
How to set up a cyber security awareness campaign in 6 steps

Pim de Vos Marketing Manager

Every single organization with a digital presence risks being targeted by cyber criminals. Over the past few years, the number of cyber-attacks targeting both small and enterprise organizations has skyrocketed.

No matter how well you prepare your organization for these attacks with the best technology, 95% of all hacks and data leaks stem from human error. From clicking phishing links to using weak passwords — a lack of cyber security awareness can have catastrophic consequences.

Cyber security isn’t a sexy topic. That’s why many organizations struggle with promoting cyber security awareness within their organization. In this article, we’ll help you set up a cyber security awareness campaign in 6 steps.

1. Create an information security policy

An information security policy is crucial to ensure the security of sensitive information and your digital assets. It forms the basis that every individual in your organization can fall back on when it comes to information security.

A general outline of an information security policy looks something like this:

1. Scope and objectives

  • Define the scope of the policy: What systems, networks, and data are covered?
  • Outline the objectives: What are the goals of the cybersecurity policy? This could include protecting data integrity, ensuring confidentiality, and maintaining availability.

2. Roles and responsibilities

  • Define the roles and responsibilities of individuals within the organization regarding cybersecurity.
  • Identify who is responsible for implementing and enforcing the policy.

3. Risk assessment

  • Conduct a risk assessment to identify potential threats and vulnerabilities.
  • Evaluate the potential impact of these threats on your organization.

4. Security controls

  • Implement security controls to mitigate identified risks. This could include:
    • Access controls: Limiting access to sensitive information.
    • Encryption: Encrypting data both in transit and at rest.
    • Firewalls and intrusion detection/prevention systems: Protecting networks from unauthorized access.
    • Patch management: Ensuring systems are up to date with the latest security patches.
    • Incident response: Establishing procedures for responding to security incidents.

5. Data protection

  • Define how sensitive data should be handled, stored, and transmitted.
  • Establish guidelines for data encryption, data backups, and data retention.

6. Incident response plan

  • Develop an incident response plan outlining the steps to take in the event of a security breach or incident.
  • Define roles and responsibilities during a security incident.
  • Establish communication protocols for notifying relevant stakeholders.

7. Compliance and regulations

  • Ensure compliance with relevant laws, regulations, and industry standards (e.g., GDPR, HIPAA, PCI DSS).
  • Stay informed about changes in regulations and update the cybersecurity policy accordingly.

8. Monitoring and review

  • Implement monitoring systems to detect and respond to security threats in real-time.
  • Regularly review and update the cybersecurity policy to reflect changes in technology, threats, and business processes.

9. Testing and evaluation

  • Regularly test the effectiveness of security controls through penetration testing, vulnerability assessments, and tabletop exercises.
  • Evaluate the cybersecurity policy and make adjustments as necessary based on the results of testing and emerging threats.

2. Regularly communicate policies and each employee’s role

Having a policy in place is step one. From here on out, it’s about creating the awareness among employees that the policy exists and that they should understand the content of it.

First, you should clearly document your security policy. Make sure the document is well-structured and can be easily scanned through. Also, try to avoid complex language. It’s easy to overestimate how well-versed our employees may be in certain technical terms. The goal is for your employees to understand every line.

Next, you want to make sure that the security policy is easily accessible to the entire organization. Only sending it via email won’t suffice, as it’ll quickly get buried among other emails. Instead, try using a knowledge base such as Notion or Tettra.

After that, it’s all about communication, communication, communication. Let’s face it, a big chunk of people in your organization will need a lot of convincing before they open any document with the word ‘policy’ in its title. Most of us don’t want to actually think about cyber security until it’s too late. A one-time email or Slack message isn’t going to cut it.

Your organization is going to need to communicate this regularly. The key here is ‘your organization’. Make sure that your CEO is on board and regularly mentions security in company presentations, emails, and so on. Further, ensure that employee onboarding goes over security too.

But the single most important thing you can do to communicate the importance of security is to offer training.

3. Organize regular security awareness training

Most people in your organization won’t read your security policy. And even if they do, reading a policy only gets you so far. Reading theory without any real practice usually results in little to no behavior change.

Here’s where security awareness training comes in. By regularly training your employees with bite-sized challenges, they can learn about the cyber risks that are out there, how to spot them, and how to report them.

Many information security standards such as NIS2 and ISO 27001 name security awareness training as a hard requirement. This means you won’t make it through your ISO audit without a training program in place.

There are a few different types of security awareness training:

1. In-person training: During in-person training, a teacher comes to your location to give training to larger groups. These types of training aren’t seen often anymore. Overall, these trainings usually take a lot of time and employees often are not engaged or don’t show up at all.
2. Online courses: Online courses bring these in-person trainings to the internet. Usually, these courses come with a lot of reading, scrolling through PowerPoint presentations, and watching long videos. Again, not the most engaging method for most users, as time is often limited.
3. Micro-training: With modern security awareness training software, users get a weekly or monthly micro-challenge that takes a few minutes to complete. During these challenges, they learn about modern cyber threats like deepfakes, spear phishing, and malware.

The newest trend in security awareness training is gamification. Tools like Guardey keep users engaged with short challenges, a compelling storyline, rewards, and even a company-wide leaderboard to add a fun competitive element. This makes it easier to improve participation and comply with security standards like ISO 27001 and NIS2.

4. Simulate spear phishing attacks

Phishing is still the most-used tactic by cybercriminals. With phishing, criminals send out fake emails that contain a link. When the receiver clicks the link, the criminal gets the opportunity to hack them. In the past few years, most people have learned not to trust every email. That’s why cybercriminals had to get smarter, and they have.

With spear phishing, criminals first do some in-depth research about the person they are targeting. They often use social media to extract information about their targets and/or friends. Next, they use the information from social media to pose as a trustworthy source.


Many organizations train employees to recognize phishing by running regular phishing simulations. These simulations are often automated and use general templates, without researching the target at hand. That can be a useful exercise, but it doesn’t prepare employees for spear phishing. That’s why some vendors now also offer spear phishing simulations.

5. Spread reminder materials throughout the office

Setting up a cyber security awareness campaign for your employees doesn’t always need to be complex. Sometimes, a good ol’ poster, flyer, or sticky note can also be a good reminder to change your password, turn on the VPN, or close your device before going to the bathroom.

6. Organize a recurring cyber security event

In-person events are the most powerful way to get your employees on board with security awareness. That’s why they can be such a powerful part of a cyber security awareness campaign. An event is time-consuming and requires some planning, but it’s worth it.

EyeOn, an organization from the Netherlands, decided to organize a full cyber security week to start off their cyber security awareness campaign. During the week, they had daily presentations which they called the ‘safety catch-up’. Each day had a different theme, from CEO fraud to ISO 27001 compliance. They also came up with challenges to get their employees into action. By scoring points, you could even win a trophy at the end of the week.

EyeOn's award ceremony for their cyber security week

Getting people to truly grasp the importance of cyber security can be hard. People are busy. They’ll scan over your email and forget about it. They’ll hear it during a presentation and not take it seriously. But an event like this truly forces everybody to lay down their work and pay attention. After that, your other initiatives will have a much softer landing.
