When we shared the first article in this series, the response was overwhelming. From security professionals to everyday users, one message came through: people want practical, real-world ways to stay safe online. So, as the month draws to a close, we decided to do a second edition, one that looks at other questions, challenges, and ideas.
Cybersecurity awareness doesn’t end with a single campaign or a list of best practices. It’s an evolving mindset. The threats and tools change, and so must our approach. In this follow-up, we look at how the experts move beyond awareness toward lasting digital resilience.
Here’s what they had to say.
Build a Strong Security Culture
Ross Moore, an Information Security Researcher, speaks of security culture. He advises security practitioners or teams to present themselves as trusted internal security ‘customer service teams’, demonstrating responsiveness, approachability, and support. This could include quick email replies, a friendly attitude, willingness to review suspicious messages, or availability for calls with colleagues and prospects.
“Go beyond being a brainiac to being a kind and knowledgeable person with whom others can do business. Build bridges with at least one person in each department who is friendly to security principles in any form, whether they believe in good passwords, readily enable 2FA for everything, are willing to try some new secure tech, or apply secure programming. This approach can help spread the idea that security-mindedness goes beyond security departments.”
He adds, “When you get a chance to promote security, take it! Be professional, and don’t do anything detrimental to your reputation. But take the next step and adjust along the way. This willingness to take a step, perhaps endure some laughs and constructive criticism, adjust per the guidance of your leadership all go into building a culture of security because your coworkers know it’s you, and not some packaged program.”
Next, Moore says to provide some channel for education, even if it’s a manual and personal avenue. “AI has increased the ability for criminals to imitate individuals. It doesn’t take much time at all to go from zero knowledge of a person to a full-fledged deepfake video. With publicly available information and the right tools (which don’t cost much), one can clone voice, movements, and idiosyncrasies; match that with speech patterns, physical location, social media profile, and other personal interests; and then present a convincing personal video or voice mimic. People need to learn to discern, and employees need a quick channel where they can inquire about and report suspicious communiques.
“Cultivate trust in the security initiatives beyond just the security department. You can build trust by providing the right mechanisms for what is suggested. If you recommend enforcing 2FA at work, ensure it’s available. If you suggest password managers, be ready to make suggestions. If you say “report phishing,” you need to have one, a readily available channel, and two, reply quickly and kindly. It’s too easy to promote good things and then get upset when many people take advantage of that good thing.”
Everyone Can Help
Carrying the conversation of culture further, Mike Arrowsmith, CTO at NinjaOne, says every employee, no matter their seniority, can take steps to better prevent, identify, and mitigate social engineering attacks. “These scams usually leverage employees’ inherent trust in their IT teams to gain unauthorized access to critical systems.”
It may seem basic, Arrowsmith adds, but effective prevention and identification begin with comprehensive security awareness training for all employees. “The workforce must understand that legitimate IT staff will never request passwords or pressure them into urgent action. Training can support employees at every level to spot red flags such as urgency, threats, unusual communication channels, and requests for sensitive credentials. Organizations should have clear communication protocols and escalation paths for employees to report suspicious contact. Additionally, employees should be frequently tested with phishing simulations. By conducting regular simulations, organizations can effectively measure their cyber awareness baseline, identify vulnerable users who need additional training, and continuously reinforce security behaviors.”
A Board Level Imperative
Kevin Landt, VP of Product, Cybersecurity at Thrive, agrees that an organization’s cybersecurity responsibility is no longer confined to the IT team, adding that it’s now a major business imperative at the board level. “The risks presented by a breach can be catastrophic, and with attack methods rapidly evolving due to innovations in AI, the consequences of a successful incident can be both financial and reputational in nature.”
To prepare for what now seems to be an inevitable reality, Landt says organizations need to take a layered approach that incorporates an initial assessment of potential vulnerabilities, effective controls to manage risk, and defined roles and responsibilities to identify potential threats and respond effectively to an incident. “Humans, unfortunately, remain the weakest link regarding cyberattacks. The good news is that more effective training strategies are starting to be implemented, which train staff to spot potential risks and emerging threats such as deepfakes and AI-driven attacks. Businesses can also fight fire with fire by adopting AI-powered solutions, such as tools to spot AI-created phishing emails, to ensure they keep pace with the evolving techniques adopted by bad actors. By focusing on training, technologies, and carefully selected partnerships, businesses can move from a reactive to a proactive stance, with the resilience to respond effectively, recover quickly from events, and protect their data and operations.”
Security Teams Under Pressure
It’s also important to remember that while Cybersecurity Awareness Week tends to focus on consumer safety, it’s only part of the story, says Jimmy Mesta, Co-founder and CTO of RAD Security. “Behind every phishing warning or software update prompt, there’s a security team under pressure to make those defenses work at scale. That’s where awareness breaks down: not at the user level, but in the complexity of the systems that support them.”
