Humans: the most vital link in cybersecurity?

Employees are often presented as the weakest link in the data protection chain. However, if they are aware and informed of the risks that some of their actions can bring to their organization, they constitute a solid barrier against cyber-attacks.

Far from being exhaustive, this article intends to help CISOs, like other security managers, create and manage effective awareness campaigns.

Implementing an awareness campaign requires a long-term vision and a response to specific objectives. To do this, it is essential to detail the needs and defines an awareness strategy. It meets two goals:

• identifying targets

• managing the “awareness” project

These two points must, of course, be adapted to the size of the company. The larger the structure, the more targets there will be.

Defining an outreach strategy means clarifying the following:

• Languages: which is the most spoken language? In general, the languages are chosen to allow us to reach at least 80% of the population.

• The population: who should learn? It can be members of the executive committee, managers, employees, or more specific people such as developers.

• Themes: what risk(s) do we want to alert about? What good practices should be addressed?

• Priorities: what are the main targets during the first year? The second-year? Which themes should be recurrent?

• Vectors: what are the communication and awareness vectors available in the company? Should new vectors be deployed?

• The constraints: what are the deadlines? What budget must be respected?

It is essential to involve the teams in charge of communication at a very early stage. Indeed, they have expertise that can prove invaluable, particularly on the most appropriate style, the language elements to use or avoid, etc.

They are also able to distribute the messages to all employees via their internal distribution networks.

In an awareness campaign, the important thing is to make an impression. It is essential to make sure that the targeted employees feel concerned and retain the proposed lessons.

Ideally, an effective campaign should offer devices adapted to different targets and mix various awareness tools (e-learning, games, posters, emails, etc.).

It would be a shame to neglect the tone and visual identity of the campaign. Humor and games remain valuable learning and memorization vectors that should not be overlooked.

The launch of an awareness campaign either motivates its success or not. The purpose of this moment is to:

• to challenge the participants

• to quickly promote the adhesion of the targets

• to federate around the project (create word-of-mouth)

Several options are possible (depending, of course, on the budget), from an announcement by email to a dedicated day with several animations.

How do you judge the success of an awareness campaign? It is recommended to define precise and measurable indicators. They are specific to each company and especially to each campaign.

How long does it take to educate employees about cyber? Most of the time, we plan strategies that take several months or even years. Rome wasn’t built in a day; to bring about and sustain behavior change, patience is vital.