CISA's theme for Cybersecurity Awareness Month 2025 reflects the current threat environment: AI is reshaping both how attacks are launched and how defenses work. For organizations building or strengthening their security programs, October is a useful forcing function to evaluate how AI-driven threats change your risk posture.
Here's a practical month agenda.
Week 1: Assess Your AI Threat Exposure
AI-enhanced attacks have moved from theoretical to operational. This week, honestly assess where AI-enabled threats affect your organization:
Phishing and communication attacks. AI-generated phishing content is now indistinguishable from human-written content in many cases. AI voice cloning makes vishing credible at scale. Do your current training and technical controls account for AI-quality attacks, or are they calibrated for cruder, earlier phishing?
Deepfake exposure. Which of your processes could be manipulated by convincing audio or video impersonation of executives or known individuals? Wire transfers, executive approvals, media interviews — map where deepfake risk intersects with your business.
AI tool usage. What AI tools are your employees using, and what data is going into them? Do you have a policy governing AI tool use, and is it current with the tools actually in use?
Week 2: Address Your Highest-Risk AI Gap
Pick the highest-risk gap identified in Week 1 and address it this week.
If the gap is verification processes for financial transactions: implement a call-back verification requirement using a number from your internal directory (not the number provided in the request) for any wire transfer or payment change request. This one process prevents most BEC and AI-impersonation fraud.
If the gap is deepfake awareness among executives: run a brief briefing with your leadership team specifically on what deepfake attacks look like today and what the organizational verification procedures are.
If the gap is AI acceptable use: draft and publish a policy that defines which AI tools are approved, what data categories are acceptable to use with each, and what's prohibited.
Week 3: Technical Controls Audit
Spend Week 3 on a targeted technical audit of controls most relevant to the current threat landscape.
Identity controls. Is MFA enforced everywhere? Have you reviewed phishing-resistant MFA options (FIDO2/passkeys) for your highest-value accounts? Have you implemented any identity threat detection to catch anomalous access patterns?
Email security. Is DMARC at p=reject or p=quarantine? Are you running an email security gateway that filters AI-generated phishing (which requires behavioral detection, not just signature matching)?
Conditional access. Are your conditional access policies blocking access from unknown devices, unusual locations, or anomalous patterns?
Week 4: Communicate and Plan
The final week is for communicating what you've done and planning what comes next.
Team communication. Brief your organization on the AI threat landscape in terms they can act on. Not technical details — practical guidance: how to verify suspicious communications, what to do if you receive a wire transfer request or an unusual executive instruction, how to report something suspicious.
2026 planning. Use October's forced reflection to define your security priorities for the coming year. Where are your biggest gaps? What's the highest-ROI investment you could make? What resources do you need that you don't have?
The Broader Point
Cybersecurity Awareness Month is useful primarily as a catalyst. The organizations that improve their security posture year over year don't do it because of an October campaign — they do it because security is a sustained organizational priority.
Use October to start or accelerate something, not to check a compliance box. The best outcome of this month is a specific, concrete commitment to a security improvement that happens before December 31.