
Spotlight: 2025 Cybersecurity Awareness Month Best Practices

By WebCE Staff

October 1, 2025


Happy Cybersecurity Awareness Month! Every October, the Cybersecurity & Infrastructure Security Agency (CISA) leads this national effort to help organizations and individuals combat the rising number of digital threats. The initiative's main priority is to promote cybersecurity best practices in order to reduce a category of crime that has been growing rapidly.


In that spirit, we're sharing the most essential cybersecurity best practices to safeguard your data, your clients, and your future.

Cybersecurity Best Practices 

This year, CISA lists the following cybersecurity best practices as the essential foundation for any organization or individual looking to protect their sensitive information from criminals.  


Train Employees to Spot Phishing

Phishing was the most frequently reported cybercrime to the FBI in 2024, a year in which reported losses from cyberattacks increased 33% over 2023. Training employees to recognize and report phishing is the first line of defense for every organization. A single link or attachment can compromise an entire system, making every untrained employee a gap in your cyber defense, and phishing attempts grow more sophisticated each year. This is why CISA recommends keeping your entire staff updated on the latest cyber threats with cybersecurity training.


Phishing & Spearphishing 

Phishing and spearphishing impersonate credible sources in a fraudulent attempt to obtain sensitive information.  


Phishing – a message from a seemingly trusted entity, such as your bank or employer, asking to click a link, download an attachment, or provide information, often with a strong sense of urgency or threat. 


Spearphishing – a targeted form of phishing, personalized with specific information about the victim or organization, often gathered from public sources like LinkedIn, company websites, or social media. 


These attacks attempt to evoke an emotional response from their target, so the victim clicks on a link, downloads an attachment, or provides information or even money before looking for signs of a scam.  


How to Identify Phishing Attacks 

Before clicking or downloading anything, look for signs to ensure the message is not a phishing email.  


  • Verify the Source. Look for a misspelled or unfamiliar email address. For example, “support@rnicrosoft.com,” where the “m” in “microsoft” is actually an “r” and “n” together; or a “PayPal” email sent from a “@gmail.com” email address. 

  • Inspect the URL. Don’t rely on the linked text alone; hover over the link to see the destination URL before clicking. 

  • Review the email for errors. Spelling and grammar errors are red flags, as is information that seems too generic.  

  • Resist urgency, fear, & pressure. Criminals don’t want you to notice any of the signs of phishing. They want you to act before thinking. That’s why these attacks often rely on emotional reactions, such as “Your account will be suspended.” or “Immediate action required!”  


In short, pause to look for signs of an attack, then make an informed decision.  
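The checks above (a lookalike sender domain such as “rnicrosoft.com”, a brand name sent from a free-mail address, link text that does not match the real destination, and urgency phrases) can be turned into a small automated triage script. The following is an added example, not code from the original post or from WebCE; the trusted-brand table, the confusable-character substitutions, the urgency phrases and the sample message are all constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed table of brands this organisation expects mail from (assumption).
TRUSTED_DOMAINS = {"microsoft": "microsoft.com", "paypal": "paypal.com"}
# Free-mail providers a real brand would not send from (constructed list).
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com"}
# Urgency phrases from the article plus two common variants (constructed).
URGENCY = ["immediate action required", "account will be suspended",
           "within 24 hours", "verify now"]
# Character pairs that look alike at a glance: "rn" reads as "m", etc.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")]


def skeleton(domain):
    """Collapse look-alike character sequences so rnicrosoft.com == microsoft.com."""
    d = domain.lower()
    for lookalike, real in CONFUSABLES:
        d = d.replace(lookalike, real)
    return d


def check_sender(display_name, address):
    """Flag lookalike domains and brand names sent from unrelated domains."""
    flags = []
    domain = address.rsplit("@", 1)[-1].lower()
    for brand, real in TRUSTED_DOMAINS.items():
        if domain == real or domain.endswith("." + real):
            continue  # genuine sender domain for this brand
        if skeleton(domain) == skeleton(real):
            flags.append(f"lookalike sender domain {domain} imitates {real}")
        elif brand in display_name.lower():
            flags.append(f"'{display_name}' claims {brand} but sent from {domain}")
    return flags


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html):
    """Flag links whose visible text names one host but whose href goes elsewhere."""
    parser = LinkCollector()
    parser.feed(html)
    flags = []
    for href, text in parser.links:
        href_host = (urlparse(href).hostname or "").lower()
        shown = re.search(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        if shown:
            text_host = shown.group(0)
            if text_host != href_host and not href_host.endswith("." + text_host):
                flags.append(f"link text '{text}' but destination is {href_host}")
    return flags


def check_urgency(html):
    """Flag pressure phrases in the message body (tags stripped first)."""
    body = re.sub(r"<[^>]+>", " ", html).lower()
    return [f"urgency phrase: '{p}'" for p in URGENCY if p in body]


def analyze(display_name, address, html):
    """Return every red flag found; an empty list means no sign was spotted."""
    return (check_sender(display_name, address)
            + check_links(html)
            + check_urgency(html))


# Constructed sample message exhibiting all four warning signs.
SAMPLE_HTML = ('<p>Your account will be suspended. Immediate action required!</p>'
               '<a href="http://microsoft.com.login-example.net/verify">'
               'https://login.microsoft.com</a>')

if __name__ == "__main__":
    for flag in analyze("Microsoft Support", "support@rnicrosoft.com", SAMPLE_HTML):
        print("FLAG:", flag)
```

The domain-skeleton comparison is deliberately crude: it catches the “rn”/“m” trick from the article but not every homoglyph, so treat a clean result as “no obvious sign found” rather than proof the message is genuine.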


Require Strong Passwords 

Requiring strong passwords is a simple but crucial step to blocking criminals from accessing your data through guessing or automated attacks.  


What Makes a Password Strong?

CISA recommends including ALL THREE of the following to create a strong password: 


At least 16 characters long. 

The longer the password, the more difficult it is to guess. 


Make it random. 

Passwords with identifying information are some of the most easily guessed passwords. To combat this, create a random password. Here are two ways to make it random: 

  1. A random string of mixed-case letters, numbers, and symbols: 

    1. XYweyfd8*&juD!dsaa9 

    2. Euv1$PjE82%QbLLtra98t 

  2. A memorable phrase of 4 to 7 unrelated words, also called a “passphrase”: 

    1. Good: HorsePurpleHatRun 

    2. Great: HorsePurpleHatRunBay 

    3. Best: Horse Purple Hat Run Bay Lifting 


Never Reuse a Password. 

Never use the same password for multiple accounts. CISA recommends a different strong password for each account. For example: 

  1. Bank: t4grt8cPf50vgL2 

  2. Email: scarf back freehand facility basketball 

  3. Social media: i298xN0Lk1jd%n 


Complex, random passwords can be difficult to remember. This is exactly why CISA recommends a password manager. Password managers save all your passwords under a master password, often paired with multifactor authentication, for an added layer of security. They can also automatically fill in logins, so you don’t have to type your lengthy passwords, and they can even generate and save complex passwords for you.  
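To show why the three properties above (length, randomness, no reuse) matter, here is an added example that generates both kinds of random secret the article describes and estimates how much guessing work each represents. It is not code from the original post or from WebCE. The small word list is constructed for the demo (a real passphrase generator would draw from a list of several thousand words, such as the 7,776-word diceware list used in the entropy figure below), and the guessing rate used for the time estimate is an assumption.

```python
import math
import secrets
import string

# Constructed miniature word list; a real generator uses thousands of words.
WORDS = ["horse", "purple", "hat", "run", "bay", "lifting", "scarf", "back",
         "freehand", "facility", "basketball", "river", "candle", "orbit"]

# Printable characters used for random-string passwords.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def random_password(length=16):
    """Random string of mixed-case letters, digits and symbols (CISA's first method).
    The article's minimum of 16 characters is enforced."""
    if length < 16:
        raise ValueError("CISA recommends at least 16 characters")
    # secrets, not random: the choice must be unpredictable, not just well spread.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def passphrase(words, count=6, sep=" "):
    """Random passphrase of `count` unrelated words (CISA's second method)."""
    if not 4 <= count <= 7:
        raise ValueError("the article recommends 4 to 7 words")
    return sep.join(secrets.choice(words) for _ in range(count))


def char_entropy_bits(password):
    """Naive strength estimate: length x log2(size of character classes used).
    Only valid for passwords chosen uniformly at random, never for human-made ones."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += len("!@#$%^&*")
    return len(password) * math.log2(size) if size else 0.0


def passphrase_entropy_bits(word_count, wordlist_size=7776):
    """Entropy of a passphrase is word_count x log2(wordlist size), independent of
    word length; 7776 is the size of a standard diceware list (assumption)."""
    return word_count * math.log2(wordlist_size)


def average_crack_years(bits, guesses_per_second=1e10):
    """Expected time to guess at an assumed offline rate (constructed figure)."""
    expected_guesses = 2 ** bits / 2  # on average half the space is searched
    return expected_guesses / guesses_per_second / (3600 * 24 * 365)


if __name__ == "__main__":
    pw = random_password(20)
    pp = passphrase(WORDS)
    print("random password :", pw, f"~{char_entropy_bits(pw):.0f} bits")
    print("passphrase      :", pp)
    bits = passphrase_entropy_bits(6)
    print(f"6 words from a 7776-word list: {bits:.1f} bits, "
          f"~{average_crack_years(bits):.0f} years at 1e10 guesses/s")
```

Two things the numbers make visible: a six-word passphrase from a large list is as strong as a long random string while being far easier to remember, and each extra character or word multiplies the guessing work rather than adding to it, which is why the article's “16 characters” and “4 to 7 words” floors matter more than any single symbol rule.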


Use Multifactor Authentication

Multifactor authentication (MFA) adds a layer of security on top of a strong password. MFA adds an additional login requirement for each account on a network and acts as a failsafe. For example, after entering your password, an MFA screen will appear asking for a one-time password, valid only for a short window of time, sent via text message, email, or a password manager app. If a strong password is compromised, the criminal will still be locked out because they lack access to the MFA information. An MFA request that you did not initiate could be a sign of an attempted cyberattack.
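The “one-time password valid only for a short window” that an authenticator app produces is, in the common case, a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226). The following added example, not code from the original post or from WebCE, implements both sides: generating a code from a shared secret and verifying it with a tolerance of one 30-second step on either side. The shared secret is the RFC's published test key, used here only so the output can be checked against the standard's test vectors; a real enrolment generates a random secret per user.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step).
    This is what the authenticator app computes and displays."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, code, at_time=None, step=30, window=1, digits=6):
    """Server-side check. Accepts the current step plus `window` steps either
    side to absorb clock drift, which is why a code dies within about a minute.
    compare_digest avoids leaking how many digits matched via timing."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // step
    for candidate in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, candidate, digits), str(code)):
            return True
    return False


# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"); for vectors only.
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = time.time()
    code = totp(TEST_SECRET, now)
    print("code shown on the app right now:", code)
    print("accepted now?           ", verify_totp(TEST_SECRET, code, now))
    print("accepted 2 minutes later?", verify_totp(TEST_SECRET, code, now + 120))
```

Note what this does and does not protect: a stolen password alone cannot produce the code without the secret, but a code typed into a phishing page can be relayed by the attacker within the same window, which is one reason the article pairs MFA with phishing training rather than treating it as a replacement.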


Keep All Software Updated

Outdated software can contain exploitable flaws. Most updates to operating systems and other widely deployed software are security patches or maintenance updates. Vulnerabilities are discovered all the time and are addressed with software updates, so anyone running outdated software is exposed to a preventable cyberattack.


Online Cybersecurity Awareness Training Courses for Employees 

From how those in your organization respond to emails to keeping all software up to date, everyone plays a part in maintaining a strong cyber defense. Get online cybersecurity awareness training courses that help your organization understand how to best protect your data, your clients, and your future. 


With threats constantly evolving, ensure everyone knows the signs of a cyberattack with our Cybersecurity Awareness course.  


Learn how to assess your cyber risk and build your own “Human Firewall” with our Cybersecurity: Protecting Your Clients and Your Practice course. 


As attacks become more sophisticated and creative, the key to strong cybersecurity lies in creating and maintaining a human firewall acting as vigilant defenders of your organization’s digital and physical assets.