The truth, says Mesta, is that many security teams already know what needs fixing. “The problem is bandwidth. They’re overwhelmed with alerts, stuck reconciling disconnected tools, and buried under compliance work that’s growing faster than their teams are. I believe that awareness has to include that layer too: the people behind the platform, not just the people using it. That means helping defenders focus on what matters, eliminate wasted motion, and translate technical insight into business action—before it ends up as a headline.”
Strengthening Endpoints
Endpoints are often the most vulnerable point of entry for cyberattacks, as they’re widely distributed, says Kevin Greenway, CTO of 10ZiG Technology. “Endpoints are commonly targeted with phishing, malware, and unauthorized access attempts. Thin and zero client technologies strengthen security at the endpoint by minimizing the attack surface, which is one of the most effective ways to reduce overall risk. Unlike traditional PCs, these devices have no local data storage and a simplified operating environment, making it much harder for malware or unauthorized applications to gain a foothold.
Centralized management further ensures that policies, patches, and access controls are consistently applied, eliminating gaps that often arise in distributed endpoint environments. By keeping sensitive data in the data center or cloud and reducing opportunities for compromise at the edge, organizations can better protect critical information while creating a more secure, controlled endpoint environment.”
Talent, Unseen
Jayson Haynes, Early Careers Business Partner at Bridewell, agrees that this month is a reminder that protecting our digital world relies on people as much as technology, but too often, potential talent goes unseen. “The industry has a habit of looking for the same profiles: technical degrees, years of experience, and expensive certifications. This narrow view creates barriers that exclude capable, curious, and diverse individuals who could make a real difference.”
He says the next generation of cybersecurity professionals is already out there; they just need the opportunity to be seen. Various initiatives uncover untapped potential and create accessible, structured pathways into the industry. “By broadening how we recruit and who we support, we can close the skills gap, strengthen our national resilience, and ensure cybersecurity is a career open to anyone with the drive to protect what matters most.”
The Landscape Has Irrevocably Shifted
Jason Schmitt, CEO, Black Duck, says every month should be treated as a reminder that the cybersecurity landscape has irrevocably shifted. “The old software world is giving way to a new reality defined by AI-driven complexities. The average application has three times more code than it did four years ago; this trend will continue in the future. By 2030, there will be three times more applications than today.”
Global cyberattacks continue to proliferate, Schmitt says, with a 30% increase last year alone and an average of over 1,600 attacks per organization weekly. “Add to that AI-generated code, which is projected to grow by 400% by 2030, and the risks will only accelerate and compound. This new reality renders traditional security tradeoffs ineffective. However, by adopting true scale application security, security and business leaders can access the resources needed to make informed decisions and confidently drive business innovation. This approach empowers organizations to navigate the evolving cybersecurity landscape effectively.”
Set Clear Boundaries
Jamie Beckland, CPO at APIContext, adds: “The acceleration of agentic AI within enterprises has streamlined operations, but like any new technology, it also introduces risks. These autonomous agents are facilitated by Model Context Protocol (MCP) servers, which enable them to operate effectively, yet these servers have excessive access to sensitive company data. This high privilege level means any misstep or security issue could have serious consequences.
To keep internal infrastructure and proprietary data secure, organizations must understand the tasks and data that their autonomous agents handle. This visibility will enable organizations to set clear boundaries, control what the AI can do, and protect sensitive information and systems. Monitoring AI actions, limiting access, and reviewing the data it uses are essential to maintaining a robust AI security perimeter while leveraging its capabilities.”
Retire the Generic Playbook
Dan Candee, CEO of Cork Protection, adds that if we hope to fight AI threats, it’s time to retire the generic playbook. “AI-driven threats mean a wrong click can be ‘game over’ for a small business. We must move past simple awareness and focus on real readiness. First, forget the posters and run a fire drill. Replace useless “Don’t Click” emails with a war game to test their recovery plan under pressure. See who gets the first call and how quickly they can restore their backup.”
Second, he says, is to recognize that you are the biggest target. “Hackers prize IT providers. Use this month to audit your own security honestly. Your clients’ survival depends on you being the most secure link. Finally, talk money, not tech. Engage leadership by discussing financial risk, specifically their cyber insurance policy. Offer a Readiness Review to highlight requirements that could cause a denied claim. This positions you as a core business advisor, not just the IT person.”
Don’t Miss the Wood for the Trees
Shreyans Mehta, CTO at Cequence Security, says: “It’s important for those of us actively engaged in cybersecurity to be sure we don’t miss the woods for the trees. Organizations have spent months, if not years, implementing zero trust network architectures (ZTNA), a robust concept that promises to improve security through a radically ‘never trust, always verify’ mindset. These are painstaking projects with multiple stages, including continuous authentication, authorisation, and microsegmentation. Yet many risk undoing all that hard work by developing AI projects almost overnight and standing those up without sufficient attention to security. If the AI is not configured correctly with proper identity and monitoring nailed down, you risk blowing holes in your ZTNA.
