For years, organizations have invested heavily in cybersecurity awareness. Employees today are more familiar with phishing scams, multifactor authentication, password security, and online threats than ever before. Yet new research suggests awareness alone may not be enough.
The National Cybersecurity Alliance's Oh, Behave! Cybersecurity Attitudes and Behaviors Report 2021-2025 found that while cybersecurity awareness has increased significantly over the past five years, many of the behaviors that help prevent cyber incidents have declined. For housing organizations, this trend presents a growing challenge. As cyber threats become more sophisticated and digital systems play a larger role in daily operations, organizations must find ways to turn awareness into action.
Awareness is rising while secure behaviors are declining
The report highlights a surprising contradiction. Awareness of multifactor authentication (MFA) increased from 52% in 2021 to 77% in 2025. At the same time, the number of people who consistently use MFA declined.
Other security habits have followed a similar pattern. The percentage of people who always install software updates immediately fell from 44% to 31%, while the percentage who always look for signs of phishing dropped from 51% to 36%. Meanwhile, cybercrime victimization increased from 34% to 44% over the same period. These findings suggest that the challenge organizations face today is not a lack of cybersecurity knowledge.
"The issue is no longer awareness," said Troy LePage, executive vice president and chief operating officer at HAI Group. "Most employees understand that cybersecurity matters. The challenge is maintaining secure habits in an environment where people are managing more technology, more information, and more competing priorities than ever before."
As technology continues to evolve, organizations are being asked to navigate a rapidly changing threat landscape that includes artificial intelligence, increasingly sophisticated phishing attempts, and a growing reliance on digital tools.
"Technology is advancing at an incredible pace," LePage said. "Organizations need to focus not only on educating employees about cybersecurity risks but also on creating systems and processes that make secure behavior easier and more consistent."
Understanding cybersecurity fatigue
One reason secure behaviors may be declining is cybersecurity fatigue. The report found that 43% of respondents feel overwhelmed by the amount of cybersecurity information they receive, up from 34% in 2021. At the same time, concern about cybercrime continues to grow, with 68% of respondents expressing worry about becoming a victim.
For many employees, repeated warnings, constant alerts, and an endless stream of new threats can eventually become background noise.
"Human nature is to become desensitized to repeated warnings," said Mike Konopka, manager of information security at HAI Group. "When people hear the same messages over and over, they can start to tune them out, even when the risks are real."
This doesn't mean employees don't care about cybersecurity. Instead, it highlights the need for organizations to rethink how they communicate risk and reinforce good habits.
"People are balancing dozens of responsibilities every day," Konopka said. "If security feels complicated, disruptive, or disconnected from their daily work, it becomes harder to maintain those behaviors consistently."
Why this matters for housing organizations
Cybersecurity incidents can affect every aspect of a housing organization's operations. Housing organizations manage sensitive resident information, financial transactions, vendor relationships, and critical business systems. A successful cyberattack can disrupt operations, expose confidential data, and create significant financial and reputational consequences.
Business email compromise (BEC), phishing attacks, ransomware, and social engineering schemes continue to target organizations of all sizes. Cybercriminals often focus on human behavior because it remains one of the easiest paths into an organization.
"Cybersecurity is no longer just an IT issue," LePage said. "It is an operational risk that affects every department, every employee, and every interaction with residents, vendors, and business partners."
As staffing challenges and competing priorities continue to affect many housing organizations, maintaining strong cybersecurity practices requires an intentional and organization-wide effort.
Hear from Doug Fleming, executive director of the Lansing Housing Commission, on the devastating impact a cyberattack has on a housing organization, and the importance of cybersecurity coverage.
Building a culture of secure behavior
If awareness alone is not enough, what works? According to Konopka, organizations should focus on making cybersecurity practical, relevant, and manageable.
Rather than relying solely on annual training requirements, organizations can reinforce key messages throughout the year with shorter, more targeted communications. Sharing examples of current scams, discussing recent incidents, and providing actionable guidance can help employees understand how cybersecurity applies to their day-to-day responsibilities.
Organizations should also look for opportunities to simplify security processes whenever possible. The easier it is for employees to follow secure practices, the more likely those behaviors are to become routine.
"Good cybersecurity is ultimately about people," Konopka said. "Technology plays an important role, but creating a culture where employees understand their role in protecting the organization is what makes the biggest difference."
Turning awareness into action
The National Cybersecurity Alliance's research highlights an important reality: awareness and action are not the same thing. While employees may understand cybersecurity risks better than ever before, growing complexity, competing priorities, and information overload can make it difficult to consistently apply that knowledge.
For housing organizations, the path forward is not simply providing more cybersecurity training. It is creating an environment where secure behaviors are practical, supported, and reinforced throughout the year. By combining education, leadership support, and user-friendly security practices, organizations can help close the gap between knowing what to do and actually doing it.
Strengthen your organization's cybersecurity posture
Cybersecurity awareness is only one part of building a strong defense against evolving threats. HAI Group offers resources and guidance to help housing organizations strengthen cybersecurity practices, reduce risk, and keep staff informed.
Explore cybersecurity resources
Visit HAI Group's Cybersecurity Resource Center for articles, tools, webinar recordings, and practical guidance designed specifically for housing organizations.
Access the Cybersecurity Center
Explore cybersecurity best practices, threat information, training resources, and tools to help your organization build resilience against cyber threats.
Connect with your risk control consultant
Looking for guidance specific to your organization? Reach out to your HAI Group Risk Control Consultant to discuss training opportunities and risk management strategies.
