Cybersecurity Awareness Month Toolkit

October is Cybersecurity Awareness Month—a time dedicated for public and private sector organizations to come together to raise awareness about the importance of cybersecurity.  

CISA has tools to help organizations build their own Cybersecurity Awareness Month campaigns. 

About Cybersecurity Awareness Month

Cybersecurity Awareness Month (October) is an international initiative that highlights essential actions to reduce cybersecurity risks.  This year’s theme is Building a Cyber Strong America, highlighting the need to strengthen the country's infrastructure against cyber threats, ensuring resilience and security. 

Cybersecurity is more than an IT issue—it’s a public safety and economic security priority. Many organizations are part of the nation’s critical infrastructure, from local utilities and transportation systems to hospitals, schools and public safety agencies. And many small and medium size businesses play an important role in critical infrastructure, who might be suppliers, contractors, vendors, manufacturers, or another role that helps keep critical infrastructure operating.

When these systems are disrupted, the impact is immediate and far-reaching. Protecting them starts with each person’s daily actions online.

The Cybersecurity and Infrastructure Security Agency (CISA), the federal lead for the campaign, provides resources for organizations to help educate employees and other organizations that are connected in some way. Cybersecurity Awareness Month is supported by corporations, government agencies, businesses, tribes, non-profits and professionals committed to cybersecurity education and protecting our communities.

The campaign builds on past efforts empowers everyone to take core steps to protect against online threats and offers additional ways to help keep the nation’s critical infrastructure secure against cyber threats. This year, there are additional recommendations for small/medium business and state, local, tribal, and territorial government organizations that own, operate, or support critical infrastructure. We live in a highly connected world, with more sensitive information online than ever before. This convenience comes with risks. All organizations that are part of the nation’s critical infrastructure and supply chain have an important role in cybersecurity.

Here are some tips to help you make the most of your participation:

• Recognize the opportunity: Cybersecurity Awareness Month is your chance to engage your entire organization on the importance of cybersecurity. Whether you’re shaping policy, leading a team or simply practicing more secure habits, your involvement matters.
• Get your customers and vendors involved: Share cybersecurity best practices with your customers and vendors and encourage them to commit to stronger cybersecurity. We all need to do our part to keep our communities safe.
• Plan your participation: Use the ideas and no-cost tools in this guide to promote Cybersecurity Awareness Month throughout October. Coordinate with leadership, IT, HR and other teams to ensure consistent messaging.
• Think long term: Talk with leadership and IT about adopting cybersecurity policies that include all of CISA’s best practices. Include your vendors and partners in the conversation so your whole supply chain is more secure. 

Key Messages and Fast Facts

This year, we are showing special appreciation for systems and services that sustain us every day. This includes things like clean water, secure transportation, access to quality healthcare, secure financial transactions, rapid communications, and more. These and other important services are under constant threat from cyber-attacks. Whenever critical infrastructure is disrupted, so are the businesses and communities that depend on them. U.S. businesses and governments that own, operate, or support critical infrastructure are the front line against successful cyber intrusions. 

CISA recommends cybersecurity best practices to reduce your chances of being a victim of a disruptive cyberattack, and provides no-cost information, services and tools to guide organizations in implementing these behaviors.

Cover Down on the basics: Four Essentials to Protect Your Business or Government Organization

Cybercriminals look for easy targets. Businesses and organizations without basic precautions make an easier target for cyber attacks. Start with these four essential steps to safeguard your data and enable your employees to stop attacks before they happen. 

1. Teach Employees to Avoid Phishing Scams: Phishing tricks employees into opening malicious attachments or sharing sensitive information. Train staff to recognize and report suspicious activity.
2. Require Strong Passwords: Strong passwords are a simple but powerful way to block criminals from accessing your accounts through guessing or automated attacks. Make them mandatory for all users.
3. Require Multifactor Authentication: MFA adds an extra layer of security beyond passwords. Require it to make accounts significantly safer. Use phishing-resistant MFA where available.
4. Update Business Software: Outdated software can contain exploitable flaws. Promptly install security updates and patches to keep your systems protected. 

Next Step: Level Up Your Defenses 

Build on the basics and level up with these additional practices.   

5. Use Logging on Your Systems: Log activity so your team can monitor signs that threat actors may be trying to access your systems. Learn how to monitor key information.
6. Back Up Data: Incidents happen, but when you back up critical information, recovery is faster and less stressful. Put a backup plan in place that aligns with your organization’s recovery point objective to protect your systems and keep things running smoothly.
7. Encrypt Data: Encrypting your data and devices strengthens your defense against attacks. Even if criminals gain access to your files, information stays locked and unreadable. Make encryption part of your security strategy. 