“Organizations, therefore, need to be mindful that, while AI can offer numerous productivity gains, it also significantly expands the attack surface if it’s not done right,” Mehta adds. “The potential for those AI deployments to come back to bite the business is real, so the technology shouldn’t be viewed just in terms of its commercial value. In addition to DevOps spend, there has to be a security budget. Productivity and security are not mutually exclusive; they can co-exist, enabling the business to adopt and follow best practice when rolling out AI.”
Safety Begins With Everyday Habits
Glyn Morgan, country manager UK&I for Salt Security, says it’s a good time to remind ourselves that online safety begins with our everyday habits. “Today, most threats are not from teams of hackers executing brilliant technical manoeuvres but from small gaps in how we manage our digital lives.”
Small things, Morgan adds, make a big difference. “Use strong, unique passwords with the help of a password manager, enable multi-factor authentication whenever you can, and keep your software and apps updated. Watch what you share on the web and verify links or attachments before clicking. Awareness counts, but it’s consistency that really keeps us all safe.”
Make Risks Real for Everyone
Paul Speciale, CMO of Scality, adds that we must make risks real for everyone. “Awareness begins with making the risks concrete. Employees and leaders need to see cyberattacks not as technical jargon but as events that directly impact business and society. Using real incidents, like the recent airport attack, which disrupted airport operations across Europe, helps employees understand why caution with phishing emails or suspicious links matters. Leaders must also recognize that the cost of not prioritizing cyber resilience can be measured in disrupted services, lost revenue, and broken trust. In the worst cases, companies see no alternative but to pay the ransom, with demands that can run into the millions, and even then, recovery is far from guaranteed.”
Awareness, he adds, is only the starting point. “To make it effective, companies must turn knowledge into action through practice. Regular drills and incident simulations are far more effective than one-off training sessions. These exercises allow employees to experience the pressure of a real attack in a safe environment and to understand their specific roles in a response. For example, who makes the first call if a backup system is suddenly encrypted? Who evaluates the scope of the damage? Who communicates with partners and customers? When these roles are rehearsed, they become instinctive, and the entire organization can respond faster and more confidently. Importantly, these drills should extend beyond IT and security teams to include operations, HR, legal, and communications, because a real incident will involve every part of the business.”
Good Credential Practices
Patricia Egger, head of security at Proton, believes one of the simplest but most effective ways to stay safe online is through good credential practices. “Weak or reused passwords remain one of the most widespread attack vectors. Instead, every account should have a strong, unique password, passphrase, or passkey. They should be long, difficult to guess, and stored in a reputable password manager. Two-factor authentication is also a must and makes a huge difference in your protection level. The inconvenience is more than made up for by the added security.”
Just as importantly, Egger says people should be wary of phishing attempts designed to trick them into handing over credentials in the first place. “Protecting our digital identities is the foundation of online security. By taking credential hygiene seriously, individuals can significantly strengthen their defences and make it harder for attackers to succeed.”
Resilience-in-Depth
To minimize the destructive impact of ransomware and other attacks, organizations now need to pivot to a ‘resilience-in-depth’ approach, says James Blake, Global Head of Cyber Resiliency Strategy at Cohesity. “This requires security teams to proactively hunt for the early stages of an attack, using mechanisms that aren’t subject to standard EDR evasion techniques built into today’s ransomware-as-a-service platforms. Security teams can further reduce the attack surface by applying patches to systems connected to the Internet, while enforcing vaulted backups, strong authentication, and additional approvals for administrative tasks.
“However, true resiliency lies beyond simply deploying a tech solution off-the-shelf. It’s about how these solutions are used, embedding cyber awareness into your company culture, and whether you have the necessary skills and processes to maintain it. By evolving beyond the castle-and-moat mindset, organizations will have the approach and tools to safeguard against the seemingly endless changes in adversary behavior.”
The Old Software World is Gone
Dipto Chakravarty, CTO, Black Duck, says as we observe National Cybersecurity Awareness Month this October, we must acknowledge that the old software world is gone, giving way to a new set of truths defined by AI. “AI adoption is universal; governance is lagging. Of the 785 development and security professionals surveyed, 89.3% reported that they’re already using AI-powered coding assistants within their organizations, and 96.1% are integrating open source AI models into their products. However, this rapid adoption has outpaced the development of necessary governance and security measures, with 21.1% of companies lacking confidence in preventing AI from introducing security vulnerabilities. This data underscores the imperative for proactive cybersecurity measures and comprehensive risk management strategies to protect our digital assets.
“Let’s leverage this awareness month to reinforce our commitment to securing our digital world, delivering AI development velocity with uncompromised trust,” Chakravarty ends.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.