National Cybersecurity Awareness Month - NCSAM - Super Guide (2022)

Travis Good
September 19, 2022

The National Cybersecurity Awareness Month (NCSAM) is a month-long celebration and focus on cybersecurity awareness. The event has been formally declared yearly in the United States since 2004. NCSAM is officially sanctioned by the Cybersecurity and Infrastructure Security Agency (CISA). The goal of NCSAM is to inform, educate, and engage individuals on topics that help keep them safe online.

Companies approach and implement various strategies in support of NCSAM. In almost all cases, companies use NCSAM as an opportunity to promote best practices for security hygiene.

This guide, updated for 2022, was created with the following goals.

  1. Help admins and managers in designing a strategy for NCSAM.
  2. Drill down into the specific NCSAM themes for 2022.
  3. Provide usable examples of content and messaging for NCSAM campaigns.
  4. Inform reporting and success metrics for NCSAM initiatives. 

Why does NCSAM matter?

Not every training discipline has its own month. There is no HIPAA Training Month, certainly not one formally approved and sanctioned by the highest levels of the United States Government. So why does security awareness have its own month?

The one thing people agree on, and the data supports this, is that human behavior and decisions are the leading cause of security incidents and data breaches. This is why security awareness matters, and why we have a National Cybersecurity Awareness Month. 

However, there are several disturbing trends that make human risk the leading cause of security incidents and breaches.

  1. Attacks are easier than ever. There are free and very cheap ($5-$20) software programs available to attackers. These are the equivalent of low code for cyber attackers. The result is a much lower bar in terms of software skills needed for somebody to launch cyber attacks. Additionally, software can help automate these attacks at scale.
  2. Data about people is more available than ever. Data about individuals is easy to find on the Internet. Whether from social media sharing or data aggregators, information about people is widely available. If you extend this to the dark web, there are tons of additional data points, including usernames and passwords available. All of this data makes it easy for attackers to launch targeted attacks.
  3. Users have more on their plates. We all have too many messages to manage — too many emails, Slack messages, LinkedIn messages, and so on. Triaging those messages is hard. As we’re rushing through our various inboxes, it can be easy to make a mistake and click a link in a fake email that looks exactly like a real email.

End-users and employees need help making the right decisions and taking the right actions. This is why security awareness matters and why NCSAM is something to embrace and promote.

Goal Setting for NCSAM 2022

No matter how you choose to run your campaign for NCSAM, it is going to require resources. You will need…

  • The NCSAM campaign content.
  • A tool to manage and distribute that content.
  • Your employees' time so they can consume the content.

With resources being used to plan and execute NCSAM, setting clear goals upfront is important. It will also help in getting buy-in from your leadership team (more on that below). Goals, while being highly specific to each company, should be quantifiable within some reasonable timeframe.

Below are several examples of goals for National Cybersecurity Awareness Month.

  • GOAL: Engage with > 50% of employees each week on NCSAM. DATA: Metrics for viewing, rating, or reacting to NCSAM content.
  • GOAL: Improve employee ability to spot fake links by 25%. DATA: Conduct a URL / link quiz before NCSAM and after.
  • GOAL: Receive positive overall sentiment from employees for NCSAM. DATA: Conduct surveys, ideally weekly, on the NCSAM experience.

NCSAM 2022 Theme

Each year, National Cybersecurity Awareness Month has a theme. There is both an overall theme for the month and 4 sub-themes, or specific topics, within the month.

Security awareness is a broad category. Content can be presented with different filters and perspectives. The NCSAM theme and sub-themes help drive consistency in messaging.

CISA encourages practitioners to create their own campaigns and messaging for NCSAM based on the themes and sub-themes for the year.

Overall Theme for NCSAM 2022

The overall theme for NCSAM 2022 is See Yourself in Cyber. The goal is to drive awareness of the role of individuals, or end users, in the overall cybersecurity landscape. To accomplish this, highly technical topics need to be distilled down into teachable moments that are actionable for users to defend themselves, their accounts, their devices, and their data.

Ideally, these teachable moments should help build a security mindset whether in an office, working from home, or with their families.

Sub-themes for NCSAM 2022

Historically, there have been weekly themes for National Cybersecurity Awareness Month. This year, these sub-themes are topics that CISA wants companies to focus on. Below are the 4 sub-themes for this year. We’ve also provided sample training and engagement messages to go along with these themes.

Sub-Theme 1: Enabling Multi-Factor Authentication (MFA)

Multi-factor authentication is one of the single most important steps users can take to secure their accounts. It’s also increasingly simple to implement using mobile devices and hardware keys. Employees should be using MFA on all of their accounts, not just company accounts.

Sample MFA Training Message

⚡ Multi-factor authentication (MFA) is the simplest and most powerful way to secure your accounts.

You should use MFA on all of your accounts if they allow you to enable it. Your administrator may require the use of MFA with certain tools.

