What are the lessons of Cybersecurity Awareness Month?

Has Cybersecurity Awareness Month actually done any good?

It’s a question worth exploring with Cybersecurity Awareness Month now in its second decade. In an era when cybercriminals are continually ramping up their attacks, the educated technology user is still the best line of defense.

But knowing and doing are not the same thing. While some metrics point to users being more aware of good cybersecurity practices, others show that some — from surprising cohorts — just don’t care enough to follow them.

Will the messaging of Cybersecurity Awareness Month ever evolve beyond “watch where you click?” And what can businesses do to improve cybersecurity behavior among their employees? The answers go beyond mere awareness.

Cybersecurity Tribe featured a quote from an anonymous CISO in October 2023 that sums up the questionable value of Cybersecurity Awareness Month: “[W]e are still making the same stupid mistakes we were 20 years ago.”

But how true is that assessment? In terms of knowledge, Americans, at least, have made some progress. In 2023, Pew Research found that 87% of Americans could identify the most secure password out of a list of four. Two-thirds knew why cookies exist. And nearly half could identify an example of two-factor authentication from a set of images.

Back in 2019, Pew found that only 28% of respondents could identify two-factor authentication, although roughly the same number — 63 percent — knew the purpose cookies served. So, a few Cybersecurity Awareness Months in the early 2020s seem to have done some good.

However, perhaps more importantly, one key global statistic shows positive progress: The percentage of data breaches that involved the “human element” — generally, something like a user clicking on a malicious link. In 2022, the Verizon Data Breach Investigations Report found that the human element was present in 82% of breaches worldwide. In 2023, the number was 74%. In the 2024 report, it dropped to 68%.

All of that is encouraging, right? As the anonymous CISO suggested, cybersecurity awareness — or, perhaps more appropriately, behavior — still has a long way to go.

Take, for instance, multifactor authentication (MFA), a fairly simple but generally effective cyberattack deterrent. Back 2022, a report from a study by the Cyber Readiness Institute found that 54% of MSPs had not implemented MFA. That number might have shrunk now that a couple more Cybersecurity Awareness Months have passed.

Then there are passwords, which remain an area of cybersecurity many users just simply can’t or won’t handle. The very first in a Google list of six cybersecurity mistakes to avoid is “using the same password everywhere.”

But what do many users do? Security.org found that about one in five use the same few passwords on all their accounts, and almost 30% use the master password for their password manager on other accounts (a bad practice). That 30% number for 2023 is up from 19% in 2021. Furthermore, a quarter of users store passwords in (unsecured) notes on their computers or mobile devices. That metric was unchanged from 2022 to 2023.

Part of what security awareness training is supposed to do is put an end to the aforementioned bad habits. And it does undoubtedly help. But training itself isn’t the issue. It’s what users choose or choose not to do with it.

For example, the National Cybersecurity Alliance found that the users with the most access to security training generally displayed the worst online behaviors — and suffered the largest percentage of cyberattacks. Consider this fairly damning paragraph from the Alliance’s findings, which covered the U.S., U.K., Canada, Germany, France and New Zealand:

“Astonishingly, 43% of Gen Z’s and 36% of millennials reported being victims of cybercrimes, significantly more than the silent generation (20%) and baby boomers (15%) who lack access to formal cybersecurity training. At the same time, these digital natives are twice as likely to disagree with the idea that security is worth the effort. This is reflected in their cyber habits, with half of Gen Z and 41% of millennials admitting to using personal information like names of family members or pets, dates and places when creating passwords.”

Many younger users who should know better just aren’t bothering to follow good cybersecurity practices. Perhaps tellingly, 39% of respondents to the Alliance’s survey said they were frustrated about the process of staying secure online, and 37% found it intimidating.

It’s no secret that practicing good cybersecurity habits is painful for many users. And MFA adds an extra step for users to access critical information. But every email is a potential electronic land mine and must be treated as such. Even formerly reliable methods of communication, such as the telephone or a video call, are potential vectors for deep fakes. It’s enough to make many users to give up and let whatever happens happen.

Of course, that’s not an option either for them or your business. Practicing good cyber hygiene is critical, and employees need to know just how critical it is. Training is useful — and necessary — but it shouldn’t stand alone. After all, a lot of employees breeze through training as quickly as possible, no matter what the topic is.

Employers need to create a culture of cybersecurity that includes but also goes beyond security awareness training. A few basic practices can help:

Let employees know the real consequences of a cyberattack

Scary numbers and far-away cyberattack stories quickly produce diminishing returns for users. Business owners and IT leaders need to let employees know that cybersecurity is everybody’s responsibility and that a cyberattack could do enough damage to reduce or even eliminate jobs and salaries.

This isn’t about threatening to fire employees who fall victim to attacks. Rather, it’s about letting every employee know that a cyberattack can shut down a whole business, sometimes for good. Their jobs are on the line every day. When that’s the case, going through MFA or coming up with a unique password might not seem like such a chore.

Talk openly about cybersecurity every day

Nobody wants to be the secret police reporting on employees who don’t close and lock their laptops before they leave their desks. That’s not what this tip is about. The idea is to make cybersecurity part of everyday conversations, including team meetings, one-on-one meetings with managers and even company-wide meetings.

You don’t need to lecture or berate employees about keeping good cybersecurity hygiene. Remind them how important cybersecurity is and how you’re all part of the effort to stay safe online together. It’s a team exercise the way so many others in the workplace are, and everybody needs to participate for the good of the group. Frame good cybersecurity as a positive practice rather than as hurdle to getting online. Take and answer questions. Encourage curiosity and feedback.

Lead by example

Nobody needs to know your password, obviously. But business and IT leaders in organizations can still practice good cybersecurity hygiene in public. Use MFA in meetings when you can. Send warnings about suspicious emails when you receive them (but don’t forward them, of course). Provide a password wallet for users and train them on how to use it.

It's critical to show that cybersecurity isn’t just IT’s job; it’s everybody’s responsibility, from the CEO to summer interns. Do everything you can to publicly demonstrate and discuss your own commitment to cybersecurity and to encourage others to do the same. Again, the idea is not to set up a police state but to foster a sense of purpose and teamwork.

Have the right technology in place

Despite your best efforts and those of your employees, risks will persist. Cyber attackers are increasing their level of sophistication all the time, aided by AI, and ramping up the frequency and number or attacks.

Embrace cybersecurity awareness training. It’s not a cure all for maintaining a culture of cybersecurity when deployed in a vacuum, but it is a completely necessary element for any organization that wants to strengthen its cyber defenses. Used wisely, it forms a solid foundation for building a culture of cybersecurity.

Security awareness training doesn’t have to be difficult to implement; in fact, you can use software to automate and schedule training. And you can use it to constantly remind employees of good cyber hygiene. The key is to think of training as a core element of a broader security culture.

You still need cybersecurity technology that will protect and back up your data in case the worst-case scenario occurs. Acronis provides complete protection for MSPs and their clients with Acronis Cyber Protect Cloud and for businesses with Acronis Cyber Protect.

In terms of generating measurable results, Cybersecurity Awareness Month remains a work in progress. But global trends aren’t important for your business. What is important is how your employees behave online, and you can do a lot to move them in the right direction.