The National Cybersecurity Awareness Month (NCSAM) is a month-long celebration and focus on cybersecurity awareness. The event has been formally declared yearly in the United States since 2004. NCSAM is officially sanctioned by the Cybersecurity and Infrastructure Security Agency (CISA). The goal of NCSAM is to inform, educate, and engage individuals on topics that help keep them safe online.
Companies approach and implement various strategies in support of NCSAM. In almost all cases, companies use NCSAM as an opportunity to promote best practices for security hygiene.
This guide, updated for 2022, was created with the following goals.
Not every training discipline has its own month. There is no HIPAA Training Month, certainly not one formally approved and sanctioned by the highest levels of the United States Government. So why does security awareness have its own month?
The one thing people agree on, and the data supports this, is that human behavior and decisions are the leading cause of security incidents and data breaches. This is why security awareness matters, and why we have a National Cybersecurity Awareness Month.
However, there are several disturbing trends that make human risk the leading cause of security incidents and breaches.
End-users and employees need help making the right decisions and taking the right actions. This is why security awareness matters and why NCSAM is something to embrace and promote.
No matter how you choose to run your campaign for NCSAM, it is going to require resources. You will need…
With resources being used to plan and execute NCSAM, setting clear goals upfront is important. It will also help in getting buy-in from your leadership team (more on that below). Goals, while being highly specific to each company, should be quantifiable within some reasonable timeframe.
Below are several examples of goals for National Cybersecurity Awareness Month.
Each year, National Cybersecurity Awareness Month has a theme. There is both an overall theme for the month and 4 sub-themes, or specific topics, within the month.
Security awareness is a broad category. Content can be presented with different filters and perspectives. The NCSAM theme and sub-themes help drive consistency in messaging.
CISA encourages practitioners to create their own campaigns and messaging for NCSAM based on the themes and sub-themes for the year.
The overall theme for NCSAM 2022 is See Yourself in Cyber. The goal is to drive awareness of the role of individuals, or end users, in the overall cybersecurity landscape. To accomplish this, highly technical topics need to be distilled down into teachable moments that are actionable for users to defend themselves, their accounts, their devices, and their data.
Ideally, these teachable moments should help build a security mindset whether employees are in an office, working from home, or with their families.
Historically, there have been weekly themes for National Cybersecurity Awareness Month. This year, these sub-themes are topics that CISA wants companies to focus on. Below are the 4 sub-themes for this year. We’ve also provided sample training and engagement messages to go along with these themes.
Multi-factor authentication is one of the single most important steps users can take to secure their accounts. It’s also increasingly simple to implement using mobile devices and hardware keys. Employees should be using MFA on all of their accounts, not just company accounts.
⚡ Multi-factor authentication (MFA) is the simplest and most powerful way to secure your accounts.
You should use MFA on all of your accounts if they allow you to enable it. Your administrator may require the use of MFA with certain tools.
There are three types of MFA 1️⃣ 2️⃣ 3️⃣
👆The above list is ordered from least secure to most secure. However, using any form of MFA is better than using no form of MFA.
Passwords still play a huge role in cybersecurity. Unfortunately, weak passwords are still a common occurrence. Many users will reuse passwords across accounts, including personal and business accounts. These reused passwords show up in public data breaches.
Engaging users on the importance of strong passwords and strategies they can use to create strong passwords benefits both your employees and your company.
🤯 You have hundreds of online accounts. Almost all of them require a password. This is not just for work. It’s also your personal accounts.
🦹 The problem is, there’s a near 100% likelihood that some of your passwords will be, or likely already have been, in a breach. When these breaches happen, millions of account usernames and passwords are published online. Cybercriminals can use these breached passwords to launch attacks.
❓ What can you do? …☝️Use a password manager! With a password manager, you can…
1️⃣ Generate unique and random passwords for each of your accounts;
2️⃣ Store those unique passwords securely; and
3️⃣ Auto-fill those unique passwords across websites and apps.
👉 Use a password manager!
💭 Can you guess the most common passwords people use?
If you said “123456” or “password”, you’d be right ⭐
🦹‍♀️ When data breaches happen, passwords are often involved. Those passwords are then made available in databases on the dark web. Attackers use them for brute force attacks.
Analyzing close to 300 million real passwords that have been breached, the most common passwords are consistent over the years. There is a clear trend. Passwords often involve sequences of numbers and the word “password”.
Have you used any of these common forms of passwords? Most of us have. Using these common passwords makes an attacker’s job trivial.
🎗 Now that you know the common passwords, let’s buck the trend and not use easy-to-guess passwords.
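The observations above (the common-password list, runs of digits, and variations on the word "password") translate directly into a screening check an organisation can run when users choose a password, which gives users feedback at the moment a weak choice is made rather than after a breach. The following Python is an added example and is not code from the original guide or from Haekka; the short COMMON_PASSWORDS set and the 12-character MIN_LENGTH are constructed assumptions standing in for a full breached-password list and your own policy.

```python
import re
from typing import Optional

# Constructed stand-in for the top of a breached-password list; a real screen
# would load a much larger published list of leaked passwords.
COMMON_PASSWORDS = {
    "123456", "password", "123456789", "12345678", "12345", "qwerty",
    "111111", "1234567", "password1", "abc123",
}

# Assumed organisational policy: anything shorter than this is rejected.
MIN_LENGTH = 12

# Substitutions attackers already include in their wordlists, undone before
# looking for the word "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e"})


def normalize(pw: str) -> str:
    """Lower-case, drop trailing digits/punctuation, then undo leet substitutions."""
    core = re.sub(r"[\d\W_]+$", "", pw.lower())
    return core.translate(LEET)


def is_digit_sequence(pw: str) -> bool:
    """Detect runs such as 123456, 654321 or 000000 (four digits or more)."""
    if not pw.isdigit() or len(pw) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1}, {0})


def weak_password_reason(pw: str) -> Optional[str]:
    """Return why a password is easy to guess, or None if it passes the screen."""
    if pw in COMMON_PASSWORDS:
        return "in common-password list"
    if is_digit_sequence(pw):
        return "sequential or repeated digits"
    if "password" in normalize(pw):
        return "based on the word 'password'"
    if len(pw) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None


def screen(passwords):
    """Map each candidate to its rejection reason (None means acceptable)."""
    return {pw: weak_password_reason(pw) for pw in passwords}


if __name__ == "__main__":
    # Constructed candidates covering each rule plus one acceptable passphrase.
    SAMPLE = ["123456", "7654321", "P@ssw0rd2022!", "summer2022",
              "correct-horse-battery-staple"]
    for pw, reason in screen(SAMPLE).items():
        print(f"{pw!r:32} -> {reason or 'ok'}")
```

The check deliberately looks at the raw string for the list and digit-sequence rules, and only at the normalized form for the "password" rule, so that "P@ssw0rd2022!" is caught even though it would pass a naive complexity requirement.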
Phishing is still the most common form of attack against users. The goal of this sub-theme is to help instill a security mindset so employees remain vigilant about messages containing links, typos, strange email addresses, and attachments.
When users suspect phishing messages, they should report those messages to reduce the risk of attacks against other people.
🎣 Phishing is when cyber attackers send fake emails to trick users into taking some type of action. Phishing is usually done through email.
🐟 🔗 The most common type of phishing attack is sending a fake link in an email. That link takes a user to a fake website and asks the user to enter their information such as username and password.
Email software detects most phishing attacks but some will end up in your email inbox. You should be careful with any links you get in an email. Here are a few tips to spot a phishing attempt:
1️⃣ Hover over the link and inspect the entire URL.
2️⃣ Look at the entire email address of the sender.
3️⃣ Think about the context of the email (is a link what you expected to receive?).
4️⃣ Look for grammatical and spelling errors.
🔗 Links to fake websites are a super common way to scam you. Fake links can come in email, text, social networks, forums, or anywhere else text can be seen or sent.
🤯 It can be challenging to tell if a link is a scam or not. Attackers get creative and use domain names that look a lot like real domains but with minor misspellings or modifications.
When you get a link, even from somebody you know, you should slow down and hover over the link before you click it.
🕴️Hovering will show you the entire link, even if the link is in an image or a button. Take a few seconds to look at the link, including the end of it (.com vs .co, etc.).
🐢 Take your time. If in doubt, do not click the link.
💬 Have you received fake messages via text?
You likely have, as this form of attack has grown increasingly popular. Look out for strange and random text messages from companies, such as billing problems with Netflix or awards from AT&T.
The same rules apply to text messaging scams, called smishing, as other scams like email:
1️⃣ Look at where the message is coming from (even though it’s text, it may be a domain).
2️⃣ Check any links to see where they go (do not click on them).
3️⃣ Check the grammar and spelling.
4️⃣ Is it urgent or playing to human psychology (like fear)?
5️⃣ Do not open attachments as it’s incredibly unlikely a company would text you a file.
👉 These smishing attacks are often easier to detect but the risk from them is the same as with traditional phishing attacks.
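The phishing and smishing rules above (hover and inspect the entire URL, compare what the link text shows with where it really goes, and look at the end of the domain such as .com versus .co) can be made concrete in code, which is useful when building training material or a simple mail-gateway check. The following Python is an added example and is not code from the original guide or from Haekka; the TRUSTED_DOMAINS set and SAMPLE_EMAIL are constructed assumptions, and registrable_domain() is a deliberate simplification that takes the last two labels of a host instead of consulting the Public Suffix List. inspect_url() also accepts a bare link with no display text, so the same lookalike and scheme checks apply to a link received in a text message.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed: domains the organisation expects legitimate messages to link to.
TRUSTED_DOMAINS = {"example.com", "netflix.com"}

# Constructed sample message in the style of the billing-problem lure above.
SAMPLE_EMAIL = """
<p>Your account has a billing problem. Update your payment details now.</p>
<a href="http://netflix.co/billing">https://www.netflix.com/account</a>
<a href="https://examp1e.com/login">Sign in to Example</a>
<a href="https://www.example.com/policy">Read the policy</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: what hovering reveals vs what is shown."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Simplification: last two labels (real code would use the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def within_one_edit(a, b):
    """True if a becomes b with one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def lookalike_of(domain, trusted):
    """Trusted domain this one imitates: same name with another TLD, or one edit away."""
    name, _, tld = domain.rpartition(".")
    for t in sorted(trusted):
        tname, _, ttld = t.rpartition(".")
        if name == tname and tld != ttld:
            return t
        if within_one_edit(name, tname):
            return t
    return None


def text_host(text):
    """Host named in the visible anchor text, if that text looks like a URL or domain."""
    candidate = text if re.match(r"^https?://", text, re.I) else "https://" + text
    try:
        host = urlsplit(candidate).hostname or ""
    except ValueError:
        return None
    return host if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", host) else None


def inspect_url(href, text="", trusted=TRUSTED_DOMAINS):
    """Apply the hover-and-inspect rules to one link (email anchor or bare SMS link)."""
    parts = urlsplit(href)
    target = registrable_domain(parts.hostname or "")
    flags = []
    shown = text_host(text) if text else None
    if shown and registrable_domain(shown) != target:
        flags.append(f"visible text says {registrable_domain(shown)} but link goes to {target}")
    if target not in trusted:
        mimic = lookalike_of(target, trusted)
        if mimic:
            flags.append(f"{target} looks like {mimic}")
    if parts.scheme.lower() != "https":
        flags.append("not https")
    return {"href": href, "text": text, "target": target, "flags": flags}


def inspect_links(html, trusted=TRUSTED_DOMAINS):
    """Run inspect_url over every anchor in an HTML message body."""
    collector = LinkCollector()
    collector.feed(html)
    return [inspect_url(href, text, trusted) for href, text in collector.links]


if __name__ == "__main__":
    for finding in inspect_links(SAMPLE_EMAIL):
        print(finding["href"], "->", "; ".join(finding["flags"]) or "no warning signs")
```

The first sample link is exactly the case the tips describe: the visible text names netflix.com, the real target is netflix.co, and the scheme is plain http, so it collects three warning flags while the genuine example.com link collects none.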
Keeping device software and app software up to date is a good way to stay ahead of cyber attackers. Many cyber attacks use known vulnerabilities in outdated software to gain unauthorized access to machines and software services. These software vulnerabilities can exist on smartphones, computers, or IoT devices.
Software updates are not just for new features and emoji packs 😮‍💨
👉 When vulnerabilities are discovered, software vendors write updates to fix them. You should install official software updates because they often fix vulnerabilities.
This applies to ALL of your devices:
On your phone and computer, you have options to be notified of software updates or to have software updates installed automatically (typically overnight).
Most people haven’t heard of National Cybersecurity Awareness Month. They do not have any background or context for it. As such, getting buy-in both from company leadership as well as from employees is essential if you want to have a successful National Cybersecurity Awareness Month.
Buy-in from leadership is one of the key factors to having a successful NCSAM. Ideally, leadership would not just sanction the activities of NCSAM but somehow participate or lend weight to the activities.
Employees are busy, and often can’t fully appreciate the important role they play in the security of company systems and data without continuous reminders of the fact. That’s why this year’s NCSAM theme — see yourself in cyber — is such a powerful message.
If your employees are going to be getting messages throughout the month, you want to introduce them to NCSAM upfront so they understand the goals.
October is National Cybersecurity Awareness Month, or NCSAM. NCSAM is a US Government sanctioned initiative that has been in existence since 2004. The goal of NCSAM is to deliver messages to help you protect the security of your accounts and the privacy of your data.
Throughout the month, you will receive regular messages focused on your role in cybersecurity, both at work and at home. If you have any questions or concerns, please reach out to your manager or our security awareness team.
We covered goal setting above. Goals for NCSAM vary by company. The data required to assess and report on those goals also varies. We gave three example goals, and the corresponding data required to assess them, in the above section. This is by no means an exhaustive list of goals for NCSAM, but it is a good starting point.
Here are the most important things to remember when setting goals for NCSAM:
Closing the loop on reporting and the outcomes of NCSAM is something that should be done pretty soon after NCSAM ends, usually by mid-November. One thing we see is that the results of NCSAM are often only shared with leadership and not with all employees. Since NCSAM is company-wide and touches all employees, being transparent about the outcomes will:
We’ve crafted a complete campaign for NCSAM. This campaign provides messages for the NCSAM theme and sub-themes, along with tailored engagement and educational messages. We encourage you to use this as is or customize for your company; if you’re interested in subscribing to all of this content in Slack, we offer this complete campaign as an NCSAM Stream.
We provide admins and managers with resources to drive new initiatives and ensure alignment with overarching goals for NCSAM.
The focus is on why MFA is important and how easy it is to do across all of your services.
The focus is on what a strong password is and how password managers help ensure you create and use strong passwords.
The focus is on updating software to patch vulnerabilities and how to enable updates.
The focus is on the scale of phishing and basic rules that work no matter the phishing attack.
This is just a recap, a thank you to participants, and a reminder that cybersecurity matters all year and not just during NCSAM.
Want to give Haekka a try? We’ll ensure you have what you need for a successful NCSAM: talking points, fully customizable thematic messages in Slack, and measurement and reporting of outcomes and engagement. Schedule a demo today.