IT Essentials: 5 ways to make Cybersecurity Awareness Month meaningful

Add intent and action

It’s Cybersecurity Awareness Month, and awareness of what the ransomware economy is funding should be part of any education programme. Here’s what we could do to fight back.

In case you didn’t already know, October is Cybersecurity Awareness Month. The timing of this year’s campaign is so thick with irony, given the recent run of attacks, that you really have to wonder if the global cybercrime community isn’t trolling us.

Awareness of cybersecurity is like awareness of the importance of good diet, or an awareness of the destructive and timewasting aspects of social media. We’re all perfectly aware of what we should be doing but, for many reasons, continue not to do it.

To be clear, I’m not criticising the idea that people (and institutions) should be encouraged to take cybersecurity more seriously. What I’m criticising is the lack of intent and action by companies, the public sector and, to some extent, individuals.

Computing research found that whilst IT budgets are continuing to rise, only 9% of overall spending goes to cybersecurity. That doesn’t seem like a great deal, although other surveys suggest higher proportions. In fairness, it doesn’t just come down to spending money on the latest cybersecurity tool. Far more important is education, evaluating processes and looking at organisations holistically to assess resiliency.

Cybersecurity Awareness Month is partly about conveying these messages. But what those behind the campaign could also do is focus on awareness of the ransomware economy itself. To give some credit to recent victims, they refused to pay up. But the fact is, most companies do. You can even argue that the insurance model encourages it.

But there are things we can do to disrupt the ransomware economy.

The government needs to stick rocket boosters under legislative proposals to ban ransomware payments from public sector and critical infrastructure providers. There also needs to be mandatory disclosure of attacks, regardless of whether data is compromised.

Any company or institution that makes a payment to criminals should be legally obliged to enter that payment onto a publicly available register. Unless the ransomware economy is forced into the light, it will continue to thrive.

At the moment, the measure of seriousness of an attack seems to hinge on the degree to which personal data is compromised. JLR has been a case study in the limitations of that approach. Business resiliency is vital for the sake of jobs and the wider economy, and policy needs to reflect this. The rules for critical infrastructure should apply to every business.

Private enterprise should reconsider the merits of outsourcing security. There will be a cost saving in the short term from doing so, and we’re all aware of the difficulty in recruiting and retaining people with cybersecurity skills. But what companies do when they outsource security is outsource their resilience, their ability to do business. It’s existential. Perhaps budgets and pay rates for cybersecurity professionals should reflect that.

Educators, policy makers and (deep breath) parents need to take more responsibility for what kids are doing online. Children and young adults are being lured into criminality and nihilism by the prospect of easy (and big) money, and unconventional talent is being groomed and manipulated via platforms like Discord. The cybersecurity industry needs this talent and there are ethical pathways available. We have a collective responsibility to show the way.

The ransomware economy funds some terrible things. Terrorism, drugs, child sexual abuse, human trafficking. No decent person would knowingly fund this activity, but every time a company pays a ransom, that’s what they’re doing. I’d welcome greater awareness of that.

If you’re a current or aspiring cybersecurity leader, check out the Computing Security Leaders Summit on March 26th 2026. Packed with content including business continuity planning, bridging the cyber skills gap and cloud resilience, it promises to be full of insight and practical advice to take away. Register here for your free place.