Cybersecurity Awareness Month 2023: Employees and their devices are still at the center of a security strategy

Today’s columnist, Max Shier of Optiv, says companies should make awareness training the center of their secure device strategy. (Stock Photo, Getty Images)
On the 20th anniversary of Cybersecurity Awareness Month (CSAM), the best way to defend against cyberattacks, two decades on, still remains employee awareness and training. In fact, the Cybersecurity & Infrastructure Security Agency (CISA) found that 90% of all cyberattacks begin with phishing. Even employees with the best of intentions can inadvertently fall for phishing and social engineering attacks, giving cybercriminals a gateway into corporate networks where they can then execute more advanced attacks, such as ransomware, or move laterally to steal information or inflict widescale damage.

If phishing success rates weren’t already bad enough, today, innovative technologies, such as generative AI, are making it nearly impossible to distinguish between a legitimate and a fraudulent email — or video, voicemail or text message, for that matter. Cybercriminals are upping their game with sophisticated tactics, and this means organizations need to double down on awareness and training initiatives that keep employees and their business safe.

Vigilance: Even though AI makes phishing emails harder to detect, employees still should know the traditional tell-tale signs that indicate an email may be fake, including spelling errors, suspicious attachments or links, and tones of misplaced urgency. Additionally, encourage them to slow down when reading emails to make sure they can spot these red flags.

Password hygiene: Make passwords long and complex, with a minimum of 12 characters that include lowercase and uppercase letters, numbers and special symbols. Employees should update them regularly and avoid reusing passwords across accounts.

Multi-factor authentication (MFA): Build on strong passwords with MFA, which requires users to present at least two pieces of evidence to prove their identity. This makes it much harder for cybercriminals to gain unauthorized access to accounts even if they do compromise a password.

Social media savvy: Cybercriminals use publicly available information in phishing and other social engineering schemes. Employees who limit their digital footprint will avoid being an easy target. For example, they should avoid “checking into” locations and tagging or sharing photos, keep profile information to a minimum, and, when traveling for work or working remotely in a public setting, use an enterprise virtual private network (VPN) solution and browse in incognito mode.

Additionally, with cybercriminals increasingly exploiting vulnerabilities, security teams should also make device safety a big component of awareness and training programs. In this regard, ensure employees perform software and firmware updates immediately. Updates not only enhance features, but they also deliver security patches to address known vulnerabilities. While it’s very tempting to push them off, especially when in the middle of a work assignment, every second a vulnerability does not get patched is another second that gives cybercriminals an open door into a device and the corporate network. Other device safety best practices to share with employees include turning off auto-connect for Wi-Fi and Bluetooth to avoid accidentally connecting to a threat actor’s network, and always verifying sources before downloading software or applications.

Finally, make sure employees don’t forget about the security of their home network and router. With home networks now doubling as work networks for many, employees need to bring organizational security best practices to their home. For example, encourage them to change the default password on their router, set up a guest network for visitors and only use WPA2 or the newer WPA3 protocols. Also remind employees to think about those Internet of Forgotten Things (IoFT) devices — the ones we often forget about, but remain connected in the background, allowing an easy access point for threat actors.
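As an added illustration of the tell-tale signs the column lists under "Vigilance" (misplaced urgency, suspicious attachments or links, spelling errors), the following Python script scores a parsed email for those red flags, the same way an awareness trainer might walk employees through a suspicious message. It is example code written for this page, not a tool from Optiv, CISA or SC Media; the sample messages, phrase lists, file-extension list and weights are constructed for illustration, and a production mail filter would rely on far richer signals (sender authentication, URL reputation, sandboxing) than these heuristics.

```python
"""Heuristic phishing red-flag scorer (illustrative example, not a product).

Checks a raw RFC 5322 message for the classic signs named in the column:
  * tones of misplaced urgency in the subject or body,
  * links whose visible text names a different host than the real href,
  * attachments with risky file extensions,
  * common misspellings.
All phrase/extension lists and weights below are constructed assumptions.
"""
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from urllib.parse import urlparse

# Constructed, deliberately small lists; real tooling would use much larger ones.
URGENCY_PHRASES = ("immediately", "within 24 hours",
                   "account will be suspended", "urgent", "act now")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".iso", ".html", ".zip")
COMMON_MISSPELLINGS = ("recieve", "verfy", "acount", "securty", "informaton")
WEIGHTS = {"urgency": 1, "link mismatch": 3, "risky attachment": 2, "misspelling": 1}
SUSPICIOUS_THRESHOLD = 3  # assumed cut-off for the verdict

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _host(text: str) -> str:
    """Return the bare host named by a URL or domain-looking string, else ''."""
    text = text.strip()
    if not text:
        return ""
    if "://" not in text:
        text = "http://" + text
    host = urlparse(text).netloc.lower().split("@")[-1].split(":")[0]
    if host.startswith("www."):
        host = host[4:]
    return host if "." in host else ""


def score_message(raw: str) -> dict:
    """Parse a raw message and return findings, a weighted score and a verdict."""
    msg = message_from_string(raw, policy=default)
    texts, attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:                       # any named part is treated as an attachment
            attachments.append(filename)
        elif part.get_content_type() in ("text/plain", "text/html"):
            texts.append(part.get_content())
    body = "\n".join(texts)
    lower = (str(msg["Subject"] or "") + "\n" + body).lower()

    findings = []
    for phrase in URGENCY_PHRASES:
        if phrase in lower:
            findings.append(("urgency", phrase))
    for href, label in HREF_RE.findall(body):
        shown = _host(re.sub(r"<[^>]+>", "", label))
        real = _host(href)
        if shown and real and shown != real:  # display text names one host, link goes to another
            findings.append(("link mismatch", f"shows {shown}, goes to {real}"))
    for name in attachments:
        if name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(("risky attachment", name))
    for word in COMMON_MISSPELLINGS:
        if re.search(rf"\b{word}\b", lower):
            findings.append(("misspelling", word))

    score = sum(WEIGHTS[kind] for kind, _ in findings)
    verdict = "suspicious" if score >= SUSPICIOUS_THRESHOLD else "ok"
    return {"findings": [f"{k}: {d}" for k, d in findings], "score": score, "verdict": verdict}


def build_sample(subject, text, html=None, attachment=None) -> str:
    """Build a constructed raw MIME message for the demonstration."""
    msg = EmailMessage()
    msg["From"] = "IT Helpdesk <helpdesk@example.com>"   # constructed sender
    msg["To"] = "employee@example.com"
    msg["Subject"] = subject
    msg.set_content(text)
    if html:
        msg.add_alternative(html, subtype="html")
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_string()


# Two constructed samples: a lure with every red flag, and a routine internal note.
PHISHY = build_sample(
    subject="Urgent: verfy your acount",
    text="Your account will be suspended within 24 hours. Sign in immediately.",
    html='<p>Your account will be suspended within 24 hours. '
         '<a href="http://login-example.invalid/reset">https://portal.example.com</a> '
         'Sign in immediately.</p>',
    attachment=("invoice.zip", b"PK\x03\x04 constructed bytes"),
)
BENIGN = build_sample(
    subject="Q3 all-hands slides",
    text="Hi all, the slides from yesterday's all-hands are on the intranet.",
    html='<p>Hi all, the slides are on the '
         '<a href="https://intranet.example.com/q3">intranet.example.com</a>.</p>',
)

if __name__ == "__main__":
    for label, raw in (("phishy", PHISHY), ("benign", BENIGN)):
        print(label, score_message(raw))
```

The link check is the one employees find hardest to do by eye: the visible text `https://portal.example.com` looks legitimate while the real target is a different host, which is exactly why training tells them to hover over links before clicking. Each finding is reported individually so the output can double as a teaching aid in a simulated-phishing debrief.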