National Cybersecurity Awareness Month comes around every October, but you shouldn’t rely on one month being enough to drive home the importance of cybersecurity to your employees. You should promote security awareness and cybersecurity best practices year-round. In order to help you kick off or continue your awareness program, we’ve put together a variety of cybersecurity memo templates for employees. These memos cover topics like phishing and whaling, password practices, file and folder permissions, as well as templates for different experience levels.
For more advanced security training, check out these free security courses and complete them to earn CPE credits.
- Cybersecurity Awareness “Movie” Poster Flyers
- Cybersecurity Memo Email Templates
- Creative Security Awareness Ideas and Activities
Shareable Cybersecurity Awareness Flyers
Your peers are likely bogged down by an inbox full of unread emails. To make sure they don’t miss valuable information, try hanging up an eye-catching flyer. The flyers below combine pop culture references and cybersecurity awareness to grab their attention and spread awareness in a fun way. Try embedding the flyers in your email blasts as an eco-friendly option.
1. Phishing Flyer
According to cybersecurity stats from years past, “spear-phishing emails were the most widely used infection vector, employed by 71 percent of those groups that staged cyber attacks in 2017” (Symantec). Catch your peers’ and employees’ attention and raise phishing and whaling awareness with this phishing flyer.
2. Password Security Flyer
In our galaxy and galaxies far, far away, there are hackers who crack weak passwords. Bring attention to password and account security with this “Cyber Wars” flyer. The flyer promotes the use of multi-factor authentication and password managers as solutions.
3. Invoice Scams Flyer (Ghostbusters)
If you receive an unusual invoice or request for sensitive data, it’s important to check with the billing department or other relevant managers for approval. The fraudulent invoice flyer below uses a “Ghostbusters” theme to raise awareness and help bust fraud and scammers in their tracks.
Essential Cybersecurity Awareness Templates
It’s very important to create a company culture that values and rewards good cybersecurity practices. There are various ways to set this precedent, including comprehensive onboarding training, engaging remote workers, sending reminders and making sure that management sets a good example. We recommend tweaking the templates below depending on your company’s needs and the products or services you offer.
Cybersecurity Awareness Memos for New Employees
As a best practice, cybersecurity awareness and company policies on the matter should be integrated into onboarding training. Make sure your new hires start off on the right foot with the template below.
- Data privacy policies and data ethics
- Compliance laws (HIPAA, GDPR, CCPA)
- Insider threats and data breaches
We’re very excited to welcome you onto the team! I’m sure you have a lot of documents to review for training and onboarding but I wanted to bring our cybersecurity policies to your attention.
As a company, we place huge value in our integrity and security — see our policy attached here and some important topics below. Please let me know if you have any questions about our security practices!
- Security policy [LINK or ATTACH]
Important topics covered in our policy:
- [INDUSTRY] privacy and security compliance
- Handling sensitive and personal data
- Password and account security
- [ADD ADDITIONAL PRIORITIES]
Once you’re finished reading through the attachment, please send back confirmation that you’ve read through the policies and understand them.
Thank you in advance,
Cybersecurity Awareness Memos for Remote Employees
Make sure your remote workers feel included — loop them in on any policy changes or refreshers that you send to your team. It’s very important to keep in mind that remote workers also have additional security challenges compared to their on-site counterparts. This template is an example of what to cover to ensure they’re following safe internet and security protocols.
- Dangers of public Wi-Fi
- Bring Your Own Device (BYOD) risks
- Locking devices physically and with passwords
Hope all is well in [CITY]. We wanted to send over a recent update to our security practices.
Public and free Wi-Fi networks leave you exposed to being hacked and put [COMPANY] at risk for data breaches and exfiltration.
Working on public or free networks is strictly prohibited. [NAME] has set up a tethering plan so that you may use your work phone for internet data. Attached are instructions to set up your device, including how to set up the required login and password protection function.
Please let me know if you have any questions; I’m happy to jump on a call or video chat should you run into issues.
This policy goes into effect on [DATE]. Please aim to have your device set up by [DATE] to avoid any overlap.
Cybersecurity Awareness Memos for All Staff
As mentioned above, security awareness and education should be a year-round priority and goal. Use the templates below to send refreshers and cybersecurity news about the latest scams to keep your company safe.
Since [REASON], we wanted to bring [TOPIC] to your attention.
[TOPIC] is [DEFINITION]. It’s imperative to [ACTION] in order to help maintain [COMPANY]’s data security and integrity.
[ADDED DETAIL + BULLET POINTS AS NEEDED]
Thank you for your continued cooperation as we strive to keep our customers’ and employees’ data safe and secure.
Phishing awareness email template:
In light of the increasing number of phishing attempts that have been going around, we wanted to send over some tips to help keep your account secure.
“Phishing” scams are a very popular tactic hackers use to trick users into thinking they received an email or text (SMiShing = SMS phishing) from a reputable company. They will use logos, fake but realistic-looking email addresses and contacts, and other tactics to trick you into clicking a malicious link that could compromise your security.
- “Spear-phishing” is a subset of phishing that is more personalized — the hacker will pose as someone you know to gain your trust.
- “Whaling” refers to a type of phishing that targets individuals who have high-level access to data, funds and information (e.g. business owners, CFOs, etc.).
