A successful cybersecurity awareness campaign requires intentional planning and thoughtful communication with stakeholders across the organization. The three ideas presented in this article can help you create an awareness calendar using a lightweight risk assessment method.
October means baseball playoffs, last-minute scrambling for Halloween costumes, and yes—Cybersecurity Awareness Month, a global initiative aimed at raising awareness about online safety and empowering organizations to protect themselves against cybercrime. This year, the National Cybersecurity Alliance is promoting the theme "Stay Safe Online" by focusing on the Core 4: using strong passwords and a password manager, turning on multifactor authentication, recognizing and reporting scams, and keeping software up to date.
In higher education, cyberattacks are on the rise. Institutions face an average of 4,356 attacks per week, and bad actors are infiltrating campus networks to steal data and disrupt operations.Footnote1 These attacks can cost colleges and universities millions in lost productivity and ransom payments.
That's the bad news. The good news is that Cybersecurity Awareness Month reminds everyone in the higher education community of our shared responsibility to help each other stay safe online.
Cybersecurity Awareness Month is about more than setting up firewalls, penetration testing behind the scenes, and checking the required compliance boxes. It's also about inspiring higher education users to rethink how they interact online, since individual choices play a critical role in protecting institutions and preparing the next generation of cyber-savvy individuals. Implementing a robust cybersecurity governance program provides a framework for aligning security practices with institutional missions, ensuring accountability, and creating a culture of shared responsibility. Beyond that, the 2025 EDUCAUSE Horizon Action Plan: Supporting Agency, Trust, Transparency, and Involvement highlights the importance of advancing cybersecurity and privacy practices and involving all stakeholders in this essential day-to-day work.
Developing a Cybersecurity Awareness Campaign
A successful cybersecurity awareness campaign requires intentional planning and thoughtful communication with stakeholders across the organization. Here are three ideas, along with some helpful resources, to help you create an awareness calendar using a lightweight risk assessment method.
#1 Understand Threats to Prioritize Campaigns
First, understand your threat landscape and consider the scope of existing and potential cyber threats. Which attack methods and bad actors are most likely to target your institution, and how can you spread awareness to minimize the threat potential?
Collaboration across the higher education community is essential to strengthening cybersecurity. Stay informed about threats affecting other institutions and share the lessons you have learned with your peers to help protect the broader community.
- The EDUCAUSE Cybersecurity Community Group is open to all EDUCAUSE members and provides a forum for exchanging insights, resources, and best practices.
- EDUCAUSE also offers events throughout the year on a variety of cybersecurity and risk management topics. Explore the calendar to find learning opportunities that fit your needs.
Once you understand the threat landscape, assess the potential impact and likelihood of specific cyber threats, and prioritize awareness around those with the greatest risk. Then, create an awareness campaign to target those threats.
- The downloadable resources included in the Hands-on Assessing Risks and Prioritizing Topics for Your Cybersecurity Training and Awareness session provide a structured process for assessing risk and building an awareness calendar.
- To learn more about creating a culture of change around cybersecurity awareness and risk management, read "Beyond Awareness Training: Transforming Human Risk Management into a Strategic Advantage," by Chris Madeksho in EDUCAUSE Review.
#2 Plan Ahead (and Don't Forget the Pizza!)
Second, create a communications plan that incorporates regular messaging to stakeholders. Use this plan to prioritize the most significant threats and schedule other messaging to fill in the gaps. Short, structured, and consistent communication across various channels helps keep cybersecurity awareness top of mind. Remember, though, that institutional stakeholders are busy. Don't overload them with communications, and leave space for just-in-time updates if urgent messaging is needed.
Also remember the power of in-person events and get creative to attract interest in cybersecurity training—whether that involves creating games or providing pizza to lure campus stakeholders.
- John Virden and Jay James share some fun ideas in the EDUCAUSE Shop Talk podcast episode "Cybersecurity as a Core Competency."
- Join the Cybersecurity and Privacy Awareness and Education Community Group to attend online events and learn about institutions creating cybersecurity awareness campaigns.
Pro tip: If you think your cybersecurity training is getting tedious, it probably is. Check out Mike Corn's monthly column "Hotline: Cybersecurity and Privacy" in EDUCAUSE Review for advice and new ideas. The May edition covers training, trust, and procurement.
#3 Stay Updated
Finally, stay flexible and update your cybersecurity awareness plan regularly. Establish an open line of communication with your peers and make sure you're reviewing threats consistently and adjusting your communications calendar to address new ones. The rise of artificial intelligence (AI) is accelerating the pace of change, and keeping higher education safe requires all of us to stay on our toes.
- Check out the EDUCAUSE Shop Talk podcast episode with David Seidl, "AI and Cybersecurity," for more on how AI is testing foundational approaches to cybersecurity.
- Not sure where to start? The EDUCAUSE Cybersecurity and Privacy Guide provides best practices, toolkits, and templates.
- Use the Higher Education Vendor Assessment Toolkit (HECVAT) to streamline procurement and measure vendor risk.
Protecting Higher Education from Cyber Threats Together
Cybersecurity Awareness Month is a starting point. By staying informed, sharing knowledge, and building a culture of awareness, you can help safeguard your own institution and the entire higher education community.
Notes
- Check Point Research,"Cyber Attacks Surge Against Education Sector Ahead of Back-to-School Season,"Check Point Blog, August 28, 2025. Jump back to footnote 1 in the text.
Isaac Galvan is Community Program Director, Cybersecurity and Privacy, at EDUCAUSE.
© 2025 Isaac Galvan. The content of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License