October is "National Cybersecurity Awareness Month" and the first week features high-profile congressional hearings into the Equifax hack that will shine a bright light on the unfinished business of shoring up the nation's cyber defenses.
It's only a coincidence that the House Energy and Commerce and Senate Banking committee hearings on Equifax, with appearances by ex-CEO Richard Smith, will ring the opening bell on cyber month. October will also feature a plethora of industry and government events designed to highlight cyber efforts and ways for the public and businesses to get involved.
But the hearings into the Equifax breach that affected 143 million U.S. consumers could offer important, if painful, lessons on what companies should not do when it comes to protecting data and responding to incidents.
Critics say the entire affair suggests a carelessness around cyber hygiene, a failure to use available tools, and policy gaps in areas such as notifying consumers of a breach.
The company reportedly made only a half-hearted attempt to apply an available patch for the vulnerability that the attackers exploited to reach Equifax's consumer database, and it did not use the Department of Homeland Security cyber tools that are made available to all companies.
"I find it troubling that Equifax did not take advantage of DHS' Automated Indicator Sharing program that enables the exchange of cyber threat indicators between the private sector and government at machine speed," said House Homeland Security cybersecurity subcommittee Chairman John Ratcliffe, R-Texas.
"While there is no silver bullet when it comes to cybersecurity, when your responsibility as an organization is to safeguard hundreds of millions of records that contain Americans' personal information, taking advantage of all tools available to best understand the evolving threat landscape seems prudent," Ratcliffe said.
The company also waited six weeks after discovering the intrusion before notifying the public. There is no general federal breach-notification requirement, but many states mandate notice within a fixed period, often 30 days, so consumers can begin to protect themselves.
The director of the Consumer Financial Protection Bureau announced that his agency will "embed" regulators at Equifax and the two other major credit reporting agencies to make sure they are adequately securing consumer data.
Congressional Republicans did not immediately comment on that move, but they may push back over concerns about regulatory over-reach.
Equifax is just the latest mega-breach to suggest serious gaps in how the nation addresses cybersecurity.
All is not lost, cybersecurity leaders are quick to emphasize, and policymakers are actually being proactive in some areas.
For instance, the Senate Commerce Committee this week is expected to move bipartisan legislation, which is backed by industry, addressing the cybersecurity of self-driving cars.
And government-industry collaboration on cyber is accelerating under the Trump administration, according to business-sector leaders.
Jared Kushner's Office of American Innovation met last week with industry cyber leaders, according to sources, while White House homeland security adviser Tom Bossert in a speech sketched out a nonregulatory approach to cybersecurity that he said should play to the strengths of government and industry.
These efforts reflect "a remarkable commitment on the part of government to engage with industry on these threats," said Robert Mayer, senior vice president for cybersecurity at the United States Telecom Association.
Mayer said that overall, "the quality of work and commitment" in cyber policy engagements between government and industry "is a notch above where it was."
Other industry sources, however, point to Equifax and say it's a reminder that achievable cyber goals have yet to be reached.
"Eighty percent of the problem remains basic hygiene, fixing exploitable vulnerabilities," said one private-sector cybersecurity veteran. "Why haven't we launched a national awareness campaign to deal with 80 percent of the problem?"
Cybersecurity Month is fine, this source said, but every month should be Cybersecurity Month. "Nobody has ever heard of 'Stop. Think. Connect,'" this source charged, referring to the Department of Homeland Security's centerpiece cyber awareness program.
"If you could improve basic hygiene by half, you would have a major impact on botnets, phishing attacks and the other prevalent threats," the source said.
"We're making progress," this source said, while splashing cold water on any cyber-month celebrations by adding, "but the bad guys are developing advanced tools more quickly than the good guys can respond."
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of "Hacked: The Inside Story of America's Struggle to Secure Cyberspace," published by Rowman and Littlefield.