October is Cybersecurity Awareness Month, making it the perfect time for small businesses to focus on raising cybersecurity awareness among employees.

Cybersecurity Awareness Month was created by the U.S. Department of Homeland Security and the National Cybersecurity Alliance in 2004 to promote the importance of cybersecurity across all organizations.

This year, the focus is on 4 simple steps everyone can take to increase their cybersecurity:

  • Use strong passwords and a password manager

  • Turn on multifactor authentication (MFA)

  • Recognize & report phishing

  • Update software

We have all of those (and more!) covered in our recommended month-long program to keep your employees engaged during National Cybersecurity Awareness Month.

Week 1: Start with the Basics

Week one of cyber security month is all about the basics.

The first week is all about ensuring everyone understands core cybersecurity best practices. Make sure employees know how to:

  • Back Up Important Information – If you are not already doing so, back up data regularly both on-site and off-site in case of ransomware attacks. Test your restore process!

  • Multifactor Authentication – Enable multifactor authentication (MFA) wherever possible to add an extra layer of protection beyond just a password.

  • Strong Passwords – Create strong, unique passwords that are long and use a mix of letters, numbers, and symbols. Use a password manager to generate and store secure passwords.

  • Phishing Attacks – Recognize and avoid phishing attempts by being suspicious of unsolicited emails asking for sensitive information or links. Don’t click suspicious links or open attachments that could contain malware in phishing emails. Create resources to enable employees to report phishing attempts.

  • Update Software – Use up-to-date antivirus software and keep it and all software updated. Updates often contain critical security patches.

  • Staying Safe Online – Remind everyone of company cybersecurity policies, like guidelines for using social media and rules around accessing work systems with personal devices. Provide resources to refresh knowledge.

Week 2: Focus on Physical Security

It's not just about being secure online - in week 2 you will raise awareness about physical security in your organization.

For the second week, bring attention to physical security for devices and workspaces. Employees should:

  • Lock Computer Screens – Whenever stepping away from your desk, even just briefly, make sure to lock your computer screen. This prevents unauthorized access to sensitive company data or internal systems while unattended.

  • Secure Devices When Not in Use – Laptops, tablets, and mobile devices should be securely stored when not in active use during the workday. Keep devices locked in drawers, cabinets, or closets to protect against opportunistic office theft. Never leave mobile devices lying openly on desks or in conference rooms.

  • Avoid Writing Down Passwords – Never write down passwords where others may find them. Don’t keep passwords on sticky notes or notepads out in the open. Make sure you only record passwords in secure digital password managers protected by a master password. Verbally sharing passwords with others should also be strictly avoided.

  • Keep Sensitive Info Out of Sight – When visitors, guests, or contractors are on the premises, make sure whiteboards, printers, and desks are free of sensitive documents. Lock file cabinets and secure confidential customer data. Remove access badges, keys, and other physical security items from public view.

  • Report Lost or Stolen Devices – Promptly report any lost or stolen laptops, tablets, mobile phones, or other devices to the IT security team. This ensures accounts can be immediately secured and devices remotely wiped to protect company data. Never delay reporting device theft, as this puts sensitive corporate information at risk.

Week 3: Recognize Social Engineering

In Week 3, focus on social engineering awareness.

The third week of National Cybersecurity Awareness Month can focus on employee communications and events centered around recognizing social engineering:

  • Be Wary of Unsolicited Requests – Employees should be suspicious of any calls, texts, emails, or other communications asking for sensitive information if they did not initiate the contact themselves. Even if the request seems to come from a legitimate source, extra precaution is warranted.

  • Refuse to Provide Information – Staff should feel empowered to refuse to give out any sensitive company or customer data when contacted out of the blue. Politely let the requestor know you cannot provide the requested information.

  • Independently Verify First – Before providing passwords, account details, or other sensitive information, employees should independently verify the legitimacy of the request through a known, trusted contact. Never assume a request is valid without checking first.

  • Understand Why Details Are Needed – Anyone contacted for passwords, customer data, or other confidential information should clearly understand why it is being requested and how it will be used before agreeing to provide anything.

  • Roleplay Potential Scenarios – Practice makes perfect. Roleplaying various potential social engineering attempts will help prepare staff to respond appropriately in the moment. Useful skills can be learned through practice.

Training employees to be alert and empowered to refuse suspicious requests is key to blocking social engineering. With the right knowledge, your staff can become an invaluable human firewall.

Week 4: Secure Workplace Collaboration

During Week 4, you can give advice on simple steps to stay safe while collaborating.

During week four, focus on risks with collaboration tools and sharing access. Key points include:

  • Don’t Share Account Credentials – Even when collaborating, employees should never share their account usernames, passwords, or other login credentials with anyone, including co-workers and managers. Sharing credentials compromises account security and personal accountability, and should be strictly prohibited.

  • Limit Document Access – Set permissions on sensitive documents to only allow access on a strict need-to-know basis. Require employees to use a second factor of authentication when accessing confidential files for an added layer of protection.

  • Sanitize Metadata – Before externally sharing any documents, make sure to sanitize them by removing sensitive metadata. This includes information like author name, edit history, and comments which could reveal confidential data if left in files.

  • Encrypt Confidential Files – Encryption should be used to protect any highly sensitive documents stored on local machines, company servers, or cloud collaboration apps. Encryption converts data into an unreadable form that cannot be accessed without a decryption key.

  • Confirm Recipient Identity – Double-check that the recipient is correct before emailing any confidential documents or data. Confirm you have the correct email address and contact name to avoid unintended data leaks through misdirected emails.

Proper collaboration security comes down to protecting document access, sanitizing data, and encrypting information through its life cycle from creation to storage and sharing.

The goal is to reduce the chances of accounts being compromised or sensitive data being accessed by the wrong people.

Week 5: Create a Cybersecurity Culture

Wrap it up with a cybersecurity awareness month event to celebrate!

In the final week, bring all the concepts together to build an organizational culture focused on cybersecurity. Foster open discussion at all levels about cyber risks, policies, and how to strengthen defenses. Highlight that everyone from leadership to staff has a role to play.

Make cybersecurity awareness an ongoing priority beyond October. Continue providing training refreshers and helpful resources. Celebrate vigilance through positive reinforcement and make it easy for employees to report concerning incidents or vulnerabilities.

With a little creativity and commitment, any small business can utilize this cybersecurity awareness month to meaningfully improve its readiness and resilience against growing cyber threats.

What will you do this October?



The following are some variations of frequently asked questions around the topic of “What is cyber security awareness month?”. We hope you found the answer you were looking for and also take some time to dive deeper into ways to strengthen your cyber awareness education!

The theme has not been announced yet, but the 20th anniversary of Cybersecurity Awareness Month in 2023 honors the progress made in security education and awareness over the past 20 years, while looking ahead to the work still needed to fulfill the vision of a securely interconnected world.

October Security Awareness Month 2023 is an annual effort to promote better cybersecurity practices across the industry and the public.

Cybersecurity Awareness Month is observed every October.

The National Cyber Security Alliance and U.S. Department of Homeland Security jointly founded Cybersecurity Awareness Month in 2004.

Yes, Cybersecurity Awareness Month is now recognized and observed internationally.