Additional Practices

8. Share Cyber Incident Information with CISA: When organizations and CISA share threat information, everyone is safer. Report incidents to help CISA warn others and get information in return to help you stay ahead of threats: cisa.gov/report
9. Migrate to the .Gov Domain (if your organization is eligible): CISA ensures that only legitimate government entities can use a .gov web address. Migrate your website and email to increase public trust and reduce the chance of impersonation attacks. Check your eligibility and learn more at get.gov. 

The takeaway: Cyber threats are evolving fast. This October, make cybersecurity a priority and take decisive steps to protect your organization and others who depend on your services.

Building Your Campaign

This section provides tips on how to promote Cybersecurity Awareness Month and develop your own campaign to encourage essential cybersecurity actions that can help protect your organization, your clients or customers, and the nation’s critical infrastructure.

Enlisting Your Leadership

Leadership buy-in is essential—not just for October, but for building a year-round culture of cybersecurity. Every organization is digitally connected—to employees, and also external stakeholders (vendors, customers, constituents, students, members, etc.). And every organization has valuable data that cybercriminals want—if only to use it to launch an attack on another organization! No business or government organization is too small to be a target.

Participating in Cybersecurity Awareness Month is a way to engage your people, not only making them aware of the risks, but also encouraging action on essential steps they can take that greatly reduce those risks.

Customize the included Cybersecurity Best Practices PowerPoint and present it to your leaders and IT/security team. Review CISA’s cybersecurity best practices for organizations and discuss which of these actions your organization is already doing—and where you could improve. Advocate for clear cybersecurity policies and procedures to protect and strengthen your organization, its employees, customers, and others that rely on your organization’s services.

Engaging Your Organization

Consider using a variety of the following activities throughout the month—or come up with your own:

• Email Announcement: Send an email to employees, customers, or constituents. Outline how your organization will be involved. Highlight the key behaviors and advice provided in this toolkit. See the Sample Email Announcement in the kit to get started.
• Email Signature Banner: Champion cybersecurity month all through October by adding the Email Signature Banner to all your outgoing emails.
• Newsletters: Incorporate Cybersecurity Awareness Month into your employee newsletter. Use language from the Sample Email Announcement provided in this toolkit for inspiration.
• Press: Work with leadership to issue an official press release, proclamation, or video announcement to show your organization’s support. Announcements should highlight what your company does to practice cybersecurity. See the Sample Press Release in the toolkit.
• Social Media: Join the conversation on social media by sharing safety tips and resources. Highlight the steps your organization is taking to educate others on how to stay safe online. See the Social Media Suggestions later in this guide for event hashtags and links to CISA’s channels.
• Poster: Hang the included Posters in a breakroom or anywhere they’ll be visible to others in your organization.
• Information booth: Set up an area to hand out the included Posters or other materials and talk to people within your organization.
• Event: Host an in-person or virtual event for your organization. (For virtual events, use one of the included Virtual Backgrounds.) Discuss smart security practices, relevant cybersecurity issues and allow participants to ask cybersecurity-related questions.
• Gamification: Host a “spot the scam” phishing game or competition. Throughout the month, send fake phishing emails to your employees and reward those who successfully identify and report the most attempts. Send out a final message that explains the clues that indicate phishing in each message, so employees can learn from them.
• Incentives: Issue a company promotion related to the month, such as a product discount, a competition or giveaways for customers.
• Recap: At the end of the month, send employees an email highlighting your activities, results and successes. Recap best practices learned throughout the month.

Educating Your Community

Your organization can be a trusted voice in the community, especially for groups that may be more vulnerable to cyber threats. Here are some tips to help you prepare a “Cyber Basics” talk.

• Know Your Audience: Tailor your talk to their technology use and top concerns.
• Keep it Simple: Use plain language, avoid jargon and focus on practical tips.
• Prepare Slides: Use the included Nine Ways to Stay Safe Online presentation or create your own using the PowerPoint Template.
• Provide Takeaways: Have printouts of your presentation double as a learning guide after you leave, and/or provide the Poster as a handout. Give people resources where they can reach out for more help, especially if they have a cybersecurity incident. Make sure they know what help is available to them, and who they should contact (for example, CISA or the FBI).

Tools & Samples

The Cybersecurity Awareness Month 2025 Toolkit has ready-to-go and customizable tools and templates to help you conduct your campaign.

