LONG READ
Cybersecurity Awareness Month
Inspiration unlocked: 47 Cybersecurity Awareness Month ideas for 2023
Every year, a dizzying high number of people face the consequences of cyberattacks. These attacks not only cost organizations billions. They also leave a devastating impact on individuals.
We know if you’re reading this, you get it. You already understand the importance of safeguarding your organization and people from cyber threats.
Still, we’ve got to get this off our chest: Simply having technical security measures in place isn’t enough.
Being 500 percent sure that everyone in your organization understands the risk—and knows how to protect themselves—is crucial.
It’s sometimes the difference between organizations surviving…or failing.
2023 marks 20 years of Cybersecurity Awareness Month (CAM). Since its inception by the National Cyber Security Alliance (NCSA), this global event has grown exponentially. Today, millions of organizations participate.
But CAM isn’t just about educating people. It’s about engaging. It’s about igniting excitement. And it’s about making people feel like they’re part of the solution.
We all know tackling cybersecurity can feel like an uphill battle. It may seem like cybercriminals are always one step ahead.
But the last thing you can afford to be is jaded. And why would you be, when security awareness can actually be, well, really fun? Yep, even for you.
So, in this blog, we tackle the burning questions many cyber pros ask themselves as October approaches:
Why is Cybersecurity Awareness Month important?
How can I make it impactful and drive meaningful change?
How can I ensure awareness of cybersecurity risks and promote self-protection?
What mistakes should I avoid for a successful Cybersecurity Awareness Month?
How can I engage and inspire others about cybersecurity?
How does behavioral science apply to leading a successful CAM?
How do I tailor messages to different audiences and knowledge levels?
How can I use social influence to foster a strong security culture?
How can I make the consequences of security breaches tangible and relevant?
Does gamification, positive reinforcement, and autonomy actually boost engagement?
Cybersecurity Awareness Month is your chance to make a difference. And this guide is about to make it easy. Successful. And yes, fun.
Why is Cybersecurity Awareness Month important?
There are tons of reasons why cybersecurity awareness is important. Here are some of the biggest ones:
Cyber attacks are on the rise. The number of cyber attacks has been increasing in recent years, and the cost of these attacks is also on the up. In 2021, IBM said the average cost of a data breach was $4.24 million.
The human factor is a major security risk. Even the most secure systems can be compromised by human error.
Cybersecurity needs everyone’s support. It’s not just cybersecurity and IT professionals. Everyone has a role in protecting their organizations and themselves.
You and your team may have overall responsibility for protecting your organization.
But you can’t do it alone.
Yes, your role is crucial, but everyone’s a potential target for cyberattacks. We’re all just a few clicks away from the misery of a cyber attack, facing risks like stress, identity theft, and financial losses.
Additionally, cyberattacks can have broader societal impacts. They disrupt essential services like power, water, and transportation.
That’s why it’s important for everyone to be aware of cybersecurity risks and to take steps to protect themselves…and their organization.
How to harness behavioral science for a stellar CAM campaign
CAM is your golden opportunity to enhance your people’s understanding of cyber threats and foster a security-conscious culture.
To truly make CAM count, it pays to tap into the power of psychology and human behavior. (Not to brag, but if anyone knows, it’s us. Because human-centric cybersecurity solutions is what we do, day in, day out.)
By understanding how people think, make decisions, and respond, you can design strategies for meaningful change.
So, here’s a rundown of some little nuggets of psychology. And how they can help you make the most of CAM within your organization.
Call out human uniqueness
People are susceptible to cognitive biases and social engineering tactics.
For example, the availability heuristic leads us to overestimate the likelihood of events that are easily recalled. This can make us more likely to fall for phishing emails that reference recent news events.
The bandwagon effect also leads us to conform to the behavior of others. This can make us more likely to click on a link in an email if we see that other people have already clicked on it.
To address these vulnerabilities, CAM campaigns should tailor messages to address specific biases and highlight common tactics.
For example, a campaign could remind people to be wary of emails that reference recent news events. Or it could explain how the bandwagon effect can lead us to make poor decisions.
Tailoring messages to different audiences
Not everybody has the same level of knowledge or engagement with cybersecurity. (You may have noticed.)
CAM campaigns should segment people and tailor messages accordingly.
For example, a campaign could provide more complex information for tech professionals to get their teeth into. Meanwhile, it could stick to more general content for less technical roles.
Highlighting immediate consequences
People tend to prioritize short-term outcomes over long-term consequences.
So, CAM campaigns should highlight the short-term consequences of a security breach. For example, a campaign could emphasize the fallout of a phishing attack, from financial loss, to reputational damage, to personal data exposure.
