Internet Safety Month: 4 Ways to Reduce Human Risk

As a Security Awareness Program Owner, you know the drill. You try to keep up with all the major “security-themed” holidays, but some dates just sneak up. This June, National Internet Safety Month isn't just another date on the calendar—it's a critical checkpoint. The conversation around internet safety has fundamentally changed thanks to generative AI, and traditional training wasn't designed for this new reality. If you're scrambling to adapt your program, you're in the right place. Let's get your strategy updated for the real threats we face today.

In fact, National Internet Safety Month is sneaking up real fast. It’s this June already! 

Whether you’re just starting your research or are hunting down a few ideas for educating your team on this year’s campaign, the time is now.

Here’s what this important month is all about and how you can leverage it for your security awareness program:

What Is National Internet Safety Month?

National Internet Safety Month is an annual initiative specifically dedicated to educating people on internet safety. 

For a full 30 days each June, federal and state governments, industry, and nonprofit organizations unite to promote safe online behavior and practices. The keyword here is “unite.” This month is about recognizing that internet safety is a shared responsibility— knowing we all must join together to make the internet a safer place for everyone, both at work and at home.

The Origins of Internet Safety Month

National Internet Safety Month began back in 2005 with a clear goal: to raise awareness about the importance of staying safe online. The initiative was a direct response to the fact that as more of our lives moved to the internet, the associated dangers grew significantly. From the start, the month of June has been dedicated to educating people on safe online practices, with a special focus on protecting vulnerable populations from serious online crimes like sextortion. This history highlights why internet safety can't be a one-time training event; it requires continuous education to address evolving threats and reinforce that creating a secure online environment is a responsibility we all share.

Breaking Down the STOP.THINK.CONNECT.™ Campaign

STOP.THINK.CONNECT.™ is a national public awareness campaign frontiered by The Department of Homeland Security in coordination with The National Cyber Security Alliance.

Its goal is to empower Americans to be safer and more secure online by increasing their understanding of cyber threats. The campaign aims to provide simple, easy-to-understand resources and strategies to help us stay safe on the web. 

It simplifies best practices for pursuing the internet into just three steps:

1. STOP and make sure security measures are in place
2. THINK about the consequences of your actions and behaviors online 
3. CONNECT and enjoy your devices with more peace of mind

But while this seems pretty straightforward, your team needs more than just the standard “think before browsing the web” advice. They need tangible safety tips and specific information on what threats they may face and how to react. That’s where you come in!

Understanding Core Online Risks: The 4 C's Framework

To make internet safety tangible for your organization, it helps to have a simple framework. The "4 C's" model breaks down the vast landscape of online threats into four distinct, easy-to-understand categories: Content, Contact, Conduct, and Commerce. This structure allows security leaders to move beyond generic advice and create targeted awareness campaigns that address the specific risks your employees face daily. Using this framework helps make the abstract concept of cyber risk relatable to an employee's digital interactions, whether they are on the corporate network or working from home. By categorizing risks, you can better measure, manage, and ultimately reduce the human element of your security posture, creating a more resilient defense against modern threats.

Content: Identifying Harmful Material

The first category, Content, refers to the harmful material employees may encounter online. In a corporate context, this goes far beyond simply blocking inappropriate websites. The real danger lies in sophisticated disinformation campaigns targeting your industry, misinformation that can influence employee decisions, or even extremist content that could signal a potential insider threat. The line between personal and professional online activity is increasingly blurred, and the content an employee consumes on social media or personal web browsing can have direct consequences for your organization’s security, reputation, and overall stability. Equipping your team with critical thinking skills to evaluate the information they see is a crucial first step.

Disinformation, Hate Speech, and Radicalizing Content

Disinformation can be used to manipulate market perceptions, damage your brand, or erode employee morale. Hate speech can create a toxic work environment, posing significant legal and reputational risks. While more extreme, radicalizing content is a serious concern that can be an early indicator of an insider threat. Teaching employees to recognize these specific content types is essential to mitigating their potential impact on your organization.

Contact: Managing Unsolicited Interactions

The second C, Contact, covers the risks associated with unsolicited online interactions. For enterprise security, this is the domain of social engineering. Attackers frequently use professional platforms like LinkedIn, corporate email, and even third-party messaging apps to initiate contact. A seemingly innocent message from a "recruiter," a request from a "vendor," or an urgent plea from a "senior executive" could be the opening move in a targeted spear-phishing or business email compromise (BEC) attack. It is vital to train employees to maintain a healthy skepticism of any unsolicited contact and teach them to independently verify identities and requests through separate, trusted communication channels.

