Cybersecurity Awareness Month may be drawing to a close, but threat actors don’t care—their attacks aren’t constrained to a season. We asked a few of our experts for the top aspects of security awareness they would like organizations to keep in mind this awareness month and beyond. From cloud security to new attacker tactics to overall messaging, here are their responses.

Leon Malkowych, Director, Professional Services

Too often, cybersecurity ends up being a negative message. Organizations run phishing simulations to test their users; sometimes, those who fail are “rewarded” with a PowerPoint on what they did wrong or a meeting with HR to tell them how much money their blunder could have cost the organization.

Breaches keep happening, and their root causes usually involve some human error or laxity. So, as we close out Cybersecurity Awareness Month, how do we continue to inspire people to join the fight? With education and a positive message.

Instead of scolding people for mistakes, we should be celebrating when people make smart moves—when they report an email supposedly from the CFO asking them to cut a check or when they tip off the security guard about a suspicious person in the hallway without a badge. The strongest thing we can do to educate and boost awareness is to empower people and celebrate them for doing the right thing.

We also need to speak to people in terms of what’s important to them. We aren’t so much protecting our corporate assets and enterprise devices as we are protecting the money we have all worked hard to earn and keep.

Malware and ransomware are a multibillion-dollar industry that’s funded by poor cybersecurity education. So, let’s engage people with positive messages that address what’s important to them.

Kenith Lewis III, Cloud Security Architect

Cloud is dead.

It may be October, but we’re not selling scares. If you trust your cloud environment is inherently secure, it’s as good as dead. 

It’s true that the cloud can be a great supplement or replacement for a traditional data center. But this Cybersecurity Awareness Month, whether you’re in one cloud service provider or many, it’s important to be aware of who’s responsible for keeping the cloud secure. Sure, Azure is responsible for the fences that keep the walking dead from entering their data centers, but you’re in charge of blocking the ghost in the wire from accessing your data. 

Navigating the new threat landscapes presented by the cloud can be tricky, but there are plenty of resources to help you out. Take a peek at this representation of the shared responsibility model for your cloud environment—while things are not always so cut and dried, it works for most situations. Knowing where your responsibility begins and ends will help you make the best decisions possible for your environment, so you can keep the house from becoming haunted.

Shaun Bertrand, Chief Services Officer

This Cybersecurity Awareness Month, organizations should make sure their users are aware of the current trending attack tactic of MFA fatigue. We’ve seen MFA fatigue being used in various attacks this year, with the breach of Uber being the most recent high-profile example.

An MFA fatigue attack happens when an attacker gains a user’s credentials and repeatedly attempts to log into the account, pushing a barrage of MFA approval requests to the account owner’s mobile device. The attack is successful when the user finally approves the access.

It may seem like a pretty phishy attack, but a user on the receiving end of it may pass it off as a bug in the authenticator app. Or if it catches the user at an inopportune time—like at 2:00 a.m.—they may approve the access just to stop the annoyance. Threat actors have also been known to convince victims to hit “approve” by reaching out to the victim via another channel, such as a messaging platform, and posing as IT support.

There are technical ways to mitigate these attacks, and this article has a good roundup of tips. But a huge part of defense when it comes to MFA fatigue is security awareness: Make sure your users know about these attacks so that if they experience one, they know first of all not to approve it, and secondly, they should know how to escalate the issue.
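
As an added example (not part of the original post and not the contributors' own code), here is one way a defender could flag the pattern described above in MFA push logs: several denied or unanswered prompts for one user in a short window, escalated when the burst ends in an approval. The event format, result values, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed format, not a real product's log schema):
# (ISO timestamp, user, result) with result "denied", "timeout" or "approved".
SAMPLE_EVENTS = [
    ("2022-10-28T02:00:05", "alice", "denied"),
    ("2022-10-28T02:00:40", "alice", "timeout"),
    ("2022-10-28T02:01:10", "alice", "denied"),
    ("2022-10-28T02:01:55", "alice", "timeout"),
    ("2022-10-28T02:02:30", "alice", "approved"),   # gives in after the barrage
    ("2022-10-28T09:00:00", "bob", "approved"),     # normal single login
    ("2022-10-28T09:30:00", "carol", "denied"),     # one mistap, hours before
    ("2022-10-28T13:00:00", "carol", "approved"),   # an unrelated login
    ("2022-10-28T03:10:00", "dave", "denied"),
    ("2022-10-28T03:11:00", "dave", "denied"),
    ("2022-10-28T03:12:00", "dave", "denied"),      # burst, never approved
]

def find_push_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Return {user: severity} for users whose push prompts look like MFA fatigue.

    "burst": at least `threshold` denied/unanswered prompts inside `window`.
    "approved_after_burst": such a burst was followed by an approval
    while still inside the window; treat it as a likely account takeover.
    """
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((datetime.fromisoformat(ts), result))

    findings = {}
    for user, rows in by_user.items():
        rows.sort()
        recent = []  # timestamps of denied/unanswered prompts still in window
        for ts, result in rows:
            recent = [t for t in recent if ts - t <= window]
            if result == "approved":
                if len(recent) >= threshold:
                    findings[user] = "approved_after_burst"
                recent = []  # an approval ends the current run of prompts
            else:
                recent.append(ts)
                if len(recent) >= threshold:
                    findings.setdefault(user, "burst")
    return findings

if __name__ == "__main__":
    for user, severity in sorted(find_push_bursts(SAMPLE_EVENTS).items()):
        print(f"{user}: {severity}")
```

A "burst" finding is a cue to contact the user and reset the password, since the attacker already holds valid credentials; "approved_after_burst" warrants revoking the session as well.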