“Stay Safe Online” is the call of this year’s National Cybersecurity Awareness Month (NCSAM). For most of us in the security industry, that’s a no-brainer.
But do our online security obligations extend only to ourselves? Here’s how a broader view might make us think differently about “entry-level security awareness” this year, and how improving even the most basic cyber skillsets could be a genius move in business-centric cyber strategy.
We Do This Every Year: Why It Still Matters
Attackers go for the weakest links. Sometimes, simple scams are hidden in plain sight. This is why the cybersecurity skills of the digital “least of us” matter.
Attackers Still Love Low-Level Attacks
As CISOs take on a more business-centric role, reporting directly to the board and CEO in many cases, they need to understand where attackers are getting in. All too often, that is via low-level attacks like phishing, BEC scams, password cracking, and other “basic” exploits.
Protecting the front lines means focusing on the sophisticated while still doubling down on the basics, because attackers are never going to let up on what works.
Everyday Users Handle Today’s Business Data
Everyday users are getting targeted. Everyday users are doing sloppy things like slipping confidential company data into AI models, unknown to their bosses. Everyday users are creating weak passwords, clicking on bad emails, and putting credentials into fake sites.
All this puts data at risk. That data directly feeds the AI models that drive business-critical decisions, and the more businesses rely on AI and automated tools, the more those data-handling practices have to be above board.
We know what to do to Stay Safe Online, but do they?
Stay Safe Online 2025: The Core 4
The big picture of Cybersecurity Awareness Month is simplicity. That means making essential cybersecurity practices simple for users to understand and simple for them to do.
That’s why they came up with the Core 4. These are four small ways users can make a big difference in their online safety in just four weeks.
It’s not just about users; in the age of remote work, BYODs, and hybrid environments, a safer user means a stronger line of defense standing between attackers and company data.
The Core 4 in Four Weeks
Week 1: Use Strong Passwords and a Password Manager
Analysis of 19 billion leaked passwords determined their strength to be severely lacking. Research by Cybernews found the use of ‘123456’ to still be prevalent, while 94% of passwords are reused. Only 6% of passwords were determined to be ‘unique’.
Users with weak passwords make things far easier than they need to be for attackers just looking for easy opportunities. Often, one uncrackable credential is enough to make threat actors move on to someone else’s account. That’s why “everyday” users need to know how important this step is, and how easy it can be—especially with password managers that can create secure, randomized passwords on your behalf.
“For a long time, I was anti-password manager – they were expensive or tedious. These days, I rely on my phone, and it makes a fantastic password manager. Utilize the great, free password manager built into your Apple or Android device.” - Tyler Reguly, Associate Director, Security R&D
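The three problems the statistics above point at (passwords that already appear in leaks, passwords reused across accounts, and passwords too short or predictable to resist guessing) are exactly what a password manager sidesteps by generating a random string per site. The following Python is an added example, not code from the article or from any product it mentions: it generates a password the way a manager does (from the OS random source via `secrets`) and runs a candidate through those three checks. The `KNOWN_LEAKED` set and the `already_used` set are constructed samples for illustration; a real check would consult a breach corpus. The 75-bit threshold is an assumed policy value.

```python
import math
import secrets
import string

# Constructed sample of passwords that show up in breach dumps; illustrative
# values only, not taken from any real dataset.
KNOWN_LEAKED = {"123456", "password", "qwerty", "123456789", "letmein"}

# Character pool a password manager typically draws from.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Generate a random password the way a password manager does.

    `secrets` draws from the OS CSPRNG; the `random` module would be the
    wrong tool for anything security-relevant.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def estimate_entropy_bits(password: str) -> float:
    """Rough strength estimate: length times log2 of the character pool
    implied by the classes actually present. For a human-chosen password
    this is an upper bound; real guessing attacks use dictionaries and
    patterns, which is why the leak and reuse checks matter more."""
    pool = 0
    if any(c.islower() for c in password):
        pool += len(string.ascii_lowercase)
    if any(c.isupper() for c in password):
        pool += len(string.ascii_uppercase)
    if any(c.isdigit() for c in password):
        pool += len(string.digits)
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def assess_password(password: str, already_used: set, min_bits: float = 75.0) -> dict:
    """Run the three checks: known leak, reuse, and enough randomness.
    `min_bits` is an assumed policy threshold, not a value from the article."""
    leaked = password in KNOWN_LEAKED
    reused = password in already_used
    bits = round(estimate_entropy_bits(password), 1)
    return {
        "leaked": leaked,
        "reused": reused,
        "entropy_bits": bits,
        "acceptable": not leaked and not reused and bits >= min_bits,
    }


if __name__ == "__main__":
    # Constructed example of one user's existing passwords.
    mine = {"Summer2024!"}
    print(assess_password("123456", mine))       # leaked and weak
    print(assess_password("Summer2024!", mine))  # reused
    fresh = generate_password()
    print(fresh, assess_password(fresh, mine))   # acceptable
```

Run it as a script to see the three outcomes side by side. The generated password passes without any effort from the user, which is the whole argument for letting the manager do the work.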
Week 2: Turn on Multi-factor Authentication (MFA)
Valid accounts were the most exploited path to compromise in the first half of 2025, with a staggering 98% success rate. If users are protecting their accounts with credentials alone, today’s password cracking and initial access brokers will soon win out.
When attackers infiltrate a personal workstation, it’s not too many lateral moves later before they can pivot onto a company network.
“Enable multi-factor authentication for your email, bank, and cloud storage. That single step blocks most break-ins because a stolen password alone isn’t enough. It only takes a minute and can save you weeks or even months of cleanup.” - Josh Taylor, Lead Security Analyst
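To make concrete why "a stolen password alone isn't enough", here is an added Python example (not code from the article or from any vendor it quotes) that implements the common app-based second factor, a time-based one-time password per RFC 6238 (HOTP per RFC 4226 underneath, HMAC-SHA1, 30-second steps, six digits), and a login check that only succeeds when both the password and a current code are right. The user record, the password "correct horse battery staple" and the one-step drift window are constructed assumptions for the demo; PBKDF2 is used for the password hash simply because it is in the standard library.

```python
import hashlib
import hmac
import secrets
import struct
import time

TOTP_STEP = 30      # seconds per code, the RFC 6238 default
TOTP_DIGITS = 6


def hotp(key: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = TOTP_STEP) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time step."""
    return hotp(key, at // step)


def hash_password(password: str, salt: bytes) -> bytes:
    # The server stores a salted hash, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_user(password: str) -> dict:
    """Enrol a user: salted password hash plus a random 160-bit TOTP secret
    (the secret is what the authenticator app receives via the QR code)."""
    salt = secrets.token_bytes(16)
    return {"salt": salt,
            "pw_hash": hash_password(password, salt),
            "totp_key": secrets.token_bytes(20)}


def verify_login(user: dict, password: str, code: str, now: int) -> bool:
    """Accept only when the password AND a current code both check out.
    Codes one step either side of `now` are accepted to tolerate clock drift
    (assumed policy). Constant-time comparisons avoid leaking partial matches."""
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    if not code:
        return False                                # password alone: rejected
    code_ok = any(
        hmac.compare_digest(totp(user["totp_key"], now + d * TOTP_STEP), code)
        for d in (-1, 0, 1)
    )
    return pw_ok and code_ok


if __name__ == "__main__":
    # Constructed user and password; no real credentials.
    alice = make_user("correct horse battery staple")
    now = int(time.time())
    stolen_pw = "correct horse battery staple"
    print(verify_login(alice, stolen_pw, "", now))                          # False
    print(verify_login(alice, "wrong password", totp(alice["totp_key"], now), now))  # False
    print(verify_login(alice, stolen_pw, totp(alice["totp_key"], now), now))         # True
```

The first `hotp` check in the test uses the RFC 4226 published test vector (ASCII key "12345678901234567890", counter 1 gives 287082), so you can confirm the arithmetic matches what real authenticator apps compute. The design point for the Week 2 message is the `if not code` branch: the attacker who bought Alice's password from an initial access broker stops right there.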
Week 3: Recognize and Report Scams
The 2025 Oh, Behave! report notes that while 66% feel confident in their ability to recognize phishing scams, only 45% take the initiative to report them.
Both of these numbers can be improved with the right security awareness solutions and the right know-how.
First, there’s detecting the scams.
“Ask yourself, am I expecting this email or text? Is this email asking me to provide sensitive information? Is this text message asking me to pay a bill I don't remember incurring?” - Zach Travis, Manager, Cybersecurity Operations
Then, there’s reporting them for the good of your coworkers and company (maybe even your job). The process isn’t hard.
“When I was a kid, we learned, ‘STOP, DROP, and ROLL’ for dealing with fire. Today, I want you to remember, ‘STOP, THINK, and REACT’... [W]hen you see something, say something – forward those messages to your IT team so that they can keep the rest of the company safe.” - Tyler Reguly
Week 4: Update Your Software
Outdated software means unpatched vulnerabilities. Today, it still takes security teams an average of 102 days to patch a critical vulnerability - and that’s security teams. And yet, the mean-time-to-exploit for threat actors has dropped from 32 days to only five.
Imagine how small a chance an average user would stand against attackers that move that fast.
Encouraging users to consistently run on updated software (apps, SaaS, cloud services, etc.) reduces the chances of them getting hit with a vulnerability-based attack. Again, it’s not so much about being totally impervious; it’s just making their systems harder to attack than the next person’s. When time is money – like it often is for attackers – that makes a big difference.
“Software developers are always building the latest and greatest software, and hackers are always looking for ways to exploit it... Skipping an update is just inviting the possibility of an attacker getting a hold of your sensitive data.” - Zach Travis
The Business Imperative of Cybersecurity Awareness Month
These days, attackers are shooting low as much as high.
One in five data breaches arises from credential theft.
Nearly 60% of cyberattacks are attributable to unpatched vulnerabilities.
64% of organizations faced a BEC attack in 2024 – these qualify as phishing and should be reported.
Now, AI has made it even easier for anyone to launch basic attacks. These attacks target basic users, reach us through our friends on social media, and infiltrate our networks in ways we least expect.
That is why practitioners must take an interest in raising the level of cybersecurity awareness for everyone.
Don’t let unsafe user practices jeopardize your bottom line.
Do a quick, company-wide upskill with this year’s four essential tips.