Cybersecurity Awareness Month: Why posters don’t change behaviour (and what does)
Dan Coleby
Ever seen a “Think Before You Click” poster in the office kitchen?
I have. And I’ve also seen the same organisation pay out six figures after a phishing attack. Awareness isn’t the problem. Action is.
October is Cybersecurity Awareness Month. You’ll see the usual slogans:
- “Stay Safe Online” – the National Cyber Security Centre’s push for practical basics: strong passwords, MFA, timely updates, and reporting suspicious activity.
- “Secure our NHS for the future” – NHS Digital’s campaign built on four pillars: Recognise, Respond, Reinforce, Reflect & Recover.
- Cyber Essentials & CAF – NCSC’s frameworks for embedding resilience, not just awareness.
- Resilience first – UK‑wide messaging tied to the upcoming Cyber Security and Resilience Bill: incident reporting, supply chain risk, and continuity planning.
All good intentions. But here’s the uncomfortable truth: awareness campaigns rarely move the needle on behaviour. Why? Because they stop at telling people what to do, instead of making it easy, and expected, to do it.
The Core 4 (and why they matter)
This year’s official theme boils down to four basics:
- Use strong passwords (or better, a password manager)
- Turn on MFA
- Update your software
- Report scams
Sound familiar? It should. These are the same fundamentals we’ve been preaching for a decade. The difference between “heard it” and “doing it” is operational friction.
As with any IT strategy or change, it is only valuable if it is effectively delivered!
From Posters to Playbooks
Here’s how to turn slogans into hard controls:
- Password managers: Stop emailing “please use a strong password” and start rolling out an enterprise-grade manager with SSO integration.
- Phishing-resistant MFA: Not just SMS codes; think FIDO2 keys or platform authenticators.
- Patch SLAs: Define and enforce service-level objectives (e.g., critical updates in 7 days).
- Report scams in one click: Add a “Report Phish” button in Outlook or Teams. Make it muscle memory.
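A patch SLA only becomes a "hard control" once something measures it. The script below is an added example, not code from the post or from The IT Strategy Coach: it takes a constructed inventory of pending patches and reports which hosts have breached their window. The 7-day critical window is the one the post cites; the other severity tiers, hostnames and patch ids are assumed values for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Patch SLA in days from vendor release, keyed by severity.
# 7 days for critical is the figure from the post; the other tiers are assumed.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}


@dataclass(frozen=True)
class PendingPatch:
    host: str
    patch_id: str
    severity: str
    released: date  # date the vendor published the fix


def days_overdue(patch: PendingPatch, today: date) -> int:
    """Days past the SLA deadline; 0 if still inside the window.
    An unknown severity falls back to the critical window (fail closed)."""
    window = SLA_DAYS.get(patch.severity.lower(), SLA_DAYS["critical"])
    deadline = patch.released + timedelta(days=window)
    return max(0, (today - deadline).days)


def sla_report(pending, today):
    """Return (breaches, compliance_pct): breaches is a list of
    (host, patch_id, severity, days_overdue) sorted worst first;
    compliance_pct is the share of pending patches still inside their window."""
    breaches = [(p.host, p.patch_id, p.severity, days_overdue(p, today))
                for p in pending if days_overdue(p, today) > 0]
    breaches.sort(key=lambda b: (-b[3], b[0]))
    total = len(pending)
    pct = 100.0 if total == 0 else round(100 * (total - len(breaches)) / total, 1)
    return breaches, pct


# Constructed sample inventory (hostnames and patch ids are made up).
SAMPLE = [
    PendingPatch("fs01", "KB-EXAMPLE-1", "critical", date(2025, 10, 1)),
    PendingPatch("ws-042", "KB-EXAMPLE-1", "critical", date(2025, 10, 1)),
    PendingPatch("web02", "KB-EXAMPLE-2", "high", date(2025, 10, 5)),
    PendingPatch("db01", "KB-EXAMPLE-3", "medium", date(2025, 10, 12)),
]
REPORT_DATE = date(2025, 10, 15)  # constructed "today" for the sample run


def sample_report():
    return sla_report(SAMPLE, REPORT_DATE)


if __name__ == "__main__":
    breaches, pct = sample_report()
    print(f"SLA compliance: {pct}% of pending patches inside their window")
    for host, pid, sev, late in breaches:
        print(f"  BREACH {host}: {pid} ({sev}) is {late} day(s) past SLA")
```

Feed it the output of your real patch inventory and the breach list becomes the ticket queue, which is the step that turns "update your software" from a slogan into an enforced objective.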
Why this matters now
Attackers don’t care about your awareness month. They care about your weakest link. And in 2025, that link is still human behaviour. Unless, that is, you design systems that make the secure path the easy path.
Final thought:
Culture beats compliance! But only if you give culture a fighting chance. Posters don’t do that. Systems, processes and real human engagement do!
Until next time, remember: IT strategy matters!
Dan - The IT Strategy Coach
IT Strategy Matters
Newsletter from The IT Strategy Coach, sharing thoughts, ideas and IT strategy community insights.