October is Cybersecurity Awareness Month 2025—and this year’s theme, “Stay Safe Online,” focuses on four simple actions anyone can take: use strong passwords with a manager, turn on multi-factor authentication (MFA), recognize and report scams, and keep software up to date.
Why now? Roughly 60% of breaches involve the human element, and attackers increasingly rely on ransomware (44% of breaches) and third-party pathways (30%). The good news: small routine changes dramatically reduce risk.
Habit 1 — Communication
Make the Core 4 Routine
Cybersecurity isn’t just an IT issue—it’s a communication issue. Employees need to hear about security in everyday conversations, not just during annual training. Start by reinforcing the Core 4 actions promoted during Cybersecurity Awareness Month 2025:
- Use strong, unique passwords and store them in a password manager.
- Enable MFA (multi‑factor authentication) on every account that supports it.
- Recognize and report scams—especially phishing emails and suspicious links.
- Update software promptly to close known vulnerabilities.
Practical tip: Add a 60‑second “security spotlight” to team meetings. Share real‑world examples of phishing attempts or recent industry scams so employees stay alert.
Train Against AI‑Boosted Scams
Attackers are using AI to make scams more convincing than ever. Deepfake voice calls can mimic executives, and QR code phishing (“quishing”) is on the rise because it bypasses traditional email filters.
- Teach employees to verify unusual requests through a second channel (e.g., call the person back on a known number).
- Encourage skepticism of QR codes in emails or on printed materials unless they come from a trusted source.
- Run simulated phishing campaigns that include AI‑generated content so staff can practice spotting subtle red flags.
Habit 2 — Compliance
Align with the NIST CSF 2.0
Compliance is more than checking boxes—it’s about building trust and resilience. The updated NIST Cybersecurity Framework 2.0 introduced a sixth core function: Govern. This emphasizes leadership accountability and risk management across the organization.
- Document roles and responsibilities for cybersecurity at every level.
- Require vendors to meet minimum security standards, including MFA and data handling policies.
- Keep evidence of training, patching, and incident response drills for audits and insurance requirements.
- AI adds another layer: regulators are watching how businesses govern AI use. If your team uses AI tools, include data privacy and model security in your compliance program.
Habit 3 — Continuity
3‑2‑1 Backups + Monthly Restore Tests
Ransomware remains a top threat, appearing in 44% of breaches. Most victims don’t pay (64%), which means recovery depends on preparation.
- Follow the 3‑2‑1 rule: three copies of your data, on two different media, with one copy off‑site and offline.
- Test your backups monthly by restoring at least one critical file.
- Create a ransomware playbook that includes communication steps, legal contacts, and customer notification templates.
- AI‑driven attacks can now automate vulnerability scanning and exploit chains, reducing the time between discovery and compromise. That makes timely patching and tested recovery plans more critical than ever.
Habit 4 — Culture
Leadership Owns Risk
Security culture starts at the top. When leaders model good habits—like using MFA and reporting suspicious emails—employees follow suit.
- Recognize employees who report phishing attempts to reinforce positive behavior.
- Share success stories: “Because someone reported this email, we avoided a breach.”
- Use resources from CISA’s Secure Our World and the National Cybersecurity Alliance to keep messaging fresh and credible.
- AI also affects culture: employees need to understand both the benefits and risks of AI tools. Give clear guidelines on what data employees can and cannot enter into AI systems to prevent accidental leaks.
AI in Cybersecurity (2025 Snapshot)
How attackers use AI now
- Smarter phishing at scale: Criminals use AI to write convincing emails and chats that sound like they’re from your team or vendors. Recent studies suggest that about 1 in 6 breaches now involve AI, often to power phishing or fake media.
- Fake boss/vendor voices and videos: AI can clone a leader’s or vendor’s voice to rush you into changing a payment. Always call back using a number you already know or use a shared passphrase before moving money.
- Trick logins and QR code traps: AI helps build realistic fake sign-in pages and QR code lures (“quishing”) that send people to look-alike websites. Teach staff to check links and domains carefully—and to avoid scanning QR codes from emails they weren’t expecting.
- Faster break-ins: AI speeds up the “find a weakness, press the advantage” cycle, so slight mistakes can lead to bigger problems more quickly.
How defenders should use AI
- As AI use grows, set clear house rules and basic protections. Recent research shows many organizations still lack these guardrails.
- Write and share an AI use policy: Which tools are approved, what data can and can’t be used, and what’s off limits.
- Control access to AI tools: Use single sign-on, MFA, role-based access, and logging so you know who did what.
- Reduce “shadow AI”: Find and limit unapproved AI tools and browser extensions; review usage regularly.
- Protect what people type and get back: Treat AI prompts and outputs that include customer or employee details like any other sensitive data.
- Practice AI-specific incidents: Add scenarios like fake voice payment fraud or sensitive data leaks to your incident response plan.
Tip: You can fold these guardrails into your existing security program using the NIST CSF 2.0 “Govern” function, so it becomes part of normal risk management—not a side project.
AI governance & shadow AI controls
As AI adoption speeds up, governance is critical. Recent studies show a large oversight gap—63% of organizations lack AI governance policies, and 97% of those with AI-related incidents lacked proper access controls. Unsanctioned tools increased breach costs. Fold AI risk into the NIST CSF 2.0 “Govern” function and:
- Publish a policy that specifies the acceptable use of AI systems and data, listing approved tools, permissible data, and banned activities.
- Enforce access controls for AI apps and models (SSO/MFA, role-based access, secrets vaults, and logging).
- Detect and curb shadow AI (browser extensions, unsanctioned SaaS) with CASB/SSPM controls and periodic audits.
- Protect sensitive prompts and outputs—treat prompt logs with the same care as customer or employee data.
- Add AI-specific scenarios to incident response: model tampering, prompt injection, data leakage, and deepfake-enabled fraud.
A 30‑day AI Security Sprint (practical plan)
Week 1—See what you’re using
Make a quick list of AI tools, browser add‑ons, and any in‑house models. Note where sensitive data could flow. Turn on SSO and MFA for approved tools. Block anything risky or unknown.
Week 2—Set the rules
Publish a plain‑language AI policy. Post an “approved tools” list and a simple request form for exceptions.
Week 3—Add basic protections
Turn on logging and reasonable retention for AI tools. Limit uploads of sensitive data. Brief finance and HR on fake‑voice and payment‑fraud playbooks and how to verify urgent requests.
Week 4—Practice and review
Run a quick AI‑themed phishing/deepfake drill. Update your incident response plan with AI scenarios. Review a few metrics: MFA coverage, number of blocked unapproved tools, and phishing report rate.
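As an added example (not code from the original article), the following Python script illustrates the shadow AI discovery described under “AI governance & shadow AI controls” and in Week 1 of the sprint, and produces the Week 4 “unapproved tools” count: it runs over a constructed sample of proxy log lines and a hypothetical inventory of approved and known-but-unsanctioned AI domains, reporting which unapproved tools are in use, by whom, and any large uploads to them. The domain names, log rows and upload threshold are all constructed assumptions.

```python
import csv
import io
from urllib.parse import urlparse

# Constructed sample proxy log (not real traffic): user, HTTP method, URL, bytes sent.
PROXY_LOG = """\
user,method,url,bytes_out
alice,POST,https://assistant.approved-ai.example/v1/chat,2048
bob,POST,https://chat.unknown-ai.example/api/prompt,51200
bob,GET,https://news.example/,512
carol,POST,https://extension.ai-helper.example/upload,1048576
dave,POST,https://chat.unknown-ai.example/api/prompt,4096
alice,GET,https://docs.approved-ai.example/,1024
"""

# Hypothetical inventory from the Week 1 tool list: sanctioned AI services, and
# AI services known to exist but not approved for company data ("shadow AI").
APPROVED_AI = {"approved-ai.example"}
KNOWN_AI = {"unknown-ai.example", "ai-helper.example"}

def registered_domain(url):
    # Collapse a URL to its last two host labels; sufficient for this sample data.
    host = urlparse(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def classify(url):
    # Label a destination as approved AI, shadow AI, or not an AI tool at all.
    domain = registered_domain(url)
    return ("approved" if domain in APPROVED_AI
            else "shadow" if domain in KNOWN_AI else "other")

def shadow_ai_report(log_text, upload_threshold=100_000):
    # Summarise shadow AI use: tools, who used them, and large uploads to them.
    # upload_threshold (bytes) is an assumed cut-off for POSTs that may carry bulk data.
    shadow_users = {}    # domain -> set of users seen talking to it
    large_uploads = []   # (user, domain, bytes) for POSTs over the threshold
    for row in csv.DictReader(io.StringIO(log_text)):
        if classify(row["url"]) != "shadow":
            continue
        domain = registered_domain(row["url"])
        shadow_users.setdefault(domain, set()).add(row["user"])
        sent = int(row["bytes_out"])
        if row["method"] == "POST" and sent >= upload_threshold:
            large_uploads.append((row["user"], domain, sent))
    return {
        "unapproved_tools": sorted(shadow_users),  # Week 4 metric: tools to block
        "users_by_tool": {d: sorted(u) for d, u in shadow_users.items()},
        "large_uploads": large_uploads,
    }
```

Feed it a real proxy or CASB export with the same four columns and swap in your own inventory; the large-upload list is where to start the Week 3 conversation about limiting sensitive data uploads.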
Quick SMB Checklist
- Turn on MFA everywhere; require a password manager + unique passphrases.
- Patch cadence: critical vulnerabilities within 7–14 days; verify with vulnerability scans.
- Immutable, off-network backups + restore test monthly.
- Vendor: minimum security questionnaire + MFA + offboarding checks.
- Phishing drill quarterly; “report-a-phish” one-click button.
Cybersecurity Awareness Month 2025 FAQs
What is Cybersecurity Awareness Month’s theme in 2025?
“Stay Safe Online,” centered on four simple actions: strong passwords + manager, MFA, recognize/report scams, and software updates.
What percentage of breaches involves the human element?
Roughly 60%, underscoring the value of training and simple controls like MFA.
What’s the average cost of a breach in 2025?
$4.44M globally and $10.22M in the U.S., on average.
Which attack types are most common for SMBs right now?
Credential abuse (~22%) and exploited vulnerabilities (~20%), with ransomware present in 44% of breaches.
What is quishing?
Quishing is phishing via QR codes, often embedded in emails or posters to trick users into visiting malicious sites.
Ready to Strengthen Your Cybersecurity Strategy?
Don’t wait for a breach to test your defenses. Schedule a free 15‑minute discovery call with our expert team and learn how to:
- Close the gaps in MFA and password security
- Align with industry-specific regulations
- Build a culture of security across your organization