Conduct: How Behavior Creates Risk

An employee's online Conduct is a direct reflection of your organization's security posture. This category encompasses a wide range of behaviors, from oversharing sensitive company information on social media to using weak, reused passwords across multiple corporate systems. Human Risk Management (HRM), as defined by Living Security, focuses on understanding these behaviors not as isolated mistakes, but as measurable risk indicators. By correlating data across employee behavior, identity systems, and real-time threats, you can move from simply reacting to incidents to proactively guiding your team toward safer online habits, effectively reducing your overall risk exposure before an incident occurs.

Commerce: Navigating Online Financial Risks

For any business, the risks tied to online Commerce are substantial and immediate. This extends far beyond an employee using a corporate card on an insecure e-commerce site. The more significant threats include sophisticated invoice and payment fraud, where attackers impersonate a trusted vendor to redirect large sums of money, and procurement scams that target employees with purchasing authority. Every online transaction represents a potential vulnerability. It is essential to establish and enforce clear policies for online purchasing, along with continuous training on how to scrutinize and verify payment requests to prevent devastating financial losses.

Key Cybersecurity Practices to Emphasize

While the 4 C's framework helps your team understand the risks, the next step is to reinforce the core practices that mitigate them. These foundational habits are the building blocks of a strong security culture. For security leaders, the challenge is not just communicating these best practices but ensuring they are consistently adopted across the organization. This is where a data-driven approach becomes a game-changer. Instead of sending a blanket email reminding everyone to use strong passwords, you can identify which individuals or departments are struggling and provide targeted interventions. These non-negotiable security hygiene practices should be a central part of your communication strategy, not just during National Internet Safety Month, but all year round.

Use Strong Passwords and a Password Manager

A strong, unique password is the first line of defense for every corporate account. It’s crucial to educate employees on the pitfalls of using personal information or common words and to stress the importance of using a different password for every single application. A password manager is an essential tool that removes the burden of creating and remembering dozens of complex credentials. By encouraging widespread adoption, you make it easier for employees to follow best practices without resorting to risky shortcuts, like writing passwords on sticky notes. This significantly reduces the organizational risk from credential stuffing attacks, where attackers use a single breached password to compromise multiple systems.

Turn On Multi-Factor Authentication (MFA)

Multi-factor authentication is no longer a "nice-to-have"; it is an essential security control. A password can be guessed, phished, or stolen, but a second factor—like a one-time code from an authenticator app or a biometric scan—is much more difficult for an attacker to compromise. Emphasize to your team that enabling MFA wherever it is available is one of the single most effective actions they can take to protect their accounts and the company's data. It serves as a critical barrier that can stop an attacker in their tracks, even if they have managed to obtain a valid username and password.

Keep Software and Devices Updated

Software updates are not optional interruptions; they are critical security functions. Attackers actively develop exploits for known vulnerabilities in outdated software, and delaying updates leaves a wide-open door for malware, ransomware, and data breaches. While your IT and security teams likely manage updates for corporate-owned devices, employees share this responsibility, especially when it comes to personal devices used for work (BYOD) and third-party applications. Fostering a culture where employees understand the urgency of these updates and apply them promptly is a crucial component of a defense-in-depth security strategy.

Recognize and Report Phishing

Your employees are a critical part of your defense against phishing attacks. Training should go beyond basic recognition and focus on building the skills to spot the subtle red flags of modern, sophisticated phishing attempts. However, recognition is only half the battle. It is absolutely vital to cultivate a culture where employees feel empowered to report every suspected phishing message, even if they didn't click. Each report is a piece of valuable, real-time threat intelligence that allows your security team to block malicious domains, hunt for other instances, and protect the rest of the organization. A robust phishing awareness program uses realistic simulations to give employees safe, hands-on practice and reinforces the critical habit of reporting.

4 Ways to Promote Internet Safety Month at Work

Program owners have an important responsibility this month to talk about pertinent topics regarding internet safety, relayed in a language your teams can actually understand.

Here’s how you can equip every department with the support they need this June:

1. Engage with the Campaign on Social Media

On stopthinkconnect.org, you can find handy resources for helping your employees own their online presence, including tip sheets, videos, posters and even memes to download and share. Check out all these incredible resources. 

STOP.THINK.CONNECT.™ also has a list of national studies with empowering statistics on internet safety to share with the C-suite, management and all teams alike.

