8 Tips for a Secure Cybersecurity Awareness Month

Check out our eight tips designed to be shared with employees as part of National Cybersecurity Awareness Month 2019, plus advice for awareness managers!

National Cybersecurity Awareness Month is the perfect time to think holistically about security awareness. Here are eight tips touching on eight key cyber risks to share with employees and colleagues.

National Cybersecurity Awareness Month (NCSAM) is well underway! Are you sick of cybersecurity advice yet?

We certainly hope not! A cybersecure workforce does not come from a one-and-done approach to teaching security best practices.

Held every October, Cybersecurity Awareness Month is a great time to enhance your employees’ security knowledge and skills and get the resources you need to stay safe and secure online and prevent cyberattacks.

The theme for NCSAM 2019 is “Own It. Secure. It. Protect It.,” which is designed to encourage personal accountability and proactive behavior in digital privacy, cybersecurity best practices, and common cyber threats.

  • OWN IT means to understand your digital profile and the devices and applications you use every day in order to help keep you and your information safe and secure.
  • SECURE IT means to secure your digital profile and apply additional layers of security to your devices to better protect your personal information.
  • PROTECT IT means to maintain your digital profile by routinely checking your privacy settings.

We hope our eight tips below serve as fodder to help IT professionals and security awareness managers stress the importance of a strong cybersecurity posture at their organizations, this Cybersecurity Awareness Month and beyond. We’ve also included advice for awareness managers for building content focus on these risks into their training initiatives.

Looking for more ideas to promote NCSAM? Check out our free security awareness campaign-in-a-box!

1. Practice Consistent Incident Reporting

An organization that fosters a culture of incident reporting is a more secure one. That’s why protecting your organization’s data and privacy should be a priority for each and every employee in your organization. In other words, it needs to be monitored.

Whether it’s a cyberattack, phishing scam, or data breach, all incidents should be reported. Even if the incident turns out to be a false alarm, it’s always better safe than sorry when it comes to security.

In August of 2018, we surveyed 1,024 U.S. employees to test their cybersecurity and data privacy know-how. What we found was that one-fifth of employees did not report a variety of theoretical risks to security and private data when they should have. These risks include unsecured personnel files, unsecured confidential product information, and potentially infected computers.

How to Take Action?

OWN IT. Emphasize the importance of reporting any and all potential security and privacy incidents to the right authority or department, even if it may be a false alarm.

For awareness managers, Include real-life examples of reportable incidents into employee training, in addition to information about company policies.

2. Know How to Identify Personal Information

If compromised, personally identifiable information can threaten your company or the individual at risk. PII includes any private or personal data that can be linked to an individual, such as names, birth dates, addresses, social security or personal identification numbers, financial information and more.

If personal information is not handled correctly, it can lead to fines, revenue loss, and irreparable corporate reputational damage — all the things you want to avoid.

How to Take Action?

PROTECT IT. When working with personal information, it’s important to consider the real-world consequences if that data were compromised. Internalize your company’s data privacy and policies and report all potentially exposed private and personal data when you see it.

For awareness training, connect the facts and figures found in the personal information your company may handle to the tangible, real-world consequences the compromise of such data would lead to.

3. Recognize Malware Warning Signs

A fact of life in the internet age is the greater vulnerability of companies to hackers and viruses. That’s why it’s even more important to recognize whether your (password-protected) systems are under threat from malicious software.

Delays in reporting potential clues or incidents of malware infection can be costly. In fact, industry research consistently finds that malware can sit undiscovered on a company network for weeks, even months. One of the best early warning systems is a sharp-eyed employee population.

How to Take Action?

SECURE IT. Take all necessary steps to secure your company’s data and privacy and keep an eye out for signs of malware, like pop-ups, blue screens, and system slowdowns. Regular software updates will keep malware off your work and home computers, so stay up-to-date, because even minor, unexpected computer behaviors can be signs of malware infection.

For awareness managers, make clear that even seemingly minor unexpected computer behaviors could be signs of malware infection. Include discrete steps to take if malware is suspected, and drive home the importance of regular software updates.

4. Invest in Both Physical and Cybersecurity

Security threats can come in all shapes and sizes, and they aren’t just limited to cyberspace. In addition to cybersecurity, it’s important to also think about physical security. That means even an unexpected delivery or a friendly looking stranger trying to access your office should be addressed with caution.

How to Take Action?

PROTECT IT. Always be aware and on guard for suspicious actions wherever you encounter them. Asking for independent verification is one way you can invest in both physical and cybersecurity in your organization. Never give an unauthorized person access to your work environment, an only allow outsiders entry through approved methods, such as being accompanied by authorized personnel at all times.