Gamification and positive reinforcement
Incorporating elements of gamification and positive reinforcement can boost people’s engagement.
Interactive quizzes, challenges, and reward systems can make the learning process enjoyable and encourage participation. This keeps people engaged and motivated to learn about cybersecurity.
Empowering autonomy and ownership
People have a fundamental need for autonomy and a sense of ownership.
CAM campaigns should offer training opportunities and provide access to security resources. They should encourage people to report suspicious activities too.
This empowers people and lets them take ownership of their own cybersecurity. It makes them far more likely to report suspicious activity.
Ongoing reinforcement
Psychology tells us that information is forgotten over time if not reinforced.
Provide ongoing reinforcement and refreshers throughout the year. Keep on top of regular reminders via newsletters, simulated phishing exercises, and continuous training opportunities. It all helps keep cybersecurity top of mind.
47 activity ideas for Cybersecurity Awareness Month 2023
Your brain’s probably already bursting with ideas, but it’d be remiss of us not to spill some of our favorite ideas. So here are a few activity ideas to ignite your CAM campaign:
1. Host a cybersecurity lunch and learn.
2. Run a cybersecurity meme contest.
3. Create a cybersecurity public service announcement.
4. Create a cybersecurity-themed video to share on social media and other channels.
5. Recruit cybersecurity champions from each department and hold your first meeting (good snacks are a must, obvs).
6. Make a video answering the most common cybersecurity FAQs in your organization.
7. Use the CAM spotlight to launch a new cybersecurity awareness training program.
8. Get loud on your organization’s website, intranet, and other channels.
9. Encourage your team (and any cybersecurity champions) to take to social media to share cybersecurity tips and resources.
10. October’s spooky, so challenge people to write short cyber horror stories, highlighting the hair-raising effects of cyber crimes.
11. Incorporate cybersecurity into your onboarding process—or review it if it’s already there.
12. Create a cybersecurity-themed escape room, with a prize for the team that completes it in the shortest time.
13. Organize a cybersecurity-themed scavenger hunt. It can even be online if you have multiple locations or remote working.
14. Create a cybersecurity-themed board game. Leave it in the lunch room.
15. Publish a cybersecurity-themed comic book or graphic novel. It can be digital to keep costs down if your budget is tight.
16. If your organization has a podcast, create some cybersecurity-themed episodes.
17. Host a cybersecurity-themed webinar or online event.
18. Do a cybersecurity takeover for your blog or newsletter.
19. Develop a cybersecurity-themed toolkit or resource guide.
20. Assign a cybersecurity mentor to new starters to provide one-on-one support and guidance.
21. Make cybersecurity part of the performance review process.
22. Run a cybersecurity team quiz at the end of the month, where people can test their knowledge and get competitive.
23. Introduce cybersecurity office hours, where you or a team member are readily available for people to come and ask questions or raise concerns.
24. Collaborate with the canteen to offer cybersecurity-themed menus for a week. Use creative names tied to cybersecurity concepts. Balti-factor authentication, anyone?
25. Encourage people to take “security selfies”, where they showcase good practices such as locking their screens when away from their desk, or using strong passwords.
26. Organize a game where participants test their wits against a hypothetical hacking challenge.
27. Share daily cybersecurity tips throughout the month.
28. Set up a live attack simulation game, where participants learn about security vulnerabilities.
29. Extend awareness to people’s families by hosting a drop-in day for loved ones to stop by and set up their personal devices securely.
30. Tailored presentations hosted by senior leaders, given to their respective teams, emphasizing key messages and risks.
31. Interactive sessions showcasing real risks, like password cracking or love-themed examples, to demonstrate potential vulnerabilities.
32. Suggest on-topic movies like The Net (1995) and encourage people to identify security issues while watching.
33. Introduce the security team through a video to make them more approachable for questions and concerns.
34. Invite guest speakers to share insights on cyber threats and prevention.
35. Organize a dedicated whole day for security awareness, featuring workshops, sessions, and presentations focused on different aspects of cybersecurity.
36. Host an open-source intelligence (OSINT) workshop to educate people about the risks of oversharing personal information online.
37. Myth-busting sessions to squash common cybersecurity misconceptions.
38. Encourage people to customize their video call backgrounds with cybersecurity messages and images.
39. Swag like t-shirts, mugs, or stickers to create a sense of belonging and enthusiasm.
40. Appoint cybersecurity ambassadors from different departments to help promote awareness and to answer questions.
41. Recognize people’s participation with badges, certificates, or email signature badges.
42. Incorporate a range of themes into your activities, from tech-centric topics to those focusing on the wellbeing aspect of cybersecurity.
