This Cyber Awareness Month is the perfect time to ask: Are your security basics truly covered? Even with advanced tools in place, it’s often simple issues—like missed updates or patches—that cause the most problems.
We know you’re familiar with these challenges, and your time is stretched thin. That’s why this blog focuses on the essentials that make a real difference. By staying on top of updates, patching, and using frameworks like Cyber Essentials and the NCSC’s 10 Steps to Cyber Security, you can strengthen your foundation without overcomplicating things.
Let’s make sure the basics are solid, so you can confidently tackle the bigger challenges ahead.
Overview of The National Cyber Security Awareness Month
Cyber Security Awareness Month, held every October, is a great reminder of just how important it is to protect our digital world. It’s a global effort to raise awareness about cyber-threats and give businesses and individuals the tools and knowledge they need to stay safe online.
This year’s theme, “Secure Our World,” is all about making Cyber Security accessible to everyone. It’s a call to action for organisations to adopt simple but effective measures that reduce risk and enhance security.
So why is Cyber Security Awareness Month 2024 so crucial for security leaders?
- Growing challenges for security leaders: With threats becoming more sophisticated and frequent—especially with the rise of AI, deep fakes, and other advanced tactics—security leaders are under increasing pressure.
- Reassess the basics: Cyber Awareness Month is the perfect time to review core security measures that can slip amid the demands of digital transformation and competing priorities.
- Focused time for improvement: This focused month provides a valuable opportunity to step back from daily demands, identify gaps, and implement strategies that can make a meaningful impact on overall security.
Now is the perfect time to assess your current defences and make the necessary adjustments to safeguard your organisation.
The Role of Cyber Essentials in Cyber Security
You’ve probably heard of Cyber Essentials, or maybe your business already has the certification. But if you’re not familiar, Cyber Essentials is a government-backed scheme designed to help businesses put fundamental Cyber Security controls in place. It’s a great focus for Cyber Awareness Month 2024, offering straightforward, practical steps to protect against common threats like phishing, ransomware, and malware.
Core Controls of IASME Cyber Essentials Basic and Cyber Essentials Plus:
Even with solid security in place, taking a moment for a cyber hygiene activity can help ensure you’re not overlooking the basics. Here’s a set of practical actions based on the core controls of the Cyber Essentials certification:
- User Access Control Audit: Even with established controls, it’s worth periodically reviewing access to ensure everything is still aligned with current needs. Confirm that all users are authenticated with unique credentials, and two-factor authentication is applied where feasible. It’s also a good opportunity to clean up any dormant accounts or excess privileges that are no longer necessary. Limiting administrative accounts strictly to admin tasks, rather than everyday use, helps maintain control. Regular reviews help keep access streamlined and secure.
- Firewall Rule Review: Review your firewall rules—it’s easy for them to accumulate unnecessary permissions over time. Ensure default admin passwords are changed, and disable remote admin access unless absolutely necessary. If remote access is a must, lock it down with two-factor authentication or an IP whitelist. Block any unauthenticated inbound connections by default, and make sure all rules are properly documented with a clear business need. Clean up any rules that no longer serve a purpose, and don’t forget to apply host-based firewalls on devices used on untrusted networks like public Wi-Fi.
- Check Device Configuration: Review your configuration process. Remove or disable any unnecessary software or features that could introduce vulnerabilities and ensure default passwords are replaced. Regularly update configurations and make sure everything is aligned with your security policies to maintain a solid security posture.
- Run Malware Protection Scans: Ensure your malware protection is up to date and configured to automatically scan files when they are accessed, downloaded, or opened—especially from network folders. Make sure web pages are scanned when accessed, and that connections to malicious websites are blocked. Update malware signatures daily to defend against the latest threats.
- Patching Review: Make sure your patch management process is up to speed. All software and devices should be licensed and supported, with any unsupported software removed from the environment. Critical security patches need attention within 14 days, especially if they address vulnerabilities classified as 'high risk' or 'critical,' or those with a CVSS v3 score of 7 or higher—even when specific vulnerability details aren’t provided by the vendor. Regular patching ensures your systems aren’t left exposed to preventable threats.
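Two of the checks above, the access review and the 14-day patching rule, lend themselves to a quick script run over an exported user list and a vulnerability feed. The example below is added here and is not code from the original post or from IASME; the record layouts, the sample accounts and advisories, and the 90-day cut-off for calling an account dormant are all assumptions for the illustration. The 14-day window, the CVSS v3 score of 7 or higher, and treating a fix as in scope when the vendor gives no details at all follow the Cyber Essentials requirement described in the text.

```python
"""Two Cyber Essentials hygiene checks over constructed sample data.

Added example, not from the original post. The record layouts, the 90-day
dormancy cut-off and all sample values are assumptions; the 14-day window
and the CVSS v3 >= 7 rule come from the Cyber Essentials requirements.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

PATCH_WINDOW_DAYS = 14       # Cyber Essentials: high/critical fixes applied within 14 days
CVSS_THRESHOLD = 7.0         # CVSS v3 base score at which the 14-day window applies
DORMANT_AFTER_DAYS = 90      # assumed cut-off for a "dormant" account (not from the post)


@dataclass(frozen=True)
class Account:
    username: str
    is_admin: bool
    mfa_enabled: bool
    last_login: Optional[date]   # None means the account has never signed in
    shared: bool = False         # True when several people use the same credential


@dataclass(frozen=True)
class Advisory:
    package: str
    cvss_v3: Optional[float]         # None when the vendor publishes no score
    vendor_severity: Optional[str]   # e.g. "critical"; None when not stated
    released: date                   # date the fix became available
    supported: bool = True           # False for software past vendor support


def audit_accounts(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """User Access Control review: return (username, issue) pairs."""
    issues = []
    for acct in accounts:
        if acct.shared:
            issues.append((acct.username, "shared credential; every user needs a unique login"))
        if acct.is_admin and not acct.mfa_enabled:
            issues.append((acct.username, "admin account without two-factor authentication"))
        if acct.last_login is None or (today - acct.last_login).days > DORMANT_AFTER_DAYS:
            issues.append((acct.username, "dormant account; disable or remove it"))
    return issues


def in_14_day_scope(adv: Advisory) -> bool:
    """True when Cyber Essentials requires the fix to be applied within 14 days."""
    if adv.vendor_severity and adv.vendor_severity.lower() in {"high", "critical"}:
        return True
    if adv.cvss_v3 is not None and adv.cvss_v3 >= CVSS_THRESHOLD:
        return True
    # No score and no severity: the vendor gave no details, so treat it as in scope.
    return adv.cvss_v3 is None and adv.vendor_severity is None


def patch_triage(advisories: List[Advisory], today: date) -> List[Tuple[str, str, Optional[date]]]:
    """Patching review: return (package, status, deadline) for each advisory."""
    results = []
    for adv in advisories:
        if not adv.supported:
            results.append((adv.package, "remove: unsupported software", None))
        elif not in_14_day_scope(adv):
            results.append((adv.package, "routine", None))
        else:
            deadline = adv.released + timedelta(days=PATCH_WINDOW_DAYS)
            status = "OVERDUE" if today > deadline else "due"
            results.append((adv.package, status, deadline))
    return results


# Constructed sample data for the example run.
TODAY = date(2024, 10, 15)
SAMPLE_ACCOUNTS = [
    Account("alice", is_admin=True, mfa_enabled=True, last_login=date(2024, 10, 14)),
    Account("bob", is_admin=True, mfa_enabled=False, last_login=date(2024, 10, 10)),
    Account("reception", is_admin=False, mfa_enabled=True, last_login=date(2024, 10, 12), shared=True),
    Account("carol", is_admin=False, mfa_enabled=True, last_login=date(2024, 5, 1)),
    Account("dave", is_admin=False, mfa_enabled=False, last_login=None),
]
SAMPLE_ADVISORIES = [
    Advisory("web-server", 9.8, "critical", date(2024, 9, 20)),
    Advisory("office-suite", 7.0, None, date(2024, 10, 10)),
    Advisory("vpn-client", None, None, date(2024, 10, 1)),      # vendor gave no details
    Advisory("pdf-viewer", 4.3, "medium", date(2024, 9, 1)),
    Advisory("legacy-fax-tool", None, None, date(2024, 1, 1), supported=False),
]

if __name__ == "__main__":
    for user, issue in audit_accounts(SAMPLE_ACCOUNTS, TODAY):
        print(f"ACCESS  {user:<10} {issue}")
    for pkg, status, deadline in patch_triage(SAMPLE_ADVISORIES, TODAY):
        print(f"PATCH   {pkg:<16} {status:<28} {deadline or ''}")
```

Run against real data, the same two functions take whatever your identity provider and vulnerability scanner export; the point of the triage is that a fix with no vendor detail lands in the 14-day bucket rather than being quietly deferred, and unsupported software is routed to removal rather than waiting for a patch that will never come.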
The latest statistics from IASME show just how beneficial having a Cyber Essentials or Cyber Essentials Plus certification can be. The numbers speak for themselves:
- Organisations with Cyber Essentials are 92% less likely to make a claim on cyber insurance than those without it.
- The number of Cyber Essentials certificates issued rose 23% on last year.
- Cyber Essentials Plus certificates saw a 28% increase from 2023.
- 91% of businesses plan to recertify next year.
- 40% of smaller organisations implemented the controls for the first time.
- The failure rate for Cyber Essentials dropped to just 2%, continuing a three-year decline.
Whilst Cyber Essentials establishes the basics of security that all businesses should follow, it is especially valuable for SMEs. It offers an affordable, effective way to begin their Cyber Security journey without needing extensive resources.
NCSC’s Guidance for The 10 Steps to Cyber Security for Larger Firms
The National Cyber Security Centre (NCSC UK) created the 10 Steps to Cyber Security as a practical framework to help larger organisations boost their cyber defences. While these steps are widely used by enterprise-level businesses, SMEs can also benefit by adopting them to strengthen their Cyber Security.
Why Are the NCSC 10 Steps Important for Cyber Awareness Month?
Cyber Awareness Month is the perfect time to revisit the 10 Steps to Cyber Security. These steps offer a clear roadmap to identify, manage, and reduce cyber risks before they escalate into critical issues.
Here’s a quick breakdown of the 10 steps:
- 1. Risk Management: Regularly assess and manage cyber risks, identifying vulnerabilities and understanding how they might impact your business.
- 2. Engagement and Training: Get your staff involved in Cyber Security, providing ongoing training so they can recognise and respond to threats.
- 3. Asset Management: Keep track of key assets like hardware, software, and data, ensuring they’re properly protected.
- 4. Architecture and Configuration: Configure your systems with security in mind to minimise vulnerabilities.
- 5. Vulnerability Management: Regularly scan for vulnerabilities and apply patches to fix any security flaws.
- 6. Identity and Access Management: Control who can access your systems and data, limiting it to authorised personnel.
- 7. Data Security: Encrypt and securely store sensitive data to avoid breaches that could lead to serious consequences.
- 8. Logging and Monitoring: Keep an eye on your network for unusual activity, so you can spot and respond to potential breaches early.
- 9. Incident Management: Have a plan in place to handle cyber incidents, minimising downtime and damage.
- 10. Supply Chain Security: Ensure third-party suppliers follow security best practices to avoid vulnerabilities in your supply chain.
Who Are the 10 Steps Useful For?
These 10 steps are ideal for larger organisations with more complex IT systems that need a strong, layered defence. However, SMEs can also benefit by adopting these steps to improve their Cyber Security. If you’re a smaller business, the NCSC’s Small Business Guide offers more practical advice tailored to limited resources.
How Can the 10 Steps Improve Security?
By implementing the 10 Steps to Cyber Security, businesses can:
- Build a layered defence strategy that addresses vulnerabilities across the organisation.
- Take a proactive stance by identifying risks before they become serious threats.
- Improve detection, response, and recovery from cyber incidents.
- Strengthen overall security through structured defence measures.
- Minimise damage during a cyber-attack, reducing downtime and business impact.
Cyber Security Awareness Training for Employees
When it comes to Cyber Security, employees are your first line of defence, and you already know how important cyber awareness training is. The challenge, however, is keeping teams engaged and ensuring that training leads to measurable improvements.
Generic, one-off training sessions often fall flat, so it’s about making training tailored, continuous, and something your team actually connects with. By focusing on relevance and regular touchpoints, you can boost engagement and track real progress—not just tick a compliance box.
So Why Does Generic Cyber Awareness Training Fail?
The reality is, out-of-the-box training doesn’t stick. A recent study shows that Cyber Awareness training is most effective when repeated every four months. Up to four months after training, employees were still sharp and able to spot phishing emails. By the six-month mark, however, those skills had started to fade and their performance dropped.
Generic sessions may cover the basics, but without relevance to daily tasks, employees are unlikely to retain the information or apply it effectively.
If you would like to know more information about this, we have an in-depth blog which goes into detail about the 6 key ways Cyber Awareness Training fails for most organisations.
The Importance of Tailored, Continuous Training
To make Cyber Security training truly effective, it needs to be tailored to your organisation’s needs. Continuous, role-specific training helps employees understand the threats they are most likely to encounter and how to respond. By engaging employees with real-world examples and keeping the training ongoing, you ensure that Cyber Security remains top-of-mind.
Phishing Simulations and Hands-On Activities:
As a security leader, you know cyber awareness training is essential—but Cyber Awareness Month is a chance to push it further. Sure, you’re running phishing simulations, but are they targeting your highest risk teams and today’s threats?
If your accounts team is vulnerable to push payment scams, a generic phishing test won’t cut it.
- Tailored simulations: Instead, run a simulation focused on that specific threat, followed by role-specific training to help them recognise and respond effectively.
- QR code attacks: With QR code phishing on the rise, try a simulation around this growing attack. Follow it up with training that explains how these scams work and ties into emerging risks like AI-generated threats.
- Relevant knowledge: Shifting from generic exercises to targeted, real-world simulations not only keeps your team engaged but prepares them to deal with the specific threats your business is most likely to face.
Regular Phishing Drills:
Regular phishing drills are key to your security strategy, but there’s a fine line between testing awareness and creating a blame culture. If your team feels tricked or judged for mistakes, it can lead to disengagement and frustration. Sound familiar? The last thing you want is a team afraid of failure—this undermines the entire purpose of training.
So, how do you empower your team instead? Here’s how:
- Avoid Naming and Shaming: When someone falls for a phishing simulation, treat it as a chance to learn, not punish. Encourage open conversations about what went wrong and how to prevent it in the future. Make it clear that the focus is on continuous improvement, not blaming.
- Positive Reinforcement: Recognise the progress your team is making. Share phishing awareness improvements during company meetings and highlight how their efforts are strengthening the organisation’s security. Positive feedback reinforces that they’re making a real difference.
- Focus on Learning, Not Testing: Make it clear that phishing drills are about building awareness, not catching people out. Provide immediate feedback after simulations, followed by targeted resources to help employees grow their skills. This keeps the focus on learning rather than testing.
- Regular Drills, Gradual Challenge: Run phishing simulations regularly, but start with simpler scenarios and gradually increase the difficulty. This keeps your team engaged and challenged, without overwhelming them as they grow in awareness.
By focusing on learning, positive reinforcement, and steady improvement, you’ll create a culture where employees feel confident engaging with security initiatives and empowered to take an active role in protecting your organisation.
Do Your Password Policies Need an Audit?
You likely have strong password policies in place, but are they being followed consistently?
Consider:
1. Review Password Policies
- Check your password change policies: Review how often password changes are enforced for critical systems. For sensitive accounts with admin access, consider whether the current frequency is still adequate or needs tightening.
Does your password policy need a refresh? It might be time to remind your team about secure practices, like using the “three random words” method for strong, memorable passwords, and avoiding obvious choices like names or birthdays. Even if this was covered during onboarding, a quick reminder can reinforce good habits. If not already in place, consider implementing a password manager to securely generate and store unique passwords across platforms.
Is 2FA in Place for All Your Critical Accounts?
2. Ensure 2-Step Verification (2SV) is Mandatory
You’re likely using 2SV, but it’s a good time for a quick audit to ensure it’s mandatory across all accounts, particularly for high-risk users or sensitive applications.
New apps or users can sometimes slip through the cracks, so ask yourself: Is your website enforcing 2SV for new marketing team members? Is your CRM covered? When things get busy, processes can easily be missed, so now’s the time to double-check.
Enhancing Email Security
It’s no secret that email remains one of the top channels for cyber-attacks, so securing business email accounts is likely high on your agenda. You’re probably already using many standard practices, but Cyber Awareness Month is the perfect time to review and tighten up any areas that might need attention. Here are some practical steps to further strengthen your email security:
3. Implement or Audit Anti-Spoofing Controls
Do you have anti-spoofing measures like DMARC, SPF, and DKIM in place? These tools ensure emails from your domain are legitimate and help prevent attackers from spoofing your domain to target employees, clients, or partners. But it’s not just about setting them up—active monitoring is key to ensuring they work as intended. This month is an ideal time to audit these controls and make sure everything is functioning as it should.
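The audit the paragraph describes starts with reading your own DNS records and asking whether they actually enforce anything. The script below is an added example, not code from the original post: it takes SPF, DKIM and DMARC record text that has already been fetched (here, constructed sample records, so it runs with no DNS access) and flags the settings that leave a domain spoofable, such as an SPF `+all`, a DKIM selector with an empty key, or a DMARC policy of `p=none` with no reporting address. The `example.com` names and the public-key value are placeholders.

```python
"""Offline audit of SPF, DKIM and DMARC records.

Added example, not from the original post. It checks record text that has
already been fetched (here, constructed sample records), so it needs no DNS
access; the domain names and the key value are placeholders.
"""
from typing import Dict, List


def parse_tag_record(txt: str) -> Dict[str, str]:
    """Parse the 'tag=value; tag=value' syntax shared by DKIM and DMARC records."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")   # split on the first '=' only
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_spf(txt: str) -> List[str]:
    """Flag SPF records that let unlisted hosts send mail as the domain."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record missing or malformed"]
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        return ["SPF: no 'all' mechanism, so unlisted senders are neither failed nor soft-failed"]
    last = all_terms[-1]
    qualifier = last[0] if last[0] in "+-~?" else "+"   # a bare 'all' means '+all'
    if qualifier in "+?":
        return [f"SPF: '{last}' allows any host to send as the domain"]
    if qualifier == "~":
        return ["SPF: '~all' is soft fail; move to '-all' once DMARC reports show only legitimate senders"]
    return []


def audit_dkim(txt: str) -> List[str]:
    """Flag DKIM selector records that cannot verify signatures."""
    if not txt.strip():
        return ["DKIM: no record published for the selector"]
    tags = parse_tag_record(txt)
    if tags.get("v", "DKIM1").upper() != "DKIM1":   # v= is optional in RFC 6376
        return ["DKIM: unexpected version tag"]
    findings = []
    if not tags.get("p"):
        findings.append("DKIM: empty p= tag means the key is revoked; signed mail will fail verification")
    if "y" in tags.get("t", "").lower().split(":"):
        findings.append("DKIM: t=y testing flag set; receivers may disregard failures")
    return findings


def audit_dmarc(txt: str) -> List[str]:
    """Flag DMARC records that neither enforce a policy nor report on it."""
    tags = parse_tag_record(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record missing or malformed"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in {"none", "quarantine", "reject"}:
        findings.append("DMARC: p= tag missing or invalid")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports arrive to monitor")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail flow")
    return findings


def audit_domain(records: Dict[str, str]) -> List[str]:
    """Run all three checks over a dict holding 'spf', 'dkim' and 'dmarc' record text."""
    return (audit_spf(records.get("spf", ""))
            + audit_dkim(records.get("dkim", ""))
            + audit_dmarc(records.get("dmarc", "")))


# Constructed sample records; example.com and the key value are placeholders.
WEAK_RECORDS = {
    "spf": "v=spf1 include:_spf.mailer.example.com +all",
    "dkim": "v=DKIM1; k=rsa; p=",
    "dmarc": "v=DMARC1; p=none",
}
HARDENED_RECORDS = {
    "spf": "v=spf1 include:_spf.mailer.example.com -all",
    "dkim": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100",
}

if __name__ == "__main__":
    for label, recs in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(f"== {label} ==")
        for finding in audit_domain(recs) or ["no findings"]:
            print(" ", finding)
```

The `rua=` check is the one that ties back to the “active monitoring” point: a DMARC record with no reporting address gives you no aggregate reports, so you have no way of knowing whether legitimate senders are failing or whether anyone is spoofing the domain, whatever policy is set.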
4. Reassess Phishing Awareness Training
Phishing training is likely part of your programme, but now is a good time to ensure it covers email security best practices in a practical, actionable way. Key areas to review:
- Email habits: Encourage simple daily habits like verifying the sender’s email address before responding, avoiding public Wi-Fi when accessing company emails, and never clicking on “urgent” requests for sensitive data without verifying the source.
- Practical Tip: Track how often employees report suspicious emails. If the numbers are low, send a quick reminder explaining how to report suspicious emails and why it’s crucial to stay alert.
Key Takeaways for Cyber Security Month
Cyber Awareness Month is the perfect time to take a breather and look over your Cyber Security strategy. We know your schedule is packed and keeping on top of everything can feel overwhelming. But sometimes, the most effective changes are hiding in plain sight—the security basics.
Cyber Security isn’t about doing everything at once—it’s about making consistent, manageable improvements that protect your business. If you’re unsure whether you’ve got all the bases covered or need support implementing these steps, we’re here to help.
Equilibrium Security can assess your current security posture and guide you through the improvements, so you stay one step ahead of evolving threats. Don’t wait for a breach to uncover your vulnerabilities—get in touch with us today at 0121 663 0055 or email enquiries@equilibrium-security.co.uk
Ready to achieve your security goals? We’re at your service.