Email Signature Banner

Encourage leaders and influencers in your organization to use this image in their email signature all month long. (Use the full-size PNG file in the toolkit vs. copying the thumbnail below.)

 

Virtual Backgrounds

Use one of these images as your background for your videoconferencing calls (Teams, Zoom, etc.) throughout October. (Use the full-size PNG files in the toolkit vs. copying the thumbnails below.)

 

Sample Email Announcement

Start getting employees engaged in Cybersecurity Awareness Month by sending an email to everyone in the organization. We’ve provided a sample version you can customize to get started.

Sample Email Announcement - CAMToolkit2025 (DOCX, 414.39 KB )

 

Sample Press Release

Make a public announcement about your Cybersecurity Awareness Month campaign. We’ve provided a sample version you can customize to get started.

Sample Press Release - CAMToolkit2025 (DOCX, 33.95 KB )

 

PowerPoint Presentations

We’ve provided three PowerPoint files in the toolkit:

1. Cybersecurity Best Practices for Organizations: Use this presentation with your leadership and IT/security team to review CISA’s cybersecurity best practices for small and medium business and state, local, tribal and territorial organizations. Review your organization’s cybersecurity policies and discuss the need for any updates. Get their buy-in for your organization to participate in Cybersecurity Awareness Month.
2. Nine Ways to Stay Safe Online: Use this presentation to help employees understand the simple steps they can take at work as well as on their personal devices. You can also use this presentation for community outreach with public audiences that might find basic cybersecurity information helpful.
3. PowerPoint Template (Create Your Own): Use this template to create custom presentations for specific groups.

Cybersecurity Best Practices - CAMToolkit2025 (PPTX, 17.72 MB )

Nine Ways to Stay Safe Online - CAMToolkit2025 (PPTX, 14.35 MB )

PPT Template - CAMToolkit2025 (PPTX, 12.11 MB )

 

Social Media Suggestions

Cybersecurity Awareness Month is a time to work together to protect each other. One of the best ways to get involved is to join the conversation on social media by sharing cybersecurity tips and resources that highlight the steps your organization is taking to educate others on how to stay safe online.

The Cybersecurity and Infrastructure Security Agency (CISA) regularly posts updates on cybersecurity and will share tips throughout October to help small/medium business and state, local, tribal and territorial organizations be more cybersecure. When you engage with CISA posts (by liking, sharing, and commenting), you help ensure these messages get more exposure.

Follow CISA on social media to receive the latest updates and resources.

CISA Facebook

CISA Instagram

CISA LinkedIn

CISA X

CISA YouTube

You can create your own posts throughout the month as well. When you post, make sure to tag CISA @CISAgov and use the hashtag:

#CybersecurityAwarenessMonth

Remember that cybersecurity education isn’t limited to October. You can share cybersecurity information all year long and keep building up your own organization’s cybersecurity.

Posters

Hang the posters in your organization’s breakroom. The first one catches the eye from a distance, and the second and third one provide the details.

Poster1 - Tagline - CAMToolkit2025 (PDF, 9.67 MB )

Poster1 - Tagline_cropmarks - CAMToolkit2025 (PDF, 9.66 MB )

Poster2 - Practice These Four Essentials - CAMToolkit2025 (PDF, 1.47 MB )

Poster2 - Practice These Four Essentials_cropmarks - CAMToolkit2025 (PDF, 1.48 MB )

Poster3 - Level Up Your Defenses - CAMToolkit2025 (PDF, 1.46 MB )

Poster3 - Level Up Your Defenses_cropmarks - CAMToolkit2025 (PDF, 1.47 MB )

 

CISA Cybersecurity Awareness Month

Contact Us

About the Cybersecurity and Infrastructure Security Agency (CISA)

As America’s cyber defense agency and the national coordinator for critical infrastructure security and resilience, CISA leads the national effort to understand, manage, and reduce risk to the cyber and physical infrastructure that Americans rely on every hour of every day.

Website: cisa.gov

Contact: contact@cisa.dhs.gov

Contact Your CISA Regional Office by Visiting: cisa.gov/about/regions 

Report a Cyber Issue: www.cisa.gov/report or mail to: contact@cisa.dhs.gov 

CISA is committed to providing access to our web pages and documents for individuals with disabilities, both members of the public and federal employees. If the format of any elements or content within this document interferes with your ability to access the information, as defined in the Rehabilitation Act, please email CISA-ExternalAffairs@cisa.dhs.gov. To enable us to respond in a manner most helpful to you, please indicate the nature of your accessibility problem and the preferred format in which to receive the material.