43. Activities that encourage people to “think like a hacker”.
44. Start a book club focused on cybersecurity literature to encourage continuous learning.
45. Create a promotional video featuring staff members highlighting that cybersecurity is everyone’s responsibility.
46. Develop games that simulate phishing scenarios to help people recognize phishing attacks.
47. Use a storytelling approach, with daily themes like physical security, phishing, ransomware, and business continuity.
You know best what will work in your organization. And you’re more than capable of choosing activities that fit your organization’s needs, while engaging your people. You have the power!
What mistakes should I avoid for a successful Cybersecurity Awareness Month?
Let’s be real: Heaps of options doesn’t mean you can’t get it wrong. And while we applaud experimental and innovative approaches, we can learn plenty from the experiences of others. Our incredible SebDB community put their heads together recently, and they came up with a list of lessons learned from past CAMs.
You can use it to plan a pitfall-free educational extravaganza. Or, if people’s reaction to your efforts is more facepalm than fist-bump, maybe you can spot what went wrong and do it differently next time.
Mistake #1: Procrastination on the prep: Delaying getting started can lead to rushed plans and missed opportunities for impact. Start working on your plan early, ideally around January.
Mistake #2: Overcomplicating the approach: It’s natural to want to build on past years’ content and cover lots of ground. But if you make it too complex you’ll lose people. Don’t be afraid to reuse content from the past. Quality, not quantity.
Mistake #3: Assuming people already know a lot: Just because people have been taught how to stay safe, it doesn’t mean they remember and are doing it. Start from the beginning. Be thorough. Avoid gaps in understanding.
Mistake #4: Underestimating the importance of budget: It’s so easy to neglect proper budget planning for your CAM. But having enough money makes sure you can amplify the impact of your activities and help you deliver an engaging experience. Money matters.
Mistake #5: Not making it fun! Yes, cybersecurity’s a serious issue. But talking about it doesn’t have to be. An enjoyable learning experience is a memorable learning experience.
If you sidestep these hurdles and sprinkle some behavioral science, creativity, and innovation into your cybersecurity awareness campaigns, you’ll be galloping your way to success.
Let’s look at some organizations who did just that, and really raised the bar.
Creative CAM campaigns that made a splash
There have been many inventive CAM campaigns over the years, but here are a few of CybSafe’s favorites:
- The University of California, Berkeley created a Cybersecurity Scavenger Hunt that challenged students to find hidden security vulnerabilities on campus. We love how they used gamification to make it fun and engaging for students to learn about cybersecurity risks. This taps into the psychology of motivation, as people are more likely to learn and retain information when they’re having fun.
- The City of San Francisco created a cybersecurity comic book that told the story of a group of hackers who try to steal the city’s data. This was a creative way to reach out to a younger audience and teach them about cybersecurity risks. This uses narrative persuasion, which is a powerful way to communicate information because it appeals to our emotions and helps us to understand complex concepts.
- The National Cybersecurity Alliance created a cybersecurity selfie challenge that encouraged people to take selfies with cybersecurity messages. This was a fun and social way to raise awareness of cybersecurity risks. This uses social proof, which is the tendency for people to follow the lead of others. When we see that other people are taking selfies with cybersecurity messages, we’re more likely to do the same.
- The University of Texas at Austin created a cybersecurity escape room that challenged students to solve puzzles and find clues in order to escape from a locked room. This was a fun and interactive way to teach students about cybersecurity risks. This uses experiential learning, which is a type of learning that occurs when we actively participate in an activity. This type of learning is often more effective than traditional forms of learning, such as reading or listening to lectures.
- The Seattle Public Library created a cybersecurity trivia night that challenged people to answer questions about cybersecurity. This was a fun and social way to raise awareness of cybersecurity risks. This uses gamification, which is the use of game-like elements in non-game contexts. Gamification can be a great way to make learning more fun and engaging.
- Capital One created a cybersecurity training arcade that allowed employees to learn about cybersecurity risks in a fun and interactive way. This was a great way to engage employees and teach them about phishing, malware, and other cybersecurity threats. This uses operant conditioning, which is a type of learning that occurs when we’re rewarded for our behavior. When employees are rewarded for learning about cybersecurity, they’re more likely to continue learning and practicing safe behaviors.
- Visa created a cybersecurity theater that put on a series of plays about cybersecurity risks. This was a creative way to reach out to a wider audience and teach them about cybersecurity risks. Like the comic book, this used narrative persuasion to great effect.