2. Use Ready-Made Tips from the NCSA

The National Cyber Security Alliance rolled out a number of tips for protecting yourself online this Internet Safety Month. From mobile protection to caution while socializing online, we urge you to give their advice a read. 

3. Connect Personal Safety to Professional Security

Remember that employees have their own job responsibilities and maintaining your company’s security isn’t always a top priority nor top of mind. Instead of talking about security in terms of your business specifically, pique their interest by relating cyber security to things they actually care about.

For example, parents want to know how to secure and monitor their children’s accounts online. Suggesting kids use avatars for profile pictures on gaming sites instead of real photos may lay the perfect foundation for explaining what social engineers look for when digging for open-source intelligence. Or, share how someone’s credit card info might get stolen while traveling on vacation to inspire them to better protect private data, in general. 

Often, the same principles that apply to their personal safety can be used to increase your corporate safety and become habits.

Fostering Digital Citizenship

Digital citizenship is about more than just knowing the rules of the internet; it’s about understanding the responsibilities that come with our online actions. It means having the skills to navigate the digital world safely and ethically. For your organization, fostering good digital citizenship among employees is a foundational element of a strong security culture. When team members practice responsible online behavior in their personal lives, like protecting their privacy and communicating respectfully, those habits naturally extend into the workplace. This proactive mindset is central to Human Risk Management (HRM), which focuses on guiding individuals toward safer behaviors before a threat materializes. By encouraging employees to be good digital citizens, you’re not just checking a compliance box; you’re building a workforce that actively contributes to the organization's security posture.

Protecting Families and Children Online

One of the most powerful ways to connect with your employees on security is by addressing a topic they already care deeply about: protecting their families. The internet presents real dangers for children, including serious crimes like online extortion. When you provide resources and guidance on how parents and guardians can keep their kids safe, you demonstrate a genuine investment in their well-being. This conversation creates a perfect bridge to corporate security. The same principles used to protect a child from an online predator, like being cautious with personal information and recognizing suspicious requests, are identical to the ones needed to defend against a phishing attack. Framing security in this personal, protective context makes it relatable and transforms abstract corporate policies into tangible, meaningful actions that protect what matters most.

4. Download Free Campaign Assets

While cybersecurity holidays like National Internet Safety Month are undoubtedly important to recognize, it can be hard to push this type of awareness content when you’re juggling multiple other campaigns.

That’s why sometimes it’s wise to invest in pre-packaged awareness resources from a trusted partner, one who is dedicated to ensuring you don’t miss important annual initiatives like this. You’ll also get access to all the materials you need to share with your departments, ready-to-go!

Program owner resources like Campaign-in-a-Box outline monthly themed “mini” campaigns, with focused pre-written content around crucial national campaigns like Internet Safety Month.

Simplify Your Efforts with Campaign-in-a-Box

Use our pre-written, supportive content to educate your teams on important cyber security initiatives without all the research and work. Request more information about our unique Campaign-in-a-Box offering, today.

The Future of Internet Safety: Securing Humans and AI Agents

The principles of internet safety are evolving. While foundational practices like using strong passwords and spotting phishing attempts remain crucial, the landscape is becoming far more complex. The rapid adoption of artificial intelligence has introduced a new dimension of risk, supercharging the scale and sophistication of threats. Research shows that nearly 80% of employees are now concerned about how AI can be used in cyber attacks, and for good reason. This new reality demands a forward-thinking approach that goes beyond traditional security awareness.

The future of internet safety involves securing a distributed workforce of both humans and AI agents. As organizations integrate AI into their workflows, these non-human actors become part of the attack surface, interacting with sensitive systems and data. A comprehensive security strategy must now account for the risks introduced by both human behavior and AI-driven activity. This is the core challenge that Human Risk Management (HRM) is built to solve, shifting the focus from reactive detection to proactive prevention by understanding the intricate connections between people, technology, and threats.

Addressing Emerging AI-Driven Risks

Artificial intelligence significantly amplifies existing online risks. AI models can generate hyper-realistic phishing emails, create convincing disinformation, and mimic legitimate communications with alarming accuracy, making it harder than ever for employees to distinguish friend from foe. These AI-enhanced threats are not just theoretical; they are actively contributing to a more dangerous digital environment. Organizations must recognize that while AI can be a powerful tool for defense, it also introduces new vulnerabilities that threat actors are eager to exploit.