There are three types of MFA 1️⃣ 2️⃣ 3️⃣

  1. SMS - text message codes for MFA (the least secure method)
  2. Software - apps like Duo, Auth0, and Google Authenticator
  3. Hardware - unique physical devices like a YubiKey

👆The above list is ordered from least secure to most secure. However, using any form of MFA is better than using no form of MFA.

Sub-Theme 2: Use Strong Passwords

Passwords still play a huge role in cybersecurity. Unfortunately, weak passwords are still a common occurrence. Many users will reuse passwords across accounts, including personal and business accounts. These reused passwords show up in public data breaches.

Engaging users on the importance of strong passwords and strategies they can use to create strong passwords benefits both your employees and your company.

Sample Strong Password Training Message

🤯 You have hundreds of online accounts. Almost all of them require a password. This is not just for work. It’s also your personal accounts.

🦹 The problem is, there’s a near 100% likelihood that some of your passwords will be, or likely already have been, in a breach. When these breaches happen, millions of account usernames and passwords are published online. Cybercriminals can use these breached passwords to launch attacks.

❓ What can you do? …☝️Use a password manager! With a password manager, you can…

1️⃣ Generate unique and random passwords for each of your accounts;

2️⃣ Store those unique passwords securely; and

3️⃣ Auto-fill those unique passwords across websites and apps.

👉 Use a password manager!

Sample Strong Password Training Message

💭 Can you guess the most common passwords people use?

If you said “123456” or “password”, you’d be right ⭐

🦹‍♀️ When data breaches happen, passwords are often involved. Those passwords are then made available in databases on the dark web. Attackers use them for brute force attacks.

Analyzing close to 300 million real passwords that have been breached, the most common passwords are consistent over the years. There is a clear trend. Passwords often involve sequences of numbers and the word “password”.

Have you used any of these common forms of passwords? Most of us have. Using these common passwords makes an attacker’s job trivial.

🎗 Now that you know the common passwords, let’s buck the trend and not use easy-to-guess passwords.

Sub-Theme 3: Recognizing and Reporting Phishing

Phishing is still the most common form of attack against users. The goal of this sub-theme is to help instill a security mindset so employees remain vigilant about messages containing links, typos, strange email addresses, and attachments.

When users suspect phishing messages, they should report those messages to reduce the risk of attacks against other people.

Sample Phishing Training Message

🎣 Phishing is when cyber attackers send fake emails to trick users into taking some type of action. Phishing is usually done through email.

🐟 🔗 The most common type of phishing attack is sending a fake link in an email. That link takes a user to a fake website and asks the user to enter their information such as username and password.

Email software detects most phishing attacks but some will end up in your email inbox. You should be careful with any links you get in an email. Here are a few tips to spot a phishing attempt:

1️⃣ Hover over the link and inspect the entire URL.

2️⃣ Look at the entire email address of the sender.

3️⃣ Think about the context of the email (is a link what you expected to receive?).

4️⃣ Look for grammatical and spelling errors.

Sample Phishing Training Message

🔗 Links to fake websites are a super common way to scam you. Fake links can come in email, text, social networks, forums, or anywhere else text can be seen or sent.

🤯 It can be challenging to tell if a link is a scam or not. Attackers get creative and use domain names that look a lot like real domains but with minor misspellings or modifications.

When you get a link, even from somebody you know, you should slow down and hover over the link before you click it.

🕴️ Hovering will show you the entire link, even if the link is in an image or a button. Take a few seconds to look at the link, including the end of it (.com vs .co, etc.):

  • Is this the domain name of the company in question?
  • Is it spelled correctly?

🐢 Take your time. If in doubt, do not click the link.

Sample Phishing Training Message

💬 Have you received fake messages via text?

You likely have, as this form of attack has grown increasingly popular. Look out for strange and random text messages from companies — things like billing problems with Netflix or awards from AT&T.

The same rules apply to text messaging scams, called smishing, as other scams like email:

1️⃣ Look at where the message is coming from (even though it’s text, it may be a domain).

2️⃣ Check any links to see where they go (do not click on them).

3️⃣ Check the grammar and spelling.

4️⃣ Is it urgent or playing to human psychology (like fear)?

5️⃣ Do not open attachments as it’s incredibly unlikely a company would text you a file.

👉 These smishing attacks are often easier to detect but the risk from them is the same as with traditional phishing attacks.

Sub-Theme 4: Update your Software

Keeping device software and app software up to date is a good way to stay ahead of cyber attackers. Many cyber attacks use known vulnerabilities in outdated software to gain unauthorized access to machines and software services. These software vulnerabilities can exist on smartphones, computers, or IoT devices.

Sample Software Update Training Message

Software updates are not just for new features and emoji packs 😮‍💨

👉 When vulnerabilities are discovered, software vendors write updates to fix them. You should install official software updates because they often fix vulnerabilities.

This applies to ALL of your devices:

  1. Mobile and desktop operating systems 💻
  2. Mobile and desktop apps 📱
  3. Smart devices software (IoT devices) 📺

On your phone and computer, you have options to be notified of software updates or to have software updates installed automatically (typically overnight).

