European Cybersecurity Month 2025: focus on phishing
A ready-to-use plan to engage employees, measure impact and build capabilities that last beyond October.
This year, the European campaign places the focus on phishing.
Below is a ready-to-use plan to engage employees, measure impact and deliver results that last beyond October.
Why talk about this now?
- Official EU campaign. Every year, in October, the European Cybersecurity Month (ECSM) takes place, coordinated by ENISA and the European Commission, with awareness actions across the EU. ECSM
- 2025 focus: phishing. The 2025 edition begins with an explicit emphasis on tackling phishing, providing practical guidance and materials for citizens and organisations. Digital Strategy EU
- Threats are rising. The ENISA Threat Landscape 2025 analysed 4,875 incidents (Jul/2024–Jun/2025) and describes an environment of continuous and converging campaigns that erode resilience. ENISA
- The number 1 vector remains human. Phishing remains the primary intrusion method identified in the EU, with increasingly convincing campaigns, many supported by AI. Infosecurity Magazine
- In Portugal, the CNCS centralises resources, news and awareness initiatives that are useful for organisations and citizens. cncs.gov.pt
The objective for organisations
Move from “campaigns” to “capabilities”: use October to create habits (and evidence) that reduce risk throughout the year. Think in terms of message + practice + metric:
- The right message (short, clear, repeated)
- Guided practice (simulations, exercises, checklists)
- Objective metrics (proof of effectiveness and continuous improvement)
31-day programme: 4 weeks, 4 themes, simple metrics
Week 1 — Phishing and Social Engineering (official 2025 focus)
What should be done?
– 10-minute micro-lesson: how to identify phishing (sender, URL, urgent tone, attachments).
– Launch a phishing simulation (two difficulty levels).
– Deploy a “report button” in email (if it does not already exist).
– Digital poster “Stop, Check, Forward”: Stop → pause; Check → verify sender and URL; Forward → report it.
Metrics: Open rate and report rate of the simulation; average time to first report; click rate by level.
Useful official resources
ECSM/ENISA materials and content; this year, the explicit focus on phishing makes communication and exercises easier. Digital Strategy EU
Week 2 — Passwords, MFA and Identities
What should be done?
– Password manager “clinic” (how to create and store strong passwords).
– MFA campaign: mandatory activation for email, VPN and critical apps.
– Review of privileged access (JIT/JEA) and revocation of inactive accounts.
Metrics: % of accounts with MFA enabled; number of privileged accesses reduced; revocation time after internal departure.
Week 3 — Devices, Data and Cloud (hygiene and privacy)
What should be done?
– Rapid hardening: automatic updates, active EDR, disk encryption.
– Backups and restores: perform (and validate) at least one restore test against the approved RPO/RTO.
– Data mapping: where sensitive data resides (including SaaS), who has access to it and why.
Metrics: EDR coverage, restore success, % of critical data with encryption and an assigned owner.
Week 4 — Third Parties, Continuity and Incident Reporting
What should be done?
– 90-minute cyber crisis table-top: scenario of successful phishing + loss of a critical SaaS service.
– Review critical supplier contracts: RTO/RPO, incident notification, right to audit and exit plan.
– Reporting playbooks (including applicable regulatory reporting requirements): who reports to whom, within what deadlines, using which templates.
Metrics: Time to executive decision; fulfilment of RTO/RPO in testing; % of critical third parties with updated evidence.
Ready-to-send content (copy/paste)
Kick-off message (email/Teams/Slack)
October is Cybersecurity Month. This year, we will focus on detecting and reporting phishing.
Throughout the month, you will receive micro-lessons, simulations and simple tips.
If you are suspicious, report it — even if it turns out to be a false alarm.
Security starts with you. Digital Strategy EU
Quick notice for simulations
This week, you will receive simulation emails. The objective is to learn.
If something looks strange: stop, check, pass it on (report it).
Digital poster for lifts and backgrounds
“3 seconds before clicking” — Sender • URL • Request
“Talk to us” — Reporting button in Outlook/Gmail; #security channel
What to measure (and how to show it to the Board)
- Phishing: report rate ↑, clicks ↓ (adjusted to difficulty), time to first report.
- Identities: % MFA enabled; revocation time; number of privileges reduced.
- Resilience: successful restore; RTO/RPO achieved in the table-top.
- Third parties: % of critical suppliers with valid evidence (reports/audits).
Bonus: turn metrics into simple charts and compare the baseline (September) against October (end of month).
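As an added example (not part of the original article), here is a small Python script that computes the phishing metrics named in Week 1 and in the list above (open, click and report rate per difficulty level, time to first report) and the baseline-versus-October comparison from constructed simulation results; the event fields, user names and timings are assumptions.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Optional

@dataclass
class SimEvent:
    """One recipient of one simulation email; times are minutes after send."""
    user: str
    level: str                    # lure difficulty ("easy"/"hard"), assumed labels
    opened: Optional[int] = None
    clicked: Optional[int] = None
    reported: Optional[int] = None

# Constructed sample results for an October run (not real campaign data).
OCTOBER = [
    SimEvent("u1", "easy", opened=3, reported=5),     # reported, never clicked
    SimEvent("u2", "easy", opened=10, clicked=11, reported=30),
    SimEvent("u3", "easy"),                           # never opened
    SimEvent("u4", "hard", opened=4, clicked=6),      # clicked, never reported
    SimEvent("u5", "hard", opened=8, reported=12),
    SimEvent("u6", "hard", opened=1, clicked=2, reported=2),
]

def metrics_by_level(events):
    """Open/click/report rates per difficulty level plus report timing."""
    groups = {}
    for e in events:
        groups.setdefault(e.level, []).append(e)
    out = {}
    for level, evs in groups.items():
        sent = len(evs)
        delays = [e.reported for e in evs if e.reported is not None]
        out[level] = {
            "open_rate": sum(e.opened is not None for e in evs) / sent,
            "click_rate": sum(e.clicked is not None for e in evs) / sent,
            "report_rate": len(delays) / sent,
            # the first report is what opens the SOC's window to contain the lure
            "first_report_min": min(delays) if delays else None,
            "avg_report_min": mean(delays) if delays else None,
        }
    return out

def compare(baseline, current):
    """Change per level and rate (current minus baseline), e.g. September vs October."""
    rates = ("open_rate", "click_rate", "report_rate")
    return {lvl: {k: round(current[lvl][k] - baseline[lvl][k], 3) for k in rates}
            for lvl in current if lvl in baseline}

if __name__ == "__main__":
    print(metrics_by_level(OCTOBER))
```

Click rate is reported per level rather than as a single figure, which is what "adjusted to difficulty" means in practice: a harder lure with a higher click rate is not a regression.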
Common mistakes (and the antidote)
- Punitive campaigns that shame people who make mistakes → educate, do not punish: reinforce good reporting, even when it is a false alarm.
- Long, technical messages → micro-content in plain English, with real examples.
- Lack of evidence → keep evidence: minutes, simulation reports, dashboard screenshots, MFA lists.
Events and resources you can use right away
- Official ECSM portal with explanation, materials and activities. ECSM
- ECSM 2025: focus on phishing — communications and good practice guides. Digital Strategy EU
- ETL 2025 press release (data and trends to enrich internal presentations). ENISA
- ENISA Threat Landscape 2025 (report) — a basis for executive briefings and for justifying investments. ENISA
- European agenda: example — European Cybersecurity Challenge 2025 (6–10 Oct., Warsaw), useful for content and awareness in technical teams. ENISA
Frequently asked questions (for the Helpdesk/Security team)
- “I received a suspicious email. Should I delete it?” → First report it using the button; the SOC/IT team will analyse it.
- “I clicked by mistake. What now?” → Report it immediately; change your password; run an EDR scan; sign out from all devices.
- “How do I know whether a link is safe?” → Hover over the link; check the domain and HTTPS; if it uses a link shortener, do not click: report it.
- “Can I use a USB stick?” → Only authorised devices. If it is external, check with IT first.
Recommended Behaviour courses (to turn awareness into capability)
- ISO/IEC 27001 Foundation — foundation for security policies and responsibilities.
- Cybersecurity Professional — technical and management skills to reduce operational risk.
- NIS 2 Compliance Lead Manager — requirements, incident reporting and governance.
- ISO 22301 Lead Implementer — continuity and cyber crisis exercises (support for the week 4 table-top).
Author: Behaviour
Published on: 6 October 2025
Copying or reproduction of this article is not authorised, except for the suggestions included in the Ready-to-send content (copy/paste) section.