The rollout of an internal cyber security program is both a political and human project especially since 2021 saw a real surge in cyber attacks that still continue to soar.

Believing that a cyber security program is strictly an IT initiative and touches on the technical and technology aspects only is a major misconception. It is like thinking that the Coronavirus is a concern only for doctors and healthcare professionals.
In actual fact, beating the Covid-19 takes a collective effort: first the front-line health workers, then the politicians conducting operations and society as a whole embracing the momentum. Same thing for cyber crime. It is a threat that can only be thwarted collectively.

The rollout of an internal cyber security program is both a political and human project especially since 2021 saw a real surge in cyber attacks that still continue to soar.

Very few users know this but remote working leaves businesses increasingly vulnerable to cyber attacks. What is worse is that even fewer users know how to protect against these attacks.
In the face of this growing threat, running a cybersecurity awareness campaign is essential. It helps explain the risks and dangers of this pandemic to all employees and make sure they understand what to do and not do to stay safe. An awareness campaign may be conducted in several ways: using videos, email blasts, game apps, quizzes…

Nevertheless, in order to reach out to as many employees as possible and get the most user buy-in, the campaign needs to be both instructive and fun but especially understood by all. Moreover, for it to be efficient and a real game-changer in people’s habits and usages it has to be planned as a long-term initiative.

Raising awareness, testing, addressing…does it ring a bell? I can even picture the CIOs in scrubs.

Political mobilization…

The most important challenge in a cybersecurity campaign is getting the message across to all the employees on how hacking works. We are not dealing with a strictly IT project per se. It is an all-inclusive group initiative that requires support and leadership on behalf of the HR and Communication departments right from the start in order to get everybody’s buy-in.

The key to building buy-in is all about people-readiness: from top management to all the rank-and- file employees with local management teams relaying and reinforcing the campaign. Without a clear call to action and deep understanding of what is at stake, an awareness campaign will do very little to change our habits and will surely not contribute to getting rid of the pandemic.

… raising awareness…

Relying on technical solutions and tools is not enough. To fight cyber crime you have to have all the employees understand the dangers and what is at stake. Building immunity to cyber attacks can only be achieved through awareness.

The awareness campaign is an efficient tool that works like a vaccine. It is instilled in people’s minds and triggers an immune response almost instantly with users knowing exactly what to do. To foster buy-in and efficiency an awareness campaign has to cater to your target population.

Hence, the first and certainly the most crucial step of such a program, consists in assessing one’s knowledge on information security. A questionnaire is usually used for this step.

The campaign can then be launched using several formats. Workshops could be set up for specific groups focusing on the specific threats they may encounter. Videos or a series of short video episodes for all employees can be used to explain the different risks and dangers (WAP, phishing, DDoS, cookies, etc.). Using videos is a very efficient, entertaining and intuitive way of illustrating and explaining the different risk factors that are usually intangible for us as users behind our computers.

And finally, this kind of campaign can be used to set up a competition between the countries of an international organization with game apps, as a way to generate more interest and engagement. Organizing such challenges or competitions is also a good way to measure the buy-in of employees and check if the awareness campaign and related programs are taken seriously.

… and setting up a long-term action plan

For a cybersecurity campaign to be efficient, it has to be thought through to last. The program has to be updated regularly, has to factor in the different training availabilities of employees and remain abreast of the various technological advances. Goals have been set in order to evaluate achievement. The coordinators of this program can therefore continue to support and promote training content to employees accordingly. Setting achievement goals year after year helps create a positive dynamic and a virtuous circle that in time will keep the pandemic at bay for good.

The goal therefore of a cybersecurity awareness campaign is twofold: trying to bring together all the employees in the long run and getting as much buy-in as possible. It is nothing more than conducting Change Management for all the employees of an organization bringing in all the stakeholders to take part in order to reach the Holy Grail of Cyber Safety: Herd Immunity.

Just like the Coronavirus, there may very well be the emergence of new strains. When it comes to hackers, it is impossible to uncover all the different tricks and ruses they can come up with because they are usually one step ahead of everyone.

The only way to keep safe in this technological wild west is to embrace the situation as an additional opportunity to break down the barriers of innovation.

READ THIS ARTICLE ON SILICON.FR