NCSAM Talking points

Most people haven’t heard of National Cybersecurity Awareness Month. They do not have any background or context for it. As such, getting buy-in both from company leadership as well as from employees is essential if you want to have a successful National Cybersecurity Awareness Month.

Messaging up: Leadership Buy-in

Buy-in from leadership is one of the key factors to having a successful NCSAM. Ideally, leadership would not just sanction the activities of NCSAM but somehow participate or lend weight to the activities.

Talking Points to Leadership about NCSAM

  • National Cybersecurity Awareness Month (NCSAM) is a US Government-sanctioned initiative to drive end user knowledge about cybersecurity threats.
  • NCSAM has been an annual event since 2004.
  • End user actions and decisions remain the number one risk for security incidents.
  • The theme for NCSAM in 2022 is “see yourself in cyber”, which means to show end users, our employees, how to protect themselves from cyber threats and scams.
  • NCSAM is complementary to our other efforts around security awareness.

Employee Engagement

Employees are busy, and often can’t fully appreciate the important role they play in the security of company systems and data without continuous reminders of the fact. That’s why this year’s NCSAM theme — see yourself in cyber — is such a powerful message.

If your employees are going to be getting messages throughout the month, you want to introduce them to NCSAM upfront so they understand the goals.

Message Introducing NCSAM to Your Company

October is National Cybersecurity Awareness Month, or NCSAM. NCSAM is a US Government-sanctioned initiative that has been in existence since 2004. The goal of NCSAM is to deliver messages to help you protect the security of your accounts and the privacy of your data.

Throughout the month, you will receive regular messages focused on your role in cybersecurity, both at work and at home. If you have any questions or concerns, please reach out to your manager or our security awareness team.

Quantify and report on NCSAM

We covered goal setting above. Goals for NCSAM vary by company. The data required to assess and report on those goals also varies. We gave three example goals, and the corresponding data required to assess them, in the above section. This is by no means an exhaustive list of goals for NCSAM, but they are a good starting point.

Here are the most important things to remember when setting goals for NCSAM:

  • Successful goal setting means setting goals up front.
  • Goals should be quantitative (the three examples we provide are all quantitative goals).
  • You should communicate your goals to both leadership and to the company at large.
  • You want the data required to measure progress towards your goals built into the overall NCSAM strategy.

Closing the loop on reporting and the outcomes of NCSAM is something that should be done pretty soon after NCSAM ends, usually by mid-November. One thing we see is that the results of NCSAM are often only shared with leadership and not with all employees. Since NCSAM is company-wide and touches all employees, being transparent about the outcomes will:

  1. …build trust and affinity in the security team; and
  2. …increase the odds of success of NCSAM in subsequent years.

Haekka NCSAM 2022 Stream

We’ve crafted a complete campaign for NCSAM. This campaign provides messages for the NCSAM theme and sub-themes, along with tailored engagement and educational messages. We encourage you to use this as is or customize for your company; if you’re interested in subscribing to all of this content in Slack, we offer this complete campaign as an NCSAM Stream.

Admin Content

We provide admins and managers with resources to drive new initiatives and ensure alignment with overarching goals for NCSAM.

  • NCSAM complete guide in September, inclusive of:
      • Content guides
      • Social media guides
      • Talking points templates
  • Fully editable training content with the option to send or skip any message
  • All content is 30-90 seconds in length
  • NCSAM report in November with quantifiable engagement metrics

Week 1

The focus is on why MFA is important and how easy it is to do across all of your services.

Engagements:

  • Monday: intro to NCSAM and overview of themes
  • Wednesday: what is MFA and why use it (includes animated video)
  • Friday: real-world scenario of MFA use and value

Week 2

The focus is on what a strong password is and how password managers help ensure you create and use strong passwords.

Engagements:

  • Monday: MFA recap and intro to weekly theme (the “why” for strong passwords)
  • Wednesday: what is a strong password (includes animated video)
  • Friday: how password managers enable strong password usage
  • Strong password game (in Slack)

Week 3

The focus is on updating software to patch vulnerabilities and how to enable updates.

Engagements:

  • Monday: password recap and intro to weekly theme (why updating all devices matters)
  • Wednesday: updating software means all software (includes animated video)
  • Friday: real-world scenario of vulnerabilities from not updating software

Week 4

The focus is on the scale of phishing and basic rules that work no matter the phishing attack.

Engagements:

  • Monday: software updates recap and intro to weekly theme (the scale of phishing)
  • Wednesday: what is phishing and how to report it (includes animated video)
  • Friday: phishing game (in Slack)
  • Real or fake URL game (in Slack)

Week 5 (Bonus Week)

This is just a recap, a thank you to participants, and a reminder that cybersecurity matters all year and not just during NCSAM.

Engagements:

  • Monday: short recap with thank you, reasons why NCSAM matters, and that cybersecurity is important all year long
  • NCSAM feedback survey

---

Want to give Haekka a try? We’ll ensure you have what you need to have a successful NCSAM - talking points, fully customizable thematic messages in Slack, measurement and reporting of outcomes and engagement. Schedule a demo today.