- The “This is Personal” campaign by the UK government is a powerful campaign that highlights the human cost of cyberattacks. This campaign features real-life stories of people who have been affected by cyberattacks. It’s been praised for its emotional impact. This uses emotional appeals, which are a powerful way to persuade people because they appeal to our emotions.
These are just a few of the many inventive CAM campaigns that have tickled our fancy. They demonstrate the power of creativity and innovation in raising awareness of cybersecurity risks.
But creativity and innovation aren’t the only ingredients for a successful CAM campaign. You also need the right resources.
The security awareness toolkit: must-have free resources to boost your Cybersecurity Awareness Month campaigns
Here at CybSafe, we take pride in our science-based, expert-led approach to cybersecurity. It’s been proven to be highly effective in helping organizations reduce their risk of cyberattacks.
And, frankly, this is stuff that’s too good not to share. So we’re dropping the link here because we know they’ll help you smash cybersecurity resilience not just in October, but all year round.
Security Awareness Engagement Taxonomy
A collection of 30+ approaches to boost security awareness engagement created by our Science & Research team, supported by security professionals in the SebDB Community.
Organized by cost, tactic type, and effort, it helps you use best practice methods to ensure everyone understands how important they are in keeping your organization secure.
Free, accredited security awareness training modules
Get a flavor of how we do it here at CybSafe. Exclusive to the toolkit, we’re giving you access to FIVE modules from our platform, for free!
Passphrases
Are your people still using weak, easily guessed passphrases? (Spoiler: Yep.) This module can help to change that!
Protecting your devices
Your people are your biggest target for cybercriminals. And the more devices they use, the better it is for the bad guys.
This device security module will help you keep your people’s devices safe from malware, phishing attacks, and other threats.
Spotting fake emails, featuring James Linton
Phishing emails are a major threat to businesses of all sizes.
That’s why we collaborated with expert James Linton, social engineer and email prankster extraordinaire. This is a module that’ll make your people into laser-eyed fake-email-spotting pros.
Sophisticated attacks
We know cybercriminals are constantly evolving their attacks.
This module will help get your people prepared for anything. They’ll know how to identify and defend against the latest threats. Costly cyber incident averted!
Are you really a target?
Everyone is a potential target for cybercrime.
But this module enables people to assess their risk and take steps to protect themselves. So you can sleep soundly at night, knowing that your organization is much safer.
Webinar: 30+ proven ways to increase security awareness engagement
Human-related security incidents continue to plague organizations of all kinds.
But ask yourself, how many tactics are you using to drive engagement? If you can count them on one hand, it’s time to put aside an hour to listen to this.
In this on-demand webinar, we asked leading industry voices from Meta, New York Life and Raytheon Technologies to help us identify how to create a culture of security awareness in your organization.
AI’s the Top Priority this Cybersecurity Awareness Month 2023
AI is rapidly evolving and becoming increasingly sophisticated. That means it’s also getting more powerful and dangerous in the hands of cybercriminals.
And with two thirds of people admitting they can’t tell AI-generated text from human-generated text, it’s clear that the average person needs help protecting themselves and their organizations.
In this blog, we look at how AI is being used by cybercriminals to target organizations, the specific AI-related risks to be aware of, and how to educate your people about AI risks without sending them to sleep.
We also provide a comprehensive AI curriculum and some phenomenal resources to help you educate your people.
It’s invaluable for understanding the challenges and opportunities in cybersecurity. It’s full of fascinating insight on people’s awareness, behavior, and attitudes towards cybersecurity.
Before we go, let us say it again: You have the power to make a real difference here. By being smart about your CAM game, you can upgrade your organization’s security posture and inspire people to take steps to protect themselves and your organization.
And we can help too. CybSafe is a leading provider of cybersecurity awareness and training solutions. Our unique approach to human risk management combines scientific research, data-driven insights, and expert-built content. Most importantly, it helps organizations to understand the human factors that contribute to cybersecurity risks—and to develop effective solutions to mitigate these risks.
We believe that people are the key to iron-clad cybersecurity. That’s why our solutions are engaging, educational, and effective. (And frankly, if you haven’t booked a demo yet, what are you doing with your life?)
Chances are your brain is bursting with ideas by now and you’re entering planning mode. We’d love to know how your CAM went down and what you got up to, so feel free to tag us in your socials so we can live vicariously through you.
Here’s to making Cybersecurity Awareness Month 2023 a month to remember.
Harnessing the power of social influence
Human behavior is significantly influenced by social norms and peer pressure.
CAM campaigns should encourage people to share their experiences. Give them opportunities to discuss best practices and recognize positive behavior. This helps to create a culture of cybersecurity awareness and responsibility.