What are the lessons of Cybersecurity Awareness Month?

Has Cybersecurity Awareness Month actually done any good?

As Cybersecurity Awareness Month enters its third decade, it’s worth asking whether it has truly made a difference. In an era when cybercriminals are continually ramping up their attacks, the educated technology user is still the best line of defense.

But knowing and doing are not the same thing. While some metrics point to users being more aware of good cybersecurity practices, others show that some — even among digital natives — just don’t care enough to follow them.

Cybersecurity Tribe featured a quote from an anonymous CISO in late 2023 that summed up the questionable value of awareness campaigns: “We are still making the same stupid mistakes we were 20 years ago.”

But does that assessment still hold true in 2025? In terms of knowledge, users are more aware than before. The Acronis Data Privacy Report 2025 found that two-thirds of consumers (68%) say they use strong, unique passwords, and 46% have adopted two-factor authentication (2FA). That’s a notable improvement compared to 2019, when Pew Research found that only about a quarter of adults in the U.S. could even identify an example of 2FA.

Meanwhile, managed service providers (MSPs) also show progress. According to the Acronis Cyberthreats Report H1 2025, exploits based on remote desktop protocol (RDP) dropped sharply for MSPs from 24% of all attacks to just 3% year over year. Abuse of valid accounts or credentials also decreased, from 15% to 13%.

However, attackers have moved to new vectors. The report revealed that phishing in collaboration apps like Teams jumped from 9% of all attacks to 30.5%. This shift suggests users and organizations have improved email defenses but still underestimate newer attack surfaces.

Nevertheless, there are other encouraging statistics, including one about the “human element” in data breaches. The number of successful attacks that involved user error continues to decline, from being present in 82% of global breaches in 2022 to just 60% in 2025, according to Verizon. User awareness and training are likely helping to reduce risk.

Still, both cybersecurity awareness and cybersecurity behavior have a long way to go.

For example, the Acronis survey on data privacy found that 30% of consumers still find security tools too hard to use, and 35% don’t back up data regularly. Users under 35, despite being digitally savvy, reported more data breaches than those aged 55–64.

Malicious links continue to work for cyberattackers, with the Acronis Cyberthreats Report H1 2025 finding that nearly 10% of users click on URLs that open the door to attacks. The statistic is frustratingly consistent from one month to the next.

Passwords also remain a sticking point. Security.org reports that about one in five users reuse the same few passwords everywhere, and over half of adults use unsecured methods like memorization, browser storage and written records to manage passwords. Those shortcuts undo much of the progress made in awareness.

So, Cybersecurity Awareness Month remains not just a good idea but something of a necessity. The theme for 2025, — Stay Safe Online: The Core 4 — emphasizes four foundational behaviors that every user should follow:

1. Use strong passwords and a password manager.
2. Turn on multifactor authentication (MFA).
3. Recognize and report phishing.
4. Store, access and share personal and organizational data safely.

The Core 4 are straightforward, but the challenge lies in consistent application. Training programs can introduce best practices, but awareness isn’t enough on its own. Organizations need to create a culture of cybersecurity, where security is part of daily conversations and leaders set an example by using MFA, reporting suspicious emails and openly reinforcing the importance of good cyber hygiene.

The threat landscape continues to evolve rapidly. AI is fueling a new generation of phishing, ransomware, and social engineering. According to the Acronis Cyberthreats Report H1 2025 social engineering and business email compromise (BEC) attacks rose to 25.6% of all threats, a sharp increase tied to the use of AI to create convincing impersonations.

At the same time, consumers and employees are showing signs of “security fatigue.” More than a quarter in the Acronis report on data privacy said they had experienced false positives from security apps, which often cause users to lower their guard. That’s why simplicity, automation and accurate solutions matter more than ever. Security must work properly in the background without giving users either a false sense of security or sounding too many false alarms.

Cybersecurity Awareness Month remains a worthwhile initiative and has likely contributed to modest improvements in consumer behavior. But there is still work to do. The Core 4 provides a practical framework for 2025. If organizations and consumers pair those basics with smart technology and a culture that encourages safe behavior, users will be empowered to stay safe online every month of the year.