October Is Cybersecurity Awareness Month — Here's What It Means for Your Business

Sam Wheeler · October 2, 2023

Every October, the security industry marks Cybersecurity Awareness Month — a campaign started by the Cybersecurity and Infrastructure Security Agency (CISA) in 2004 to promote cybersecurity awareness. The hashtag campaigns and branded content aren't for everyone, but the underlying prompt is legitimate: use this month as a concrete reason to do the security work you've been deferring.

Here's how to make October count for your organization.

Week 1: Assess Where You Are

You can't improve what you don't understand. Spend the first week of October getting clear on your current security posture.

If you've never done a formal risk assessment, now is the time to start. At minimum, answer these questions: What are your most critical systems and data? What are the realistic threats to those assets? What controls do you have in place, and do you have confidence they're working?

If you have a recent assessment, review the findings and honestly evaluate what's been remediated versus what's still open.

Week 2: Run Employee Training

Your employees are both your biggest risk and one of your most effective defenses. Awareness Month is a natural time to run a company-wide security training initiative.

Make it relevant to their actual work, not generic compliance-check content. Focus on:

  • Recognizing phishing in the context of the tools they actually use
  • How to report suspicious activity
  • Password hygiene and MFA

Consider pairing training with a phishing simulation — baseline click rates before training, then measure improvement. Use failed simulations as learning moments, not shame triggers.

Week 3: Test a Control

Pick one critical control and test it. Options:

Test your backup restore process. When did you last verify that your backups actually restore? Attempt a full restore of a critical system and document what you find.

Run a tabletop incident response exercise. Walk your leadership team through a ransomware scenario. Who does what? Who makes decisions? What's the communication plan?

Audit privileged access. Who has admin rights in your environment? Is every account justified? Are there terminated employees still in the system?

Testing reveals gaps that documentation doesn't.

Week 4: Plan for the Next Year

Security programs that improve do so because someone is thinking about them systematically. Use the last week of October to define your security priorities for the coming year.

What are your top three security risks? What's the plan to address them? Who owns each initiative? What does success look like, and how will you measure it?

Document this and present it to leadership. Security programs with executive visibility get the resources they need to make progress.

The Real Goal

Awareness Month isn't the point — it's a vehicle. The goal is a security program that operates year-round, improves continuously, and genuinely reduces risk. Use October as the catalyst to start or accelerate that work, then keep the momentum going through the rest of the year.
