A year-long security awareness calendar following the NIST Cybersecurity Framework. Monthly themes, cautionary tales, and actionable checklists to strengthen your organization's security posture.
ALIGNED WITH NIST SP 800-50 · SP 800-53 · CSF · UPDATED FOR 2026
The 2026 NIST Security Awareness Calendar
Your entire year of security training, planned. 12 months. 12 real-world attack stories. Actionable tips your team will actually remember.
Used by 5,000+ companies and 100+ MSP partners
January
NIST PR.AC-1, IA-2
“The Keys to the Kingdom”
Access Control
War Story
MGM Resorts 2023
In September 2023, the MGM Resorts empire was paralyzed: slot machines went dark, hotel keys failed, and systems were encrypted. The hackers didn’t crack a code; they used LinkedIn to find an employee’s details. They called the IT Help Desk, impersonated the employee, and convinced a technician to reset the employee’s MFA to a device the hackers controlled.
Access control acts as the digital security guard of the company, ensuring only authorized individuals have the 'keys' to specific resources. Security is only as strong as these keys—our passwords and Multi-Factor Authentication (MFA) tokens.
February
NIST PR.AT-2
“Recognizing & Defeating Email Threats”
Phishing Awareness
War Story
The 'Browser Update' Trap
An insurance company recently suffered a major breach that didn’t start with a shady email. Instead, an employee visited a legitimate, well-known website that had been silently compromised by hackers.
Beyond the Link: Hovering over a link to check the URL is still good practice, but it isn’t foolproof. Attackers now use “URL shorteners” or “open redirects” to hide their true destination.
In a famous “Piggyback” breach, a penetration tester (a professional hired to test security) managed to enter a high-security data center without a badge or a key.
Tailgating Checklist: Keep Unauthorized People Out
Guide
Even the strongest digital firewall cannot protect data if an unauthorized person can physically walk into our office and access a workstation or server.
April
NIST PR.AC-3
“Taking Security Anywhere We Go”
Mobile & Remote Work
War Story
The 'Evil Twin' Wi-Fi
An executive waiting for a flight connected to what they thought was the airport’s official Wi-Fi, labeled “Airport_Free_HighSpeed.” In reality, it was an “Evil Twin”—a hotspot set up by a hacker sitting nearby with a small device.
Use a VPN: Always turn on the company VPN before accessing work email or files on public Wi-Fi. It creates an encrypted “tunnel” so that others on the same network cannot read your traffic.
As we work from home, coffee shops, and airports, our 'office' perimeter disappears. Security must travel with you.
May
NIST ID.AM-5
“Building Secure Network Architecture”
Data Classification
War Story
The NYU Admissions Leak
A significant data exposure occurred at NYU when a database containing thousands of student records was accidentally set to “Public” on a cloud storage platform. The database was intended for internal use only, but because the creator didn’t check the default privacy settings or label the data correctly, the information became searchable on the open web.
Data Encryption, Access Controls and Backup Procedures
Video
Data Handling Guidelines for Employees
Guide
Not all data is created equal. Data Classification is the process of labeling information so that we know how to handle, share, and protect it according to its sensitivity.
Role in Maintaining the Organization's Security Posture
Video
See Something, Say Something
Guide
Employee Offboarding Security Checklist
Guide
Security isn’t just about stopping hackers from the outside; it’s about ensuring that those with legitimate access—employees, contractors, and partners—use that access responsibly.
July
NIST PR.AT-2
“Preparing for the Inevitable”
Social Engineering
War Story
The Deepfake CFO $25 Million Call
A finance worker at a multinational firm in Hong Kong was invited to a video conference with the company’s CFO and several colleagues. The “CFO” ordered a secret $25 million transfer for a new acquisition. It was later revealed that every person on that call, except the victim, was an AI-generated deepfake created from public footage.
Artificial Intelligence has eliminated the ability to trust your eyes and ears online. For a consulting firm, this means 'Standard Operating Procedures' (SOPs) are the only thing standing between a legitimate request and a multi-million dollar fraud.
August
NIST ID.SC-1
“Building a Human Firewall”
Third-Party Risk
War Story
The SolarWinds Supply Chain Trojan
In 2020, hackers compromised SolarWinds, a software provider. They hid a “backdoor” inside a legitimate software update. When 18,000 customers—including the US Treasury and major Fortune 500 firms—downloaded the “trusted” update, they unknowingly granted hackers full access to their private networks.
Approved Software Register Template & Request Process
Guide
Third-Party Privileged Access
Video
Your security is only as strong as the weakest vendor you use. A single compromised 'helper' tool can act as a Trojan Horse, bypassing all of your internal defenses.
September
NIST PR.IP-9
“Securing Your Extended Ecosystem”
Ransomware
War Story
The SolarWinds Supply Chain Trojan
In May 2021, a single leaked password for a dormant VPN account allowed hackers to enter the Colonial Pipeline network. They deployed ransomware, forcing a total shutdown of the fuel supply for the US East Coast and triggering a national state of emergency.
Ransomware isn't just about lost files; it’s about business survival. A single weak 'key' can stop a multi-billion dollar operation and cause global headlines.
October
NIST PR.IP-9
“Protecting the Physical World”
Ransomware
War Story
The SolarWinds Supply Chain Trojan
During a recent security audit, a simulated phish was sent to 5,000 staff. Within 90 seconds, 400 employees reported the email. This allowed the security team to “kill” the malicious link globally before a single person could click it, preventing a potential multi-million dollar breach.
Technology can only stop about 90% of attacks. The final 10% is up to you. A single report can save the entire company. Security isn't just an IT job; it's a team sport.
November
NIST DE.DP-1
“Securing the Cloud Environment”
Incident Reporting
War Story
The Uber Cost of Silence
In 2016, Uber was breached, losing data on 57 million users. Instead of reporting it, executives paid hackers $100,000 to keep quiet. This cover-up led to federal prosecution of their Chief Security Officer and massive fines that far outweighed the cost of the original breach.
An Incident Response Plan Template for Any Security Event
Guide
The 'cover-up' is almost always worse than the crime. In cybersecurity, speed is survival. The faster IT knows about an issue, the faster they can 'stop the bleeding.'
December
NIST PR.AT-2
“Meeting Regulatory Requirements”
Scams & Fraud
War Story
The CEO Urgent Gift Card Request
During a busy December week, an assistant received an “urgent” email from the CEO: “I’m in a meeting and need to reward some clients. Go buy 10 $100 Apple Gift Cards and send me the codes ASAP.” The assistant complied, and the company lost $1,000. It was a classic “spoofing” scam.
Scammers exploit the holiday rush because they know we are distracted. For a consulting firm, 'Business Email Compromise' (BEC) is the most common way money is stolen.
Implement the Full Calendar
Deploy this year-long security awareness program with Symbol Security's automated training platform. Schedule simulations, track progress, and measure security culture improvement.