Building a Robust National Cybersecurity Awareness Month Program

By Christine Izuakor, PhD, CISSP, CEO, Cyber Pop-up

The month of October tends to generate a lot of buzz amongst the cybersecurity community. It’s National Cybersecurity Awareness Month (NCSAM) – a season when cybersecurity professionals work tirelessly to boost awareness of evolving cyber risks amongst users and the general public.

This is especially important in an era where human-related cyber threats are at an all-time high. From intentionally malicious attackers to unmindful users prone to accidents, these threats can have significant consequences on companies of all sizes. Ongoing high-profile breaches have brought this issue of insider threats into the spotlight. For example, last year, social media giant Twitter fell victim to an unintentional breach caused by an unsuspecting insider threat. In this case, cyber attackers took advantage of the recent remote work trends to conduct one of the most prominent hacks of the year. After impersonating an IT team member, the attackers were able to convince employees to share their account details. The culprits then used this info to log into user’s accounts and change the credentials of several high-profile accounts, including presidents, government officials, and celebrities.

End users sometimes pose the greatest threats to an organization. Quite a few professionals in the security space even argue that these threats are more concerning than external hackers. All of this is a stark reminder that in the hybrid work reality that most companies operate in today, educating employees on cybersecurity best practices is critical to reducing insider threats. Implementing a robust NSCAM program can play a critical role in the process.

What is National Cybersecurity Awareness Month (NCSAM)

Formed by the National Cyber Security Alliance & the U.S. Department of Homeland Security in October 2004, the NCSAM’s purpose is to assist people in becoming safer and more secure in the digital world. When the month first launched, most educational efforts were geared towards basic advice like updating anti-virus and using strong passwords. Though these will likely always remain relevant top is, today, the advice has evolved to focus on what most businesses still struggle with – human and insider-related threats. This includes popular social engineering techniques used by common criminals to infiltrate companies.

Getting the Most Out of National Cybersecurity Awareness Month

Though a robust NCSAM plan won’t solve every cyber challenge in an organization, there are some key risks that are perfect to emphasize for great results during the month. Any risk topics where human beings can make a difference are the topics it’s great to focus on for NCSAM. A few examples include ransomware, forms of social engineering, password hygiene, Wi-Fi insecurity, home office security, and more.

Remember that it’s not enough to send out a communication or post a blog. One-time communications seldom leave a lasting impact on employees. An effective NCSAM plan requires a strategic approach and robust plan that covers key elements unique to the hosting organization and extends throughout October and beyond.

Five tips for a great NCSAM:

  1. The program must be relevant and relatable: Think about your audience and what employees care about. Set your goals for the month and the topics you’ll focus on around what they care about. Also, pay attention to the threats that your company or industry faces the most. Those are great topics to zone in on as well.
  2. Pick an engaging theme: Themes tend to be easier for people to remember. You’ll want the lessons of the month to stick in the minds and hearts of users through awareness month and beyond. Security risks don’t disappear after October. Neither should you messaging. The CISA recommends the following theme for 2021, which can be customized to further meet the needs of the organization:
    1. Week 1: Be Cyber Smart Take simple actions to keep our digital lives secure.
    2. Week 2: Fight the Phish! Learn how to spot and report phishing attempts to prevent ransomware and other malware attacks.
    3. Week 3: Explore. Experience. Share. Commemorate the National Initiative for Cybersecurity Education’s (NICE) Cybersecurity Career Awareness Weekand the global cybersecurity workforce.
    4. Week 4: Cybersecurity First Explore how cybersecurity and staying safe online is increasingly important as we continue to operate virtually in both our work and personal lives.
  3. Get influencers and key leaders on board: Employees love to see leaders involved in these kinds of efforts before engaging. Know that some employees may be unsure of whether it will be “frowned upon” to engage in the NCSAM activities during work hours. It’s important for leaders to show that NCSAM is a priority by being actively and publicly involved in the effort. This applies from the CEO on down.Partnerships also goa long way during NCSAM. Work with other companies in your sector, industry support groups, government agencies, and more to collaborate on content, events, and messaging around NCSAM. This is especially helpful when dealing with a limited budget as costs can be split between groups.
  4. Host virtual and on-site events: Organizingevents where people can actively participate in cybersecurity-related conversations and activities go a long way. In addition, in the remote era, webinars and virtual events are a great option, especially for geographically dispersed teams. During these events, cybersecurity-related giveaway items such as webcam covers, computer stickers with awareness messages, pens, t-shirts, and more can be given away as freebies or prizes that people can win for engaging in NCSAM.Games and prizes offer the ultimate engagement and excitement amongst workgroups. From online quizzes to cybersecurity-themed scavenger hunts, there are plenty of game ideas and prizes that can be planned to get people excited about NCSAM.
  5. Have fun: This one is self-explanatory, and probably the most important. If you’re going to invest time and resources into NCSAM, you’ll want folks to be highly engaged. No one wants to engage in boring content. Employees should be captivated and inspired to care about cybersecurity throughout the month. For example, people have brought fun and humor into cybersecurity conversations like the discussion of passwords on The Ellen Show or the very concerning video shown on Kimmel Live where unsuspecting users unknowingly leak their own passwords. Pull together fun content that applies to your efforts and incorporate this into your NCSAM strategy. Your employees will be entertained and still learn in the process.


Promoting cybersecurity awareness in your organization can reduce human related cyber threats. The most effective entities take a multi-pronged approach to awareness, including a robust NCSAM plan that is fun, relevant, rewarding, and more. Doing so can encourage employees to avoid engaging in potentially high-risk internal behavior and, in turn, thwart future cyber-attacks.



Hot Topics

Related Articles