Do not click links in emails that you weren’t expecting, that raise any sort of suspicion or that come from contacts not already in your contact list. Hover over the link to see the URL and, even if it still looks normal, type the domain into your browser using https.
Tips to spot a scam:
- Misspelled words
- Strange or big requests
- Website is “off” and bare-boned:
  - Website is “unsecure”
  - Missing footer and navigation
  - Misspelled words
  - No contact information
How to avoid these attacks:
- Above all else: Don’t click the link
- Be skeptical and ask a follow-up question for clarification
- Be careful about the info you share on social media; oversharing can be used to target you
- Keep software up to date
- Make sure any passwords are up to our company standards (16 alphanumeric characters long) and are stored only in our verified password manager
Thank you for taking the time to read through this and help keep your peers, our data and customers safe and secure.
Cybersecurity Awareness Memos for Management
It’s crucial to set a good example at the top. Employees will look to management for guidance and it’s important that all members of management are well-versed in cybersecurity issues and risks. They usually have higher access levels and pose a bigger risk if their account is compromised. Use the template below to keep management up to speed.
In an effort to improve our security and ensure we are meeting [LEGISLATION NAME] compliance, we are asking that you prioritize [TOPIC].
[TOPIC] can be implemented and prioritized by following the [tips/steps] below:
We look to you to help set a good example for those you manage and if security is one of your priorities, those who report to you will pick up those good habits as well.
Thank you in advance for helping keep our employees’ and users’ data secure. It’s greatly appreciated.
Lighthearted Cybersecurity Awareness Follow-up Email Template
Sometimes lengthy or serious emails are unnecessary. Send these short follow-ups as replies to your initial detailed emails that have more information outlined — this makes it easier for individuals to look back at the details. For a quick refresher that’s easy to read, modify the template below.
Engaging or lighthearted subject lines:
- There are Plenty of “Phish” in the Sea: Don’t Get Caught Up in the Scam
- Reminder: How to Create and Store Passwords Like a Pro
- Scam Awareness Tip: Invoice Fraud is the New Nigerian Prince
We just wanted to drop into your inbox to send you a quick reminder about password security [AND/OR ANOTHER TOPIC].
Remember passwords need to be:
- At least 16 characters
- Stored in our approved password manager, [LINK TO PASSWORD MANAGER]
- [ANY ADDITIONAL TIPS]
Thanks in advance for your cooperation, stay secure my friends.
8 Creative Cybersecurity Awareness Month Ideas
Looking for other ideas to raise cybersecurity awareness among your employees and peers during Cybersecurity Awareness Month and year-round? Give some of these activities a shot. They range from more serious to light-hearted, so gauge your work environment and audience to choose those that are most suitable. For the best participation and engagement, try incentivizing your activities (an extra day off, a donation to the charity of their choice, bonuses, gift cards, etc.).
- Baseline Survey: Have employees answer a couple of survey questions regarding cybersecurity and best practices to gauge the level of understanding across departments and individuals. This will help you tailor all other activities to make sure they’re efficient and covering topical info for your team.
- Phishing Test Email: Send everyone a convincing phishing email for a real-life test of your team’s phishing knowledge. Use a spoof company email address and use company logos and colors to mock internal emails. Ask your employees for sensitive data or access to give them the chance to report the malicious attack attempt. Use the opportunity to educate those who fall for it in order to help them be prepared for a real scam.
- Personalized Attack Simulation: Take the mock phishing email idea above one step further by tailoring different scams and attacks by position or department. The more realistic the simulation is, the more employees will gain from it.
- Team Quiz or Jeopardy Session: Turn lunchtime or a work happy hour into a fun and informative activity for your team. Ask various questions about cybersecurity best practices and knowledge. Incentivize the game by giving the winners bragging rights and the opportunity to donate a predetermined amount of money to a charity of their choice.
- Pentesting Competition (for the Tech-Savvy): To engage IT personnel and other members of your security team, try hosting a penetration testing competition with compensation for finding the biggest vulnerability. They will have the chance to uncover planted (and authentic) vulnerabilities and bugs in the network or systems. Make sure to use a test environment so as to not disrupt daily flow and site traffic.
- Milestones and Goals: Introduce a list of pre-approved activities, quizzes, online tests and certifications that employees can complete at their own pace during a given period of time. Employees can rack up points for completing tasks and then at the end of the given period of time, the points will be tallied for the chance to win prizes (a day off, gift card, charity donation, etc.).
- Reinforce Through Visuals and Video: Use different media to engage employees and drive home the importance of the topics you cover. If you have the bandwidth, create a custom video featuring your priority topics. Or simply send out one of the free cybersecurity awareness flyers above.
- Bring in an Expert: There are companies and individuals who specialize in creating an engaging training and awareness session. You can always leave it up to the pros to create a customized activity, presentation or lunch & learn session.
Remember that in order to run a successful internal security campaign, it needs to be topical and engaging. If members of your team want a more in-depth look at cybersecurity, you could direct them to one of our live cybersecurity attack demos or list of 52 cybersecurity tips for the workplace. We hope the materials above help you create a culture of good cybersecurity practices and reduce insider threats.
Rob Sobers is a software engineer specializing in web security and is the co-author of the book Learn Ruby the Hard Way.