Every October, millions of people worldwide unite for a critical mission: strengthening our collective defense against cyber threats. Cybersecurity Awareness Month 2025 marks its 22nd year with an urgent theme: Building a Cyber Strong America. The goal is to emphasize the vital role of critical infrastructure, small and medium businesses, and government entities in protecting the systems and services that sustain our daily lives.
In the first five weeks of 2025 alone, ransomware incidents in the U.S. increased by 149% year over year, with 378 attacks compared to 152 during the same period in 2024. Meanwhile, voice phishing attacks surged 442% between the first and second halves of 2024, driven by AI-generated phishing and impersonation tactics.
While these threats impact organizations of all sizes, small and medium-sized businesses (SMB) face unique challenges: limited IT resources, smaller budgets, and the mistaken belief that they’re “too small” to be targeted. In reality, cybercriminals often prefer SMBs precisely because they typically have weaker defenses than enterprise organizations.
What is Cybersecurity Awareness Month?
Cybersecurity Awareness Month has been celebrated every October since 2004, when the U.S. Department of Homeland Security and the National Cybersecurity Alliance joined forces to raise public awareness about cybersecurity. What began as a modest initiative has evolved into a global movement spanning governments, businesses, and individuals committed to building a safer digital world.
Led by the Cybersecurity and Infrastructure Security Agency (CISA), this year’s campaign focuses on government entities and small and medium businesses that are vital to protecting the systems and services that sustain us every day and make America a great place to live and do business: the nation’s critical infrastructure.
The campaign provides free resources, toolkits, and educational materials designed to help everyone, from individual users and SMBs to large corporations, strengthen their cybersecurity posture.
Building a Cyber Strong America
The 2025 theme, “Building a Cyber Strong America,” highlights the need to strengthen the country’s infrastructure against cyber threats, ensuring resilience and security. This focus acknowledges a fundamental reality: much of America’s critical infrastructure is owned and operated by state, local, tribal, and territorial governments as well as private companies.
Additionally, vendors, suppliers, and other parts of the supply chain that support or connect to critical infrastructure play a critical cybersecurity role. For SMBs, this theme is particularly relevant. You may not think of your business as “critical infrastructure,” but if you’re a supplier, vendor, or service provider to larger organizations, you’re part of that infrastructure chain. A breach at your company could cascade into much larger systems.
The AI-powered cyberthreat landscape
While AI offers tremendous cybersecurity capabilities, cybercriminals are weaponizing the same technology to launch more sophisticated attacks. Cybercriminals are using artificial intelligence to create deepfake videos, clone voices, and generate convincing phishing emails that bypass traditional detection methods.
Deepfake fraud caused financial losses exceeding $200 million in Q1 2025 alone. The accessibility of this technology has democratized fraud: voice cloning now requires just 20-30 seconds of audio, while convincing video deepfakes can be created in minutes using freely available software.
A clear example of this threat happened as early as January 2024, when an employee at engineering firm Arup authorized 15 transfers totaling $25.5 million during a video call. Only weeks later did the devastating truth emerge: every person on that call, except the victim, was an AI-generated deepfake.
How to prevent AI cyberthreats
Organizations must evolve their defenses to address these AI-powered threats:
- Train employees to recognize not just email phishing, but voice and video deepfakes
- Implement out-of-band verification for high-stakes requests, especially financial transactions
- Establish protocols that require multiple approvals for sensitive actions
- Use AI-powered security tools that can detect deepfakes and synthetic media
- Foster a culture where questioning suspicious requests is encouraged, not discouraged
Simple steps that can improve your business's cybersecurity
Organizations must take a comprehensive approach to cybersecurity to ensure compliance, protect intellectual property, and guarantee business continuity. Beyond employee training and incident response planning, implementing fundamental security controls creates a robust defense-in-depth strategy.
Cybersecurity Awareness:
Effective Steps to Protect Your Business
Implement strong passwords and multi-factor authentication (MFA)
Implementation difficulty: Low
Impact: High
Weak credentials remain the #1 entry point for attackers. When an employee uses “Company2025!” across multiple sites, a breach at any of those sites compromises your business systems. Multi-factor authentication (MFA) requires users to verify their identity with two or more factors: something they know (password), something they have (phone, security key), or something they are (fingerprint). Even if attackers steal passwords through phishing, they can’t access your systems without that second factor.
Organizations should enforce password policies requiring:
- Minimum 12-character passwords with complexity requirements.
- Password managers for all employees to prevent reuse.
- Regular password rotation for privileged accounts.
- Multi-factor authentication, or at least 2FA, on all systems, especially remote access, email, and administrative accounts.
Deploy endpoint detection and response (EDR)
Implementation difficulty: Medium
Impact: Very High
Traditional antivirus works like a wanted poster – it only catches threats it already knows about. Endpoint detection and response (EDR) is smarter: it watches how programs behave on your computers, phones, and servers, flagging suspicious activities even from never-before-seen threats.
For example, if a document suddenly starts encrypting thousands of files (ransomware behavior), EDR detects this pattern and automatically isolates that device before the infection spreads to your entire network.
To deploy EDR effectively in your organization:
- Choose a solution with managed detection and response (MDR) if you lack 24/7 security staff.
- Start with critical systems (servers, admin workstations) before rolling out to all devices.
- Configure automatic isolation rules for ransomware behaviors.
- Enable real-time alerting to your IT team or security provider.
- Test response procedures quarterly with simulated attacks.
For SMBs: Modern EDR solutions designed for small businesses include managed services, meaning security experts monitor your systems for you.
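The behavioral idea described above (one process rewriting many files with encrypted-looking data in a short time) can be sketched as follows. This is an added example, not code from this article or from any EDR product; the event format, thresholds, host names, and process names are constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10    # assumed sliding-window length
FILE_THRESHOLD = 5     # assumed: distinct files rewritten within one window
ENTROPY_CUTOFF = 7.5   # bits per byte; encrypted output sits close to 8.0

# Constructed telemetry: (time_s, host, process, pid, path, entropy_of_written_data)
EVENTS = (
    # A user saving an ordinary document: low entropy, never counted.
    [(t, "ws-014", "winword.exe", 4120, r"C:\Users\ana\plan.docx", 4.9) for t in (0.0, 40.0)]
    # A backup job: high-entropy archives, but only one file every 30 seconds.
    + [(30.0 * i, "srv-01", "backup.exe", 2200, rf"D:\bk\set{i}.zip", 7.9) for i in range(6)]
    # An unknown binary rewriting eight different files in four seconds.
    + [(100 + 0.5 * i, "ws-022", "upd.exe", 5388, rf"C:\Share\q{i}.xlsx", 7.98) for i in range(8)]
)

def detect_mass_encryption(events, window=WINDOW_SECONDS,
                           threshold=FILE_THRESHOLD, cutoff=ENTROPY_CUTOFF):
    """Return {(host, pid): alert_time} for processes that write high-entropy
    data to at least `threshold` distinct files inside one sliding window."""
    recent = defaultdict(deque)          # (host, pid) -> (time, path) entries
    alerts = {}
    for t, host, _proc, pid, path, entropy in sorted(events):
        if entropy < cutoff:
            continue                     # ordinary content, not counted
        q = recent[(host, pid)]
        q.append((t, path))
        while t - q[0][0] > window:      # drop writes older than the window
            q.popleft()
        # Distinct paths, so one file saved repeatedly does not trigger.
        if len({p for _, p in q}) >= threshold:
            alerts.setdefault((host, pid), t)
    return alerts

def hosts_to_isolate(alerts):
    """Hosts an automatic isolation rule would quarantine."""
    return sorted({host for host, _pid in alerts})

if __name__ == "__main__":
    found = detect_mass_encryption(EVENTS)
    print(found, hosts_to_isolate(found))
```

The backup job is the case to watch when tuning: it produces the same high-entropy writes as ransomware, and only the rate of distinct files per window separates the two.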
Implement network segmentation
Implementation difficulty: Medium
Impact: High
Network segmentation involves dividing a network into isolated segments based on sensitivity and business needs. This network security strategy limits the potential impact of security breaches by preventing attackers from moving freely across your entire network.
Think of network segmentation like the watertight compartments on a ship. If one compartment floods, sealed doors prevent water from sinking the entire vessel. Similarly, dividing your network into isolated segments can prevent security breaches.
Without segmentation, an attacker who compromises one employee’s laptop can “move laterally”, exploring your entire network, accessing file servers, financial systems, and customer databases.
Organizations should segment their networks to:
- Isolate critical systems and sensitive data from general user networks.
- Separate guest WiFi from internal corporate networks.
- Create dedicated segments for IoT devices and operational technology.
- Implement separate zones for development, testing, and production environments.
- Segment by department or function to enforce the principle of least privilege.
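One way to check that firewall rules actually respect a segmentation plan like the one listed above, as an added example that is not part of the original article. The zone addresses, the allowed-flow policy, and the rule set are all constructed assumptions.

```python
import ipaddress

# Assumed zone plan (constructed addresses) mirroring the segments listed above.
ZONES = {
    "guest":    "10.10.0.0/24",
    "users":    "10.20.0.0/24",
    "iot":      "10.30.0.0/24",
    "dev":      "10.40.0.0/24",
    "prod":     "10.50.0.0/24",
    "critical": "10.60.0.0/24",
}

# Assumed policy: the only zone-to-zone flows the business needs (src, dst, port).
ALLOWED = {
    ("users", "prod", 443),
    ("users", "critical", 443),
    ("prod", "critical", 5432),
}

# Constructed firewall rules to audit: (name, source CIDR, destination CIDR, port).
RULES = [
    ("web-access",    "10.20.0.0/24", "10.50.0.0/24", 443),
    ("app-to-db",     "10.50.0.0/24", "10.60.0.0/24", 5432),
    ("legacy-any",    "10.0.0.0/8",   "10.60.0.0/24", 445),
    ("cam-upload",    "10.30.0.7/32", "10.20.0.0/24", 22),
    ("dev-to-proddb", "10.40.0.0/24", "10.60.0.0/24", 5432),
]

def zones_touched(cidr):
    """Every zone a CIDR overlaps; a broad rule can reach several at once."""
    net = ipaddress.ip_network(cidr)
    return [z for z, c in ZONES.items() if net.overlaps(ipaddress.ip_network(c))]

def audit(rules):
    """Return (rule, src_zone, dst_zone, port) for each cross-zone flow
    that a rule permits but the policy does not."""
    findings = []
    for name, src, dst, port in rules:
        for s in zones_touched(src):
            for d in zones_touched(dst):
                if s != d and (s, d, port) not in ALLOWED:
                    findings.append((name, s, d, port))
    return findings

if __name__ == "__main__":
    for finding in audit(RULES):
        print(finding)
```

The `legacy-any` rule shows why overlap matters: a single broad source range quietly opens the critical segment to the guest, IoT, and development zones as well.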
Conduct employee training sessions
Implementation difficulty: Low
Impact: Very High
To comply with data privacy regulations, it is critical for businesses and organizations to cultivate a cyber-risk-aware culture through comprehensive employee training on cybersecurity best practices. This security-aware culture is developed by conducting regular cybersecurity awareness training, teaching employees to identify phishing attempts, establishing clear security protocols, and encouraging prompt incident reporting.
Effective security awareness training should be:
- Engaging: Use real-world examples and interactive content rather than dry presentations.
- Relevant: Tailor content to the specific threats your industry and organization face, including AI-powered attacks and deepfakes.
- Continuous: Provide regular refreshers and updates as threats evolve.
- Measurable: Track participation and comprehension to identify gaps.
Consider leveraging free resources from CISA’s Cybersecurity Awareness Month toolkit, which provides ready-made presentations, videos, and educational materials.
Pro tip: Training must include recognition of deepfake audio and video, not just traditional email phishing.
Run phishing simulations
Implementation difficulty: Medium
Impact: Very High
Phishing simulations send realistic (but harmless) phishing emails to employees, allowing them to practice identifying threats without real consequences.
When conducting phishing simulations:
- Start with obvious examples and gradually increase difficulty.
- Include AI-generated phishing examples to prepare employees for modern threats.
- Focus on education rather than punishment when employees click.
- Provide immediate feedback explaining what made the email suspicious.
- Track improvement over time to measure program effectiveness.
- Share results organization-wide to foster collective learning.
Consider incorporating vishing (voice phishing) and deepfake simulations into your training program.
Review and update your incident response plan
Implementation difficulty: Low
Impact: High
Despite best efforts, security incidents can still occur. The difference between a minor disruption and a catastrophic breach often comes down to how quickly and effectively an organization responds.
Ideally, you have an Incident Response Retainer (IRR) with a trusted team of professionals that can be contacted 24/7/365, and they can take immediate action that will prevent data loss, reduce or eliminate the ransom payment, and help you through any legal liabilities.
Your Incident Response Plan should include:
- Clear roles and responsibilities, with a designated incident commander, technical lead, and communications lead.
- Communication protocols that define escalation paths and notification procedures for stakeholders.
- Documented technical procedures with step-by-step containment, eradication, and recovery steps.
- Legal and regulatory considerations, including breach notification requirements and legal contact information.
- Recovery procedures with established priorities for restoring systems and validating data integrity.
As additional security measures, you can enable system logging on your systems to detect suspicious activity, back up data to speed recovery when incidents occur, and encrypt sensitive information to render stolen data useless.
ProvenData’s incident response services include incident response planning and 24/7 emergency response capabilities to help organizations prepare for and respond to security incidents effectively.
Take action and promote cybersecurity awareness
Cybersecurity Awareness Month serves as an important annual reminder, but true security requires year-round commitment. Talk with leadership and IT about adopting cybersecurity policies that include all of CISA’s best practices. Include your vendors and partners in the conversation so your whole supply chain is more secure.
Cybercriminals often choose the path of least resistance. By implementing basic security measures and fostering a culture of awareness, you significantly reduce your risk of becoming another statistic.
This October, commit to building a cyber-strong America. The digital threats are real and evolving, but so is our collective power to defend against them. Whether you’re protecting critical infrastructure, running a small business, or simply safeguarding your personal data, your actions matter.


