
Cybersecurity Awareness Month 2024: Five Things to Do Right Now

Sam Wheeler · October 1, 2024

Cybersecurity Awareness Month generates a lot of content and campaigns. It also generates a useful prompt: what concrete steps should your organization take this month?

Here are five actions worth prioritizing in October — chosen because they're high-impact, achievable within a month, and applicable to most organizations regardless of size.

1. Audit Your MFA Coverage

MFA is the single most effective control against credential-based attacks, and yet most organizations have gaps: legacy applications that don't support it, exceptions made for convenience, service accounts with no authentication at all.

Spend an hour this week mapping your MFA coverage. For every application that authenticates employees, ask: is MFA enabled? Is it enforced or optional? What MFA method is used (SMS, authenticator app, hardware key)?

Close the gaps you find. If an application doesn't support modern MFA, that application should be on your replacement roadmap.

2. Run a Phishing Simulation

If you're not running regular phishing simulations, October is the natural time to start. If you are, use October to run a themed simulation — business email compromise, fake invoice from a known vendor, IT credential reset — that reflects the attacks your industry currently faces.

Measure two things: click rate and report rate. Organizations with a strong security culture have low click rates AND high report rates. The report rate is often the more meaningful metric.

3. Test a Backup Restore

This one is uncomfortable because it often reveals problems. Pick a critical system and attempt to restore it from backup this month. Document: how long did it take, did it work, what was the actual data recovery point?

Many organizations discover during this exercise that their backup doesn't work as expected, their recovery time is much longer than acceptable, or their recovery point is older than their recovery point objective (RPO) allows. It's better to find out in a planned exercise than during an actual incident.

4. Check Your Vendor Agreements

Pull up your list of critical vendors — the ones with access to your data or systems. For each: do you have a current contract? Does it include security requirements? For vendors handling personal data, do you have appropriate data processing agreements? For healthcare data, do you have signed BAAs?

Contracts you haven't looked at in three years often have gaps: no breach notification timeline, no security requirement clauses, no right to audit. October is a good time to identify and start addressing those gaps.

5. Brief Your Leadership Team

Security awareness isn't just for front-line employees. Executives are high-value targets for spear phishing, BEC, and social engineering. Brief your leadership team this month — specifically on the threats that target people at their level.

This doesn't need to be a long meeting. A 20-minute lunch briefing covering BEC patterns, deepfake audio/video impersonation, and what to do if they receive a suspicious request is worth the time.

Making It Stick Beyond October

The value of Awareness Month is using it as a catalyst, not a destination. The organizations that improve their security posture year over year aren't the ones who do something special in October — they're the ones who take October as a starting point for work they sustain through November, December, and beyond.

Pick one of the five actions above and finish it this week. Then pick another. Don't let the month be a planning exercise.
