A year-long security awareness calendar mapped to the NIST framework. Monthly themes, cautionary tales, and checklists to strengthen your security posture.
ALIGNED WITH NIST SP 800-50 · SP 800-53 · CSF · UPDATED FOR 2026
The 2026 NIST Security Awareness Calendar
Your entire year of security training, planned. 12 months. 12 real-world attack stories. Actionable tips your team will actually remember.
Used by 5,000+ companies and 100+ MSP partners
January
NIST PR.AC-1, IA-2
“The Keys to the Kingdom”
Access Control
War Story
MGM Resorts 2023
In September 2023, the MGM Resorts empire was paralyzed: slot machines went dark, hotel keys failed, and systems were encrypted. The hackers didn’t crack a code; they used LinkedIn to find an employee’s details. They called the IT Help Desk, impersonated the employee, and convinced a technician to reset the employee’s MFA to a device the hackers controlled.
January focuses on access control and identity. Strong passwords and MFA are the keys to your systems. Learn how to keep them out of the wrong hands today.
February
NIST PR.AT-2
“Recognizing & Defeating Email Threats”
Phishing Awareness
War Story
The 'Browser Update' Trap
An insurance company recently suffered a major breach that didn’t start with a shady email. Instead, an employee visited a legitimate, well-known website that had been silently compromised by hackers.
Beyond the Link: Hovering over a link to check the URL is still good practice, but it isn’t foolproof. Attackers now use “URL shorteners” or “open redirects” to hide their true destination.
February focuses on phishing awareness and email security. Learn to spot the malicious emails that lead to most breaches before anyone clicks the link.
March
NIST PR.AT-2
“Securing Sensitive Information”
Physical Security
War Story
The Donut Breach
In a famous “Piggyback” breach, a penetration tester (a professional hired to test security) managed to enter a high-security data center without a badge or a key.
Tailgating Checklist: Keep Unauthorized People Out
Guide
March focuses on physical security. Even the strongest firewall cannot help if an unauthorized person can walk in and reach a workstation or a server.
April
NIST PR.AC-3
“Taking Security Anywhere We Go”
Mobile & Remote Work
War Story
The 'Evil Twin' Wi-Fi
An executive waiting for a flight connected to what they thought was the airport’s official Wi-Fi, labeled “Airport_Free_HighSpeed.” In reality, it was an “Evil Twin”—a hotspot set up by a hacker sitting nearby with a small device.
Use a VPN: Always turn on the company VPN before accessing work email or files on public Wi-Fi. It creates an encrypted “tunnel” that keeps hackers out.
April focuses on mobile and remote work security. When the office perimeter disappears at home, in coffee shops, and at airports, your defenses must travel too.
May
NIST ID.AM-5
“Building Secure Network Architecture”
Data Classification
War Story
The NYU Admissions Leak
A significant data exposure occurred at NYU when a database containing thousands of student records was accidentally set to “Public” on a cloud storage platform. The database was intended for internal use only, but because the creator didn’t check the default privacy settings or label the data correctly, the information became searchable on the open web.
Data Encryption, Access Controls and Backup Procedures
Video
Data Handling Guidelines for Employees
Guide
May focuses on data classification. Not all data is equal. Learn to label information so your team knows how to handle, share, and protect it by sensitivity.
Role in Maintaining the Organization's Security Posture
Video
See Something, Say Something
Guide
Employee Offboarding Security Checklist
Guide
June focuses on insider threat. Security is not only about outside hackers. Learn how to ensure employees, contractors, and partners use access responsibly.
July
NIST PR.AT-2
“Preparing for the Inevitable”
Social Engineering
War Story
The Deepfake CFO $25 Million Call
A finance worker at a multinational firm in Hong Kong was invited to a video conference with the company’s CFO and several colleagues. The “CFO” ordered a secret $25 million transfer for a new acquisition. It was later revealed that every person on that call, except the victim, was an AI-generated deepfake created from public footage.
July focuses on social engineering. AI makes it hard to trust your eyes and ears, so clear procedures are the last line between a request and costly fraud.
August
NIST ID.SC-1
“Building a Human Firewall”
Third-Party Risk
War Story
The SolarWinds Supply Chain Trojan
In 2020, hackers compromised SolarWinds, a software provider. They hid a “backdoor” inside a legitimate software update. When 18,000 customers—including the US Treasury and major Fortune 500 firms—downloaded the “trusted” update, they unknowingly granted hackers full access to their private networks.
Approved Software Register Template & Request Process
Guide
Third-Party Privileged Access
Video
August focuses on third-party risk. Your security is only as strong as your weakest vendor. One compromised tool can bypass all of your internal defenses.
September
NIST PR.IP-9
“Securing Your Extended Ecosystem”
Ransomware
War Story
The SolarWinds Supply Chain Trojan
In May 2021, a single leaked password for a dormant VPN account allowed hackers to enter the Colonial Pipeline network. They deployed ransomware, forcing a total shutdown of the fuel supply for the US East Coast and triggering a national state of emergency.
September focuses on ransomware. It is not just about lost files but business survival. Learn how a single weak password can halt an entire operation.
October
NIST PR.IP-9
“Protecting the Physical World”
Ransomware
War Story
The SolarWinds Supply Chain Trojan
During a recent security audit, a simulated phish was sent to 5,000 staff. Within 90 seconds, 400 employees reported the email. This allowed the security team to “kill” the malicious link globally before a single person could click it, preventing a potential multi-million dollar breach.
October focuses on ransomware response. Technology stops about 90% of attacks. The final 10% is your people, and a single report can save the company.
November
NIST DE.DP-1
“Securing the Cloud Environment”
Incident Reporting
War Story
The Uber Cost of Silence
In 2016, Uber was breached, losing data on 57 million users. Instead of reporting it, executives paid hackers $100,000 to keep quiet. This cover-up led to federal prosecution of their Chief Security Officer and massive fines that far outweighed the cost of the original breach.
An Incident Response Plan Template for Any Security Event
Guide
November focuses on incident reporting. In cybersecurity, speed is survival. The faster IT hears about an issue, the faster the team can stop the damage.
December
NIST PR.AT-2
“Meeting Regulatory Requirements”
Scams & Fraud
War Story
The CEO Urgent Gift Card Request
During a busy December week, an assistant received an “urgent” email from the CEO: “I’m in a meeting and need to reward some clients. Go buy 10 $100 Apple Gift Cards and send me the codes ASAP.” The assistant complied, and the company lost $1,000. It was a classic “spoofing” scam.
December focuses on scams and fraud. Attackers exploit the holiday rush, and business email compromise is the most common way money gets stolen. Stay alert.
Implement the Full Calendar
Deploy this year-long security awareness program with Symbol Security's automated training platform. Schedule simulations, track progress, and measure security culture improvement.