It's October, which means it's Cybersecurity Awareness Month. LinkedIn fills with security tips. Vendors send webinar invitations. Companies briefly remember that security exists.
But does any of it actually make organisations more secure?
Let's make this October different.
The Problem with Awareness Months
'Awareness' is not the same as 'behaviour change.' Your staff are probably already aware that:
- Phishing exists
- Passwords should be strong
- They shouldn't click suspicious links
The issue isn't awareness. It's that knowing something and doing something are different. People know they should exercise. They don't.
October campaigns that focus on 'raising awareness' miss the point. What we need is practical action.
The October Action Plan
Instead of awareness activities, try these:
Week 1: Test your defences
Run a phishing simulation. Not to catch people out, but to measure your actual exposure. What percentage of staff click? What percentage report the email, and how long after delivery does the first report arrive? The report rate matters more than the click rate: someone will always click, and an early report is what gives your security team the chance to contain it.
This gives you real data, not assumptions.
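The metrics above are easy to get wrong when you read them straight off a tool's dashboard: a user who clicks twice must count once, a user who clicks and then reports counts in both columns, and "minutes to first report" is only meaningful relative to the send time. The following is an added example, not code from the original post or from any simulation product; the event format (user, event type, ISO timestamp) and the sample records are constructed assumptions, so adapt the loader to whatever your tool exports.

```python
"""Summarise a phishing-simulation event log into the metrics that matter.

Added example, not part of the original post. The input format is an
assumption: one record per event as (user, event_type, ISO timestamp), where
event_type is one of delivered / clicked / submitted_credentials / reported.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample export for five recipients. Not real data.
SAMPLE_EVENTS = [
    ("alice", "delivered", "2025-10-06T09:00:00"),
    ("bob",   "delivered", "2025-10-06T09:00:00"),
    ("carol", "delivered", "2025-10-06T09:00:00"),
    ("dave",  "delivered", "2025-10-06T09:00:00"),
    ("erin",  "delivered", "2025-10-06T09:00:00"),
    ("alice", "reported", "2025-10-06T09:04:00"),   # reported without clicking
    ("bob",   "clicked",  "2025-10-06T09:07:00"),
    ("bob",   "clicked",  "2025-10-06T09:08:00"),   # second click, same user: count once
    ("bob",   "submitted_credentials", "2025-10-06T09:09:00"),
    ("carol", "clicked",  "2025-10-06T09:15:00"),
    ("carol", "reported", "2025-10-06T09:16:00"),   # clicked, then reported: counts in both
    ("dave",  "reported", "2025-10-06T09:30:00"),
    # erin: delivered, took no action at all
]


def first_event_per_user(events):
    """Collapse the log to {user: {event_type: earliest_timestamp}}.

    Keeping only the earliest timestamp per (user, event_type) is what makes
    repeat clicks count once and lets us order 'reported' against 'clicked'.
    """
    first = defaultdict(dict)
    for user, kind, ts in events:
        t = datetime.fromisoformat(ts)
        if kind not in first[user] or t < first[user][kind]:
            first[user][kind] = t
    return first


def summarise(events):
    """Return click rate, report rate and the numbers a security team acts on."""
    first = first_event_per_user(events)
    delivered = {u for u, ev in first.items() if "delivered" in ev}
    n = len(delivered)
    if n == 0:
        return {"delivered": 0, "click_rate": 0.0, "report_rate": 0.0,
                "credential_rate": 0.0, "reported_before_click": 0,
                "minutes_to_first_report": None, "clicked_and_not_reported": []}

    clicked = {u for u in delivered if "clicked" in first[u]}
    reported = {u for u in delivered if "reported" in first[u]}
    submitted = {u for u in delivered if "submitted_credentials" in first[u]}

    # Best case: the report arrived before the user clicked anything.
    reported_before_click = {
        u for u in reported
        if u not in clicked or first[u]["reported"] < first[u]["clicked"]
    }

    send_time = min(first[u]["delivered"] for u in delivered)
    first_report = min((first[u]["reported"] for u in reported), default=None)
    minutes = ((first_report - send_time).total_seconds() / 60
               if first_report is not None else None)

    pct = lambda k: round(100.0 * k / n, 1)
    return {
        "delivered": n,
        "click_rate": pct(len(clicked)),
        "report_rate": pct(len(reported)),
        "credential_rate": pct(len(submitted)),
        "reported_before_click": len(reported_before_click),
        "minutes_to_first_report": minutes,
        # The people to follow up with: clicked and never told anyone.
        "clicked_and_not_reported": sorted(clicked - reported),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_EVENTS).items():
        print(f"{key:>26}: {value}")
```

On the sample data this gives a 40% click rate, a 60% report rate, one credential submission, and a first report four minutes after delivery. The last field is the one to act on: users who clicked and did not report are the ones who need the Week 3 "what to do if you think you've clicked something bad" training, not a reprimand.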
Week 2: Close one significant gap
Pick the biggest security gap you have and fix it:
- MFA not enabled? Enable it this week, starting with email, remote access and admin accounts
- Backups not tested? Restore something from them this week and time how long it takes
- Windows 10 still running? Finish the migration (it has been out of support since October 2025)
- Admin passwords shared? Give each admin their own account and rotate the shared credentials
One real fix beats a month of awareness posters.
Week 3: Train on something specific
Not 'security awareness training' - that's too vague. Train on one specific threat:
- How to spot invoice fraud emails
- What to do if you think you've clicked something bad
- How to verify unusual requests from 'managers'
Practical, actionable, memorable.
Week 4: Plan for the year ahead
October shouldn't be a one-off. Use the end of the month to schedule:
- Monthly phishing simulations
- Quarterly security reviews
- Ongoing training touchpoints
Make security continuous, not annual.
What Good Looks Like
Companies that get security right don't rely on awareness months. They build security into their culture:
Make it easy to report. One-click buttons to report suspicious emails. No blame for false positives. Praise for good catches.
Make the right thing the default. MFA enabled everywhere. Updates automatic. Secure options are the easy options.
Lead from the top. When the CEO visibly follows security practices, everyone else takes it seriously.
Measure and improve. Track phishing click rates. Track incident response times. Set goals and work toward them.
The Uncomfortable Truth
Most October 'awareness' activities are performative. They look good, tick compliance boxes, and change nothing.
Real security improvement requires:
- Technical controls (so a single mistake can't become a breach)
- Process changes (so the right thing is the easy thing)
- Cultural shifts (so security is everyone's job)
- Continuous effort (not once-a-year events)
None of that fits neatly into an awareness month. But it's what actually works.
Your October Checklist
| Week | Action | Owner | Done |
|---|---|---|---|
| 1 | Run phishing simulation | | |
| 2 | Fix biggest security gap | | |
| 3 | Deliver specific training | | |
| 4 | Schedule ongoing activities | | |
Getting Help
We can help with all of this:
- Phishing simulations with real-time feedback
- Security gap assessments and remediation
- Training that actually changes behaviour
- Ongoing security programmes
Make this October the start of something that lasts all year.