
Today's digital-first workforce means shadow IT, cloud-based services, and unauthorized AI tools. There has never been a riskier time for a severe cyber incident.
From breaches and intrusions to ransomware and DDoS attacks, every institution is one cybersecurity incident away from a nightmare. Even a compliance violation can trigger a multimillion-dollar fine. Whether it's a department of one or many, M3AAWG calls on digital, security, and technology teams to shape a culture that recognizes these risks and ensures that the behavior of their organizations' entire supply chains reflects that understanding.
Digital, security, and technology departments must establish this culture through:
- A careful, yet relentless campaign of communicating the “why.”
- Securing a total buy-in from the Board of Directors (BOD) and C-suite.
- Delivering continuous awareness efforts and training to their entire supply chain (employees, contractors, vendors, etc.) on attackers' motivations and methods.
Communicating the “Why”
Establishing the “why” can include explaining the motivations behind common attacks and why weaving a security-first mindset into operations matters so much. Communicating the “why” means helping people understand what attackers want and how they operate, and it mitigates the human factor by showing how attackers fool people.
"When employees, vendors, contractors, and all those who service your institution know 'the why' behind security procedures, they are far more likely to comply and will do so far less begrudgingly," said M3AAWG Expert Advisor Joe St. Sauver.
As businesses rapidly adopt new AI tools, attack surfaces multiply exponentially — yet the tried-and-true vectors of email, SMS, and other messaging platforms remain as vulnerable as ever. Recent research points to human error as the root cause of 74% to 95% of all data breaches.[1]
"Attacks will leverage errors by employees, so everyone in the organization has a role to play," said Data and Identity Protection SIG Leader Alex Brotman.
Security teams must build trust and inspire confidence in an increasingly chaotic threat environment.
"For the lion's share of small- and medium-sized businesses, having a knowledgeable IT department or person is absolutely necessary, as is a good partner or managed security service provider (MSSP) that works with your company regularly," added Rod Rasmussen, M3AAWG Expert Advisor.
Securing Buy-In from Leadership
Communicating the “why” cascades through everything security personnel must do in building a resilient culture. This often starts with presenting these risks, and a plan for addressing them, to the Board of Directors and C-suite.
This step is critical to ensure that the initiatives needed to support a safe digital environment are built into budgets, and that time is prioritized accordingly.
"When staff believe that security best practices are merely lip service, it will undercut these efforts. A holistic approach driven, and adhered to, by leadership demonstrates to everyone that security is of the utmost importance to the organization and is an inflexible core principle," Alex said.
Awareness, Education, and Training
Once the “why” is established and leadership is on board, a communications campaign educating your supply chain on how these criminals operate is the next step. The following considerations are vital:
- Awareness, education, and training need to meet people where they are. Backgrounds may vary substantially, so consider organizing education initiatives into cohorts that provide a level of instruction appropriate to each group's abilities.
- Keep it continuous and evolving: These initiatives should be ongoing and adapt as companies grow and threats evolve.
- Provide guidelines for detecting and properly reporting messages that appear to pose a threat.
M3AAWG urges security teams to be careful about conducting phishing experiments on personnel, as doing so can erode trust and create friction in reporting issues to the digital department.
"You could alternatively send regular messages which do not mislead in any way but encourage people to report them so they get familiar with the notion of communicating with the security team,” Alex suggested.
Keeping Up with Threats
Staying engaged with M3AAWG is a great way to keep up with the latest twists and turns of the threat landscape. M3AAWG discusses emerging threats at three in-person meetings per year, including the 67th General Meeting taking place June 8–11, 2026, in Montréal, Canada. Additional online engagement opportunities include:
- The M3AAWG blogs and website.
- Social media: Facebook, LinkedIn, and YouTube.
- M3AAWG Engagement Series webinar events (members only).
- Slack: the #news-feed channel (members only).
Other sources of information for keeping up with the threats include government and vendor notices such as InfraGard and security bulletins. Ultimately, it's up to each organization to find reliable and timely information and ensure it reaches the people best positioned in your organization to make relevant security decisions. Not an M3AAWG member? Learn about applying for membership here.
[1] SentinelOne. (2026, March 12). Key cyber security statistics for 2025. SentinelOne. https://www.sentinelone.com/cybersecurity-101/cybersecurity/cyber-security-statistics/