As part of security awareness training on this topic, describe what’s at stake in terms of both company and personnel well-being if an unauthorized person were given access to your work environment.

5. Practice Safe and Acceptable Uses of Social Media

Posting on social media has become an hourly occurrence in today’s digital world. This makes it even more important to practice safe and acceptable uses of social media in order to protect private company information and data.

Statista reports that an estimated 247 million (nearly 79%) of people are using social media in the United States in 2019. This number is forecasted to exceed 257 million by 2023.

On social media, anything and everything can be shared to millions by the click of a button, which means the chances of sharing private or sensitive company information such as sensitive data or intellectual property, increases significantly.

How to Take Action?

OWN IT. It’s time to take full responsibility for what you share and whom you share it with. Follow your employer’s guidelines on what you can and cannot post about the company on social media and use it cautiously. According to our annual State of Privacy and Security Awareness report, 26% of employees made poor decisions involving the secure use of social-media. Our advice? If you need to think twice about whether you should share company happenings on your Facebook, don’t!

For awareness managers, it’s important to present both the good and bad uses of social-media and include real-life examples your employees can and cannot post.

6. Enable Secure Cloud Computing

Personal cloud storage tools, no matter how secure their makers claim they are, are no place for confidential documents or sensitive data. Storing private information in a personal cloud puts your company at an unnecessary risk of a data breach or unapproved access, which likely violates most company policies.

According to TechJury, 81% of all enterprise firms have a multi-cloud strategy already laid out or in the works and 67% of enterprise IT infrastructure and software will be cloud-based by the end of 2020. It makes sense, because even now, in 2019, the average person uses 36 cloud-based services every single day.

How to Take Action?

SECURE IT.  Take the time to understand how your organization uses cloud storage and follow your employer’s guidelines for storing data. Carefully select the type of information you place in the cloud and create secure passwords for your personal cloud sites in order to keep everything safe and secure.

For awareness training covering this topic, differentiate between storing personal information on the cloud and using the cloud for work.

7. Prevent Phishing Email Attacks

That suspicious-looking email you just got? All it takes is one click to let hackers in. Phishing attacks are one of the easiest ways to steal information or infect a system or network with malware.

Kaspersky Lab reported that their Anti-Phishing system was triggered nearly 500 million times in 2018, and that’s more than double the amount reported in 2017 (236 million).

Phishing is a threat that is not going away any time soon. Susceptibility to phishing can represent a fundamental misunderstanding of security best practices at an organization-wide level.

How to Take Action?

SECURE IT. Scrutinize every email you receive for the signs of phishing on mobile and desktop. Never click links or download files unless their source can be independently verified or an attached document is expected.

For awareness managers, consider engaging a simulated phishing tool that connects to lessons describing signs that an unexpected email should be considered suspicious. Technical safeguards against phishing should go hand-in-hand with phishing awareness content in your training program. Then, if an employee falls for a phishy email, they’ll know what to do and how to handle it.

8. Protect Your Network When Working Remotely  

Working remotely can seem attractive, sending one quick email or document from a coffee shop. But if public Wi-Fi networks are used, cybercriminals can access any other computer on that network and expose any information on those computers to theft.

According to a 2019 IWG survey, 62% of businesses worldwide currently have a flexible workspace policy, allowing their employees to work remotely, and 80% of respondents confirmed that productivity increased as a result.

Whether you’re working in the office or at home, always protect your network. All company data and documents should not be accessed or sent via public Wi-Fi unless connected to the internet via a VPN.

How to Take Action?

PROTECT IT. Always look at websites to be sure they are secure (look for https://), use only Wi-Fi networks that offer password protection, and use VPN connections to connect to work networks.

When covering this topic in security awareness training, explain the importance of using your company’s VPN when working out of the office and describe the methods cybercriminals can use to intercept data shared across unsecured networks.

Cybersecurity Awareness Month at Your Organization

Want the resources and plan to educate on these eight risks at your organization?

Do you like free stuff?

You’re in luck!

We’ve put together a security awareness campaign-in-a-box designed specifically for Cybersecurity Awareness Month. It’s full of videos, posters, infographics, even interactive mini-games to promote NCSAM in your organization.

This campaign kit has the resources and the plan. All that’s needed is you!

Download it today!


We’re thrilled to be an NCSAM Champion this year. NCSAM is a collaborative effort among businesses, government agencies, colleges and universities, associations, nonprofit organizations and individuals committed to this year’s NCSAM theme of ‘Own IT. Secure IT. Protect IT.’ which encourages everyone to #BeCyberSmart through cybersecurity best practices.

Share this Post