author Troy Hunt’s Have I Been Pwned website)

• Enabling MFA (if the website or app provides it)

July to August

As the summer holiday season starts, focus on informing people about the importance of device updates. You can work in the (admittedly cheesy) metaphor that devices need rejuvenation as much as people do after working hard, and they can provide that with a software update.

Many people have IoT devices in their homes now, so you can tie this into how they should update their cameras and lights to protect their homes while they are away. The focus should be on ensuring device software is updated, ideally automatically, but you can also emphasize the behavior of changing device default passwords.

It’s also a good idea to talk about work devices here. Explain to them why it’s also vital for work devices to be updated, and highlight the relevant security behaviors that you expect, such as not delaying updates. 

September

For September, turn your focus on emphasizing one of lower-priority security behaviors: backing up your crucial data. Ask your colleagues to think about all the pictures they’ve taken at family events over the past year – and how they would feel if something happened to those pictures! 

The security behavior to highlight this month is making sure things your colleagues care about are backed up, and how incredibly easy it is now to implement cloud backup. Here, you can contrast systems at work which are routinely backed up, and colleagues’ systems at home, which may not be. 

October

We’re back to Cybersecurity Awareness month again! Capitalize on all the noise this month brings, and start planning for your next year of ongoing cybersecurity awareness campaigns. When you’re planning your program, remember that Pluralsight has some great content and authors who can add variety to your plans — you don’t need to come up with all your material and training from scratch.

Remember: Cybersecurity Awareness is not just for your colleagues

When you’re drafting your annual awareness program, it’s key to remember there are two communities other than your colleagues to consider: directors or non-executive management, and the supply chain.

Non-executive management

This demographic is often excluded from awareness programs. There are many reasons why this happens, some of which may be historical, or just stem from a reluctance to “bother” them. Both of these are mistakes!

Make sure to include them  in your awareness activities because regulators are increasingly expecting a high degree of cybersecurity knowledge from non-executive management. It’s also a great idea to ask if you can briefly attend one of their meetings to ask what cybersecurity education they would like.

Your supply chain

It might seem odd to include your third-party supply-chain in your cybersecurity awareness thinking, but it’s an increasing trend. Where organizations want to work with smaller suppliers who may not have the required level of cybersecurity maturity, organizations are asking questions like:

• What can the awareness team deliver alongside the traditional third-party risk management program? 

• Could the organization’s awareness training be shared with the supplier so they can raise the level of security behaviors in their workforce? 

• At an organizational level, could the supplier take advantage of the material provided by the Cyber Readiness Institute or the Global Cyber Alliance?

Conclusion: Turn cybersecurity awareness into action all year round

At the end of the day, there’s two key lessons here: make your awareness activities relevant and actionable to your audience, and don’t perform your campaigns in small annual windows. By using the template above and adapting it to your needs, you can start driving great security behaviors across your organization and truly create a cybersecurity culture, lessening risk across the board.

In other words: “Cybersecurity is for life, not just for Cybersecurity Awareness Month.”

Further learning resources

Looking for courses to help empower your entire organization against rising cybersecurity threats? Pluralsight offers a wide range of beginner, intermediate, and advanced cybersecurity courses to empower you and your teams. You can sign up for a 10-day free trial with no commitments. Here are some courses worth checking out to get you started:

• Cyber Security: Executive Briefing
• Cyber Security Essentials: Your Role in Protecting the Company