Tips for Cybersecurity Awareness Month: Strong Passwords, Software Updates and More

In an era of ever-present cyber threats, a cyber-aware workforce and customer base is critical. 2025 marks the 22nd year of Cybersecurity Awareness Month, a collaboration between government and the private sector to raise awareness about digital security. The National Cybersecurity Alliance (NCA) and the Cybersecurity and Infrastructure Security Agency (CISA) work together to create resources that inform organizations and encourage them to talk to their employees about staying safe online and protecting themselves against malicious cyber actors.

Ensure your customers, members, employees or colleagues stay updated with the latest cybersecurity trends and best practices. This blog unpacks key behaviors to increase your cybersecurity awareness and stay safe online.

The Key to Your Account: How to Create a Strong Password—Until You Don’t Need One Anymore

Passwords are on their way out, and have been for years. As more organizations adopt passkeys and other password-less authentication mechanisms, the days of remembering dozens of complex logins are numbered. But until password-less access is universal, strong passwords remain one of the most important tools for protecting your digital identity.

In the meantime, the time you spend developing an effective password strategy during Cybersecurity Awareness Month will pay off year-round. Managing passwords is hard, mostly because of the sheer number of them the average person has to keep track of. In fact, the National Cybersecurity Alliance found that only 33% of individuals create unique passwords for all of their accounts, which shows why continued education on unique passwords matters: a password reused across sites is only as safe as the least secure site that stores it.

Although everyone seems to be looking for a password shortcut or workaround, long, complex passwords are critical to securing your accounts.

Make your passwords at least 15 characters long; length does more for strength than any single symbol, because every extra character multiplies the number of guesses an attacker must make. Mix uppercase letters, lowercase letters, numbers and symbols. Cracking tools prioritize the symbols that appear most often in leaked passwords, which are mostly the ones on the number row (!, @, #, $), so a colon, semicolon or comma is slightly less predictable. The strongest option of all is a long random password generated by a password manager, which needs no such tricks.

To maximize your digital security, use strong, unique passwords for every account. When creating passwords for different accounts, here are a few strategies to consider:

Building a Seed-Based Password

One approach is to build a seed password and adapt it for each account. The seed could be a form of a date, such as Au71985!, or include the year you set the password, e.g., 2025Yay! The key is to build uniqueness around the seed. You could also build uniqueness around the password's purpose, like using <Amzn> for your Amazon account or [1NBRocks!] for your account at First National Bank.

You can also add a reminder of when the password was set, such as SEP|23 or 20.09.23 for September 2023. The final password for the example above would be Au71985!<Amzn>SEP|23. Make the beginning and the end something you can reconstruct from the account, and change the date part whenever you change the password.

Two cautions before you adopt this scheme. A birthday is personal data an attacker can often look up, so prefer a date only you would associate with yourself. More importantly, the per-account token is the only part that changes, and it is easy to guess once a single password in the family leaks in a breach: anyone who sees Au71985!<Amzn>SEP|23 can guess the bank variant. Treat the seed scheme as a fallback for the few passwords you must type from memory, and let a password manager generate random ones for everything else.

Creating a Passphrase

Another approach is a passphrase: a short sentence such as 'I like sunny days!7'. The symbol and number at the end add some complexity, but the length is what does most of the work. You can also take the first letter of each word in a line of lyrics. For example, "Is this the real life? Is this just fantasy?" becomes 1ttrl? 1tjf?. Swapping the number one for the letter "I" adds a little complexity, though not much: substitutions like 1 for I and 0 for O are standard rules in password-cracking tools, and famous lyrics are in their word lists. A line only you would remember, or several unrelated words chosen at random, is far stronger than a well-known quotation.
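The two schemes above differ mostly in how many independent choices go into the secret, which is what cracking cost depends on. As an added example written for this article (not CSI's code and not a tool the article refers to), the Python below generates a random passphrase or password with the secrets module and puts numbers on the comparison. The word list is a constructed 16-word sample; the entropy figures assume the 7,776-word EFF long list that a real passphrase should draw from; and the offline guessing rate of 10^11 per second is an assumption for a fast unsalted hash on a GPU rig. A lyric-initials string like 1ttrl? 1tjf? cannot be scored this way, because its characters are not independent random choices; its real strength is closer to "how obscure is the lyric".

```python
"""Passphrase and password strength measured in bits of entropy.

Added example for this article (not CSI's code).  SAMPLE_WORDS is a
constructed 16-word list, far too small for real use (4 bits per word);
the figures in compare_schemes() assume the 7,776-word EFF long list.
"""
import math
import secrets
import string

SAMPLE_WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "granite", "harbor",
    "ivory", "juniper", "kestrel", "lantern", "meadow", "nectar", "orbit", "pebble",
]
EFF_LONG_LIST_SIZE = 7776                # 6^5 words, one per five dice rolls
PRINTABLE = string.ascii_letters + string.digits + string.punctuation   # 94 symbols


def entropy_bits(choices_per_position: int, positions: int) -> float:
    """Entropy of a secret made of `positions` independent uniform choices."""
    return positions * math.log2(choices_per_position)


def generate_passphrase(n_words: int, wordlist=SAMPLE_WORDS, sep: str = "-") -> str:
    """Random passphrase; secrets.choice is a CSPRNG, unlike random.choice."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def generate_password(length: int, alphabet: str = PRINTABLE) -> str:
    """Random character password of the kind a password manager produces."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years for an attacker at the given rate to try the whole keyspace."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare_schemes(offline_rate: float = 1e11) -> dict:
    """Entropy and brute-force cost for the schemes the article discusses.

    offline_rate is an assumed GPU rate against a fast unsalted hash; a slow
    hash such as bcrypt or Argon2 lowers it by orders of magnitude.
    """
    schemes = {
        "8 random printable chars": entropy_bits(len(PRINTABLE), 8),
        "15 random printable chars": entropy_bits(len(PRINTABLE), 15),
        "4 words, EFF long list": entropy_bits(EFF_LONG_LIST_SIZE, 4),
        "6 words, EFF long list": entropy_bits(EFF_LONG_LIST_SIZE, 6),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits, offline_rate))
            for name, bits in schemes.items()}


if __name__ == "__main__":
    print(generate_passphrase(4), generate_password(15))
    for name, (bits, years) in compare_schemes().items():
        print(f"{name:28s} {bits:6.1f} bits  {years:12.2e} years")
```

Running it shows the point of the section in numbers: four random words from a large list are roughly as strong as eight random printable characters (about 52 bits), while 15 random characters reach about 98 bits, and each added word or character multiplies the attacker's work.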


Secure Your Credentials with a Password Manager

Using a password manager also reduces the risk of unauthorized account access. These applications store the passwords for your online accounts in an encrypted vault unlocked by one strong master password, and they can generate a long random password for each new account so you never have to invent one. Most can also warn you when you reuse a password across accounts or when one of your passwords has appeared in a known data breach.
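The breach check a manager performs does not have to reveal your password to anyone. Here is the k-anonymity range protocol used by managers that query Have I Been Pwned's Pwned Passwords service, as an added example written for this article (not CSI's or any vendor's code): only the first five hex characters of the password's SHA-1 hash leave the device, and the comparison against the returned range happens locally. The range body in the block is a constructed sample with invented counts; the live endpoint URL and the Add-Padding header are real, but the block's offline demo never touches the network.

```python
"""Breached-password check via the Pwned Passwords k-anonymity range API.

Added example for this article (not CSI's or any vendor's code).  Only a
5-character hash prefix is sent; the suffix match is done on the client.
SAMPLE_RANGE_5BAA6 is a constructed response: the first suffix is the real
suffix of SHA-1("password"), the counts and other suffixes are invented.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"      # real endpoint


def split_hash(password: str):
    """SHA-1 the password; return (prefix sent to the API, suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a 'SUFFIX:COUNT' range response for our suffix; 0 if absent."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)           # padded filler entries carry count 0
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup (network).  Add-Padding hides the true range size on the wire."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "awareness-month-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in known breaches (0 = not found)."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch(prefix))


SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:10434004
1E7B2F04A8B2DDE0A30C3DB9A0F0E2B3C11:3
1F3B4E7C9D0A1B2C3D4E5F60718293A4B5C:0
"""


def offline_demo() -> tuple:
    """Run the check against the constructed range instead of the network."""
    fake_fetch = lambda prefix: SAMPLE_RANGE_5BAA6
    return (breach_count("password", fetch=fake_fetch),
            breach_count("granite-juniper-orbit-dune-42", fetch=fake_fetch))


if __name__ == "__main__":
    print(split_hash("password"))       # ('5BAA6', '1E4C9B93F3F0...')
    print(offline_demo())               # (10434004, 0)
```

Swap fake_fetch for fetch_range to run it for real. The design answers the "do they have access to your passwords?" question for this feature: a server that only ever sees a 5-character prefix, shared by hundreds of hashes, cannot learn which password was checked.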

For financial institutions and other organizations that deal with sensitive information, it’s critical to conduct due diligence on any software or application before implementation, including your password manager. If you’re thinking of using a password manager for your personal accounts, here are some questions to consider:

  • What’s the reputation of the password manager?
  • How long has the password manager been around?
  • Have they had a major data breach?
  • Do they have access to your passwords, or is the vault encrypted on your device before anything is synced?
  • How is your data encrypted, and has the design been independently audited?

Answering these questions before choosing a password manager can help you determine a good fit. When developing your password creation and management strategy, the best path is to find a password scheme that works for you and leverage a trusted password manager that meets your needs.

Why Use Multi-Factor Authentication?

Since today’s consumers have multiple online accounts to keep up with, it’s no surprise multi-factor authentication (MFA) is one of the four key behaviors for Cybersecurity Awareness Month. MFA shouldn’t be considered optional on critical accounts, as it significantly reduces your risk of account takeover and strengthens security. Unfortunately, according to a 2025 report from NCA and CybSafe, MFA adoption remains inconsistent. Only 17% of Gen Z respondents reported using MFA regularly, versus 49% of Baby Boomers.

MFA requires a second piece of evidence, beyond the password, when you log in. One-time codes sent by text message or email are common and are better than nothing, but they can be intercepted through SIM swapping or simply phished along with the password, so an authenticator app is a more secure choice. Google, Microsoft and others offer authenticator apps for this purpose. Where a site supports it, a passkey or a hardware security key is stronger still: the credential is tied to the genuine site, so it cannot be replayed to a look-alike login page.

While activating MFA adds an extra step to access your account, it could make the difference between a minor headache and a major setback. If you skipped MFA on your bank account because of the added friction at login, and that account is then breached and drained, or your identity stolen, you will wish you had taken the time to set up that extra layer of protection.

Mitigating Vulnerabilities by Updating Software

Before discussing the need to keep software up to date, consider the software you have in the first place. Take inventory of everything installed on your devices and uninstall anything you don't need. Limiting a device to necessary software shrinks its attack surface: attackers can't exploit something that isn't there. Institutions should go a step further with application allowlisting (also called whitelisting), so that employees can install only pre-approved software or must request an exception.

As tempting as it is to hit the "update later" button, don't wait when prompted to install a security update. Better yet, enable automatic updates. Attackers actively hunt for and exploit known vulnerabilities, often within days of a patch being published, and many updates exist precisely to close them. After an update, confirm that the old version is really gone. Some installers, particularly for runtimes and plug-ins, install side by side and leave the previous version and its libraries on disk, so the vulnerable code is still there to be exploited.

Additionally, grant software only the permissions it needs. If an app on your phone has no reason to use the camera or microphone, don't allow it to. As you review your software, look for anything the vendor no longer supports. Software that has been abandoned or deprecated no longer receives security patches, which makes it an open entry point for attackers. Microsoft notes that unsupported legacy applications are often the "silent culprits" behind successful cyberattacks.

If your device can’t run up-to-date supported software due to hardware limitations, that’s a good signal that it’s time to replace it.

One timely example: support for Windows 10 ended on October 14, 2025. If you haven't already, upgrade your operating system to Windows 11 so you keep receiving vital security patches. If the hardware can't run Windows 11 (it requires TPM 2.0 and a supported processor), Microsoft's Extended Security Updates program buys a limited amount of time, but it is a stopgap, not a substitute for replacing the device.


How to Recognize and Report Phishing

Modern phishing schemes are increasingly difficult to detect. The best general rule is simple: trust your gut. If something feels off, it probably is. If an unexpected message urges you to log in right away or open an encrypted document, pause and verify. Confirm with the sender over the phone or in person, using a number you already have rather than one from the message, and do not simply reply to the email. Good email filters and phishing prevention tools block many threats, but an attachment that is encrypted or password-protected cannot be inspected by the filter, so it often passes through. Criminals use such attachments precisely because they look official and secure, so treat them with extra suspicion.
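The "something feels off" signals can also be checked mechanically. Below is an added example written for this article (not CSI's tooling) that pulls four of the classic red flags out of a raw email using only Python's standard library: a Reply-To that routes to a different domain than the From address, a display name that is itself an address at a domain the real sender does not own, urgency language in the subject, and a link whose visible text shows one host while the href leads to another. Both messages in the block are constructed, with reserved .example domains. It is a teaching aid rather than a replacement for a mail filter: a real phishing email will not always trip these checks, and a legitimate newsletter sometimes will.

```python
"""Mechanical red-flag checks on a raw e-mail message.

Added example for this article (not CSI's tooling).  Both sample messages
are constructed and use reserved .example domains.
"""
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify", "action required")
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-zA-Z]{2,}(/\S*)?")


def _domain(address: str) -> str:
    """Domain part of an address, lower-cased ('' if there is none)."""
    return address.rpartition("@")[2].lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _html_body(msg) -> str:
    for part in msg.walk():                 # first text/html part, decoded
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True)
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def phishing_indicators(raw_message: str) -> list:
    """Human-readable findings for one message; an empty list means no red flags."""
    msg = email.message_from_string(raw_message)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    # Replies silently go somewhere other than the apparent sender.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append(f"reply-to-mismatch: {from_addr} -> {reply_addr}")
    # Display name is itself an address, at a domain the real sender does not own.
    if "@" in from_name and _domain(from_name) != _domain(from_addr):
        findings.append(f"display-name-spoof: '{from_name}' actually from {from_addr}")
    # Pressure to act now is the social-engineering lever.
    hits = [w for w in URGENCY_WORDS if w in (msg.get("Subject") or "").lower()]
    if hits:
        findings.append("urgency: " + ", ".join(hits))
    # Link text shows one host while the href points at another.
    collector = _LinkCollector()
    collector.feed(_html_body(msg))
    for href, text in collector.links:
        if LOOKS_LIKE_URL.fullmatch(text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname
            real = urlparse(href).hostname
            if shown and real and shown != real:
                findings.append(f"link-mismatch: shows {shown}, goes to {real}")
    return findings


# Constructed phishing sample: impersonated display name, foreign Reply-To,
# urgency in the subject, link text that hides the real destination.
SAMPLE_PHISH = """\
From: "it-helpdesk@firstnational.example" <alerts@mail-notify.example>
Reply-To: recovery@webmail-recovery.example
To: teller@firstnational.example
Subject: URGENT: your account will be suspended
Content-Type: text/html; charset="utf-8"

<html><body><p>Log in within 24 hours to keep access:</p>
<a href="http://login.mail-notify.example/auth">https://online.firstnational.example</a>
</body></html>
"""

# Constructed benign sample for comparison.
SAMPLE_LEGIT = """\
From: Payroll <payroll@firstnational.example>
To: teller@firstnational.example
Subject: March pay stubs are available
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://hr.firstnational.example/paystubs">https://hr.firstnational.example/paystubs</a></body></html>
"""

if __name__ == "__main__":
    print(*phishing_indicators(SAMPLE_PHISH), sep="\n")
    print(phishing_indicators(SAMPLE_LEGIT))   # []
```

The link check is the one most worth internalizing as a habit: hover before you click, and if the address in the status bar is not the one the text shows, stop.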

Cybersecurity is an arms race. As defenses evolve alongside technology, fraudsters adapt their tactics to exploit new tools and evade detection. One of the latest trends is QR-code phishing (or "quishing"), in which attackers hide malicious links in QR codes in emails, on flyers, even on restaurant menus. A QR code in an email is just an image, so URL filters never see the link inside it, and scanning it moves you onto a phone that may lack your organization's protections. If you didn't expect it, don't scan it.

AI has become a powerful weapon for fraudsters as much as it has a shield for businesses. Fraudsters now use AI to craft convincing, personalized phishing emails at scale, making traditional cues like poor grammar or awkward phrasing less reliable. The best defense against phishing and other social engineering schemes is vigilance. Always be on the lookout for red flags and question anything unusual.

Perhaps even more concerning is the rise of AI voice impersonation. With just a few seconds of recorded speech, fraudsters can clone a person’s voice and produce realistic speech to request money, credentials, or sensitive access. If you get a surprising voice call or voicemail that sounds like a colleague or family member, verify through a known number or trusted channel before acting.

Even the most vigilant users slip up occasionally, so keep multiple layers of defense in place; this is where controls like MFA and security monitoring earn their keep. If you think you have been phished, report it right away: use the report-phishing button in your mail client so the message is blocked for others, contact your IT department, and if you entered a password, change it and sign out of all active sessions for that account.

What’s the Difference between Spam and Phishing?

While spam and phishing can be connected, a cybersecurity-savvy user should know the difference between them. Spam is an unsolicited bulk message, usually an advertisement, also known as junk mail. Annoying as it is, spam is not always malicious, though it can be. Spam is also easier to identify than phishing, thanks to generic greetings, typos or unrealistic offers.

Phishing, on the other hand, entails an email or other message from a fraudster that appears to come from a legitimate source seeking personal information. In other words, fraudsters drop a hook in the water in the form of a seemingly legitimate email containing an urgent call to action and hope that someone bites.

The Secret Sauce for Staying Safe Online

Now that we’ve explored key behaviors for Cybersecurity Awareness Month and beyond, it’s critical to implement these best practices to maximize security. If you’re looking for an easy way to keep these behaviors top of mind, here’s the “secret SAUCE” for staying safe online:

  • Security: Secure yourself and your data. Avoid untrustworthy websites and links, and back up your data regularly (and check that the backup actually restores). Maintain good security practices like using passkeys, authenticator applications, unique passwords and a password manager.
  • Authentication: As previously mentioned, strong passwords and MFA enabled everywhere you can strengthen your security.
  • Updates: Do not use out-of-date software or systems. If your phone or operating system (like Windows) can no longer receive updates, it's time to replace it. Every application you use should be set to install security updates automatically.
  • Cybersmart: Know what the bad guys are doing and stay vigilant. Phishing attempts are growing more sophisticated, so don't click links or attachments in unexpected emails, don't scan QR codes you weren't expecting, and be mindful of what you say on the phone.
  • Encryption: Use WPA3 on your home Wi-Fi if your router supports it (WPA2 at a minimum). On public Wi-Fi, use a VPN or switch to your phone's cellular connection, especially when logging into bank accounts or accessing other sensitive information.

Prioritizing Your Cybersecurity Awareness

Though Cybersecurity Awareness Month may only last 31 days, it pays to be cyber smart all year long. Familiarizing yourself and others with the behaviors discussed in this blog will improve your approach to cybersecurity and mitigate your risk of becoming a victim. And if you’re part of a community financial institution, awareness doesn’t stop with you. Sharing these same tips with your customers and community can help protect everyone.

To learn more about strengthening your institution’s cybersecurity posture, download our white paper.


Steve Sanders, Chief Risk Officer and Chief Information Security Officer

In his role, Steve leads enterprise risk management and other key components of CSI’s corporate compliance program, including privacy and business continuity. He also oversees threat and vulnerability management as well as information security strategy and awareness programs. With more than 15 years of experience focused on cybersecurity, information security and privacy, he employs his strong background in audit, information security and IT security to help board members and senior management gain a command of cyber risk oversight.