This new wave of threats requires a more sophisticated defense. The challenge is no longer just about preventing a person from clicking a bad link. It’s about building an organizational culture of security that is prepared for AI-driven social engineering, deepfakes, and automated attacks. Effectively managing these emerging threats means equipping your people with the awareness and tools needed to navigate a world where deception is increasingly automated and personalized.

How Human Risk Management (HRM) Adapts

Human Risk Management (HRM), as defined by Living Security, adapts to this new reality by moving beyond simple awareness training. An effective HRM program provides a data-driven foundation to make human and AI agent risk visible, measurable, and actionable. Instead of relying on a narrow set of behavioral signals, the Living Security Platform analyzes hundreds of risk indicators across employee behavior, identity and access systems, and real-time threat intelligence. This provides a comprehensive, predictive view of where risk is most likely to emerge before it leads to an incident.

At the center of this approach is Livvy, an AI guide that helps security teams understand evolving risk trajectories and identify the individuals or agents that require intervention. The platform can then autonomously orchestrate responses, such as delivering targeted micro-training or reinforcing policies, all while maintaining human-in-the-loop oversight. By integrating AI into the defense strategy, organizations can effectively manage the risks posed by this new technological frontier and build a more resilient security posture.

Frequently Asked Questions

How can I make our Internet Safety Month activities feel relevant and not just another corporate training exercise? The key is to connect corporate security principles to the personal safety topics your employees already care about. For instance, start a conversation about protecting their children online or securing their personal finances while traveling. When you provide actionable advice that helps them protect their families, the same habits, like scrutinizing suspicious requests and using strong passwords, naturally carry over into their work. This approach transforms security from a set of abstract rules into a valuable life skill.

My team understands basic phishing. How has AI changed the game for social engineering? Artificial intelligence has dramatically lowered the barrier for creating sophisticated attacks. AI can generate hyper-realistic phishing emails, text messages, and even voice clones that are free of the usual red flags like typos or awkward phrasing. These attacks can be personalized at scale, making them far more convincing. This means employees must move beyond just looking for obvious errors and develop a stronger habit of verifying requests through separate, trusted channels, especially when they involve sensitive data or financial transactions.

The "4 C's" framework is a good starting point, but how do I know which risks are most critical for my organization? A framework gives you a map, but data tells you where to focus your attention. A modern approach requires looking beyond a single risk category. Human Risk Management (HRM), as defined by Living Security, helps you prioritize by correlating data across three key pillars: employee behavior, identity and access systems, and real-time threat intelligence. This gives you a clear, evidence-based picture of your organization's specific risk landscape, showing you which individuals, roles, or departments require the most immediate attention.

We already have a security awareness program. How does Human Risk Management (HRM) go beyond traditional training? Traditional security awareness focuses on broad education, hoping the lessons stick. Human Risk Management (HRM) is a proactive, data-driven strategy focused on changing behavior to prevent incidents. Instead of relying on annual training, an HRM platform continuously analyzes risk signals to identify who is most likely to cause an incident. It then delivers targeted, timely interventions, like a micro-training module or a policy nudge, to guide that person toward safer habits before a mistake happens.

How can I measure the success of our internet safety initiatives and show their value to leadership? Success should be measured by a tangible reduction in risk, not just by training completion rates. An effective HRM program provides clear metrics that demonstrate progress. You can track the reduction in risky behaviors, such as phishing clicks or password reuse, across specific populations over time. By presenting data that shows a measurable decrease in your organization's human risk exposure, you can clearly communicate the value and direct impact of your security efforts to leadership.

Key Takeaways

• Make online risks relatable with a framework: Use the 4 C's model (Content, Contact, Conduct, Commerce) to break down complex internet safety threats into clear, understandable categories that resonate with your team's daily experiences.
• Link corporate security to personal well-being: Drive engagement and adoption by showing employees how security best practices protect not just the company, but also their own families and personal data, transforming abstract rules into valuable life skills.
• Move from reaction to prediction for AI risks: Acknowledge that AI has changed the threat landscape; a modern Human Risk Management (HRM) strategy is necessary to analyze risk signals across behavior, identity, and threats, enabling you to prevent incidents in an era of sophisticated attacks.

Related Articles

• June is National Internet Safety Month & Here’s How You Can Prepare
• The History of Cybersecurity Awareness Month
• The Ultimate Corporate Cybersecurity Month Kit Guide
• Internet Safety for Kids: A Parent’s Cheat Sheet
• Cybersecurity Awareness Month: AI-Driven, Risk-Based Training | Living Security