In today’s digital landscape, cybersecurity awareness is not just a nice-to-have; it’s a critical component of an organization’s overall security strategy. An annual cybersecurity awareness plan ensures that employees stay informed, vigilant, and equipped to defend against cyber threats. In this article, we’ll outline key elements to help you get started with creating your comprehensive awareness plan.
1. Assess Your Current State
Before diving into planning, assess your organization’s current cybersecurity awareness level. Conduct a baseline assessment to identify:
All current security awareness activities.
The cybersecurity topics you cover.
The frequency in which employees engage with your content.
How easy it is for someone without any technical knowledge to understand your key messages.
How visually engaging and eye-catching your content is.
Visualise these activities across a calendar year to represent your current baseline cyber awareness plan. This can help you identify if your current efforts are frequent enough to drive the expected outcomes.
If you can add your reach and engagement to each activity, such as how many times a person read your article or reported a phishing email, then you will have a measurable baseline to assess your efforts against.
2. Set Clear Objectives
It's important to understand the objectives you are trying to achieve with your security awareness efforts. This can change from business to business, however a fundamental truth to include in every awareness activity is behavioural change.
There are safe cybersecurity behaviours that can help protect your business from cyber compromise, and unsafe behaviours that can lead to a cyber compromise. Understanding what the safe behaviours are is crucial as it should be the primary pillar in your awareness plan.
Define specific objectives for your awareness plan that align to safe cybersecurity behaviours. For example:
Increase Phishing Awareness: Teach employees to recognize phishing emails, avoid clicking suspicious links, and report messages to your IT department.
Breaking the above objective down into its core behavioural elements will provide a guideline for pieces of awareness content and messaging. For example:
Teach employees to recognize phishing emails.
Avoid clicking suspicious links.
Report messages to your IT department.
Don't be afraid to extend your awareness activates to priority business objectives, policy, frameworks, strategies, attestations and other pieces of compliance activity - Remember that if you are setting an expectation of your people through policies and attestations, its critical to support your staff with the awareness they need to meet those expectations.
Now that you have the methodology behind defining the 'What', it's time to look at the 'How'...
3. Create a Year-Long Calendar of Content
A golden rule for increasing an organisations security behaviour and culture is to spread awareness activities throughout the year. Short, sweet and frequent awareness has been proven to be the most effective.
The second golden rule is to vary the mediums you use to create your content. Employees have different learning styles - some are visual learners, others are auditory and so on. Ensuring you have a healthy mix of mediums is essential.
Don't be afraid to explore, test and trail new types of content and how its delivered - this can lead to some amazing results! Some ideas to get you started:
Email Campaigns: Include eye-catching subject lines to encourage opens.
Posters and Infographics: Design visually appealing posters and infographics.
Comic Strips and Cartoons: Use relatable scenarios and stories to convey messages.
Intranet or Internal Websites: Create a dedicated security awareness section on your intranet.
Videos and Webinars: Host webinars with guest speakers or internal experts.
Interactive Quizzes and Games: Gamify learning with interactive challenges.
Lunch-and-Learn Sessions: Discuss recent security incidents, best practices, and FAQs.
Screensavers and Desktop Wallpapers: Create custom screensavers or wallpapers with security reminders and rotate them periodically.
Interactive Workshops and Training Sessions: Invite employees to participate actively.
Physical Swag and Giveaways: Distribute branded items (e.g. pens coffee mugs, etc) with security messages.
4. Content Creation for your Cyber Awareness Plan
Once you've determined 'What' to include in your annual awareness plan, and 'How' you want to deliver it, it's time to start exploring how you want to create your content. There are three primary ways to create content, each with its pro's and con's:
Creating Content Yourself:
Pros:
Control: You have full control over the content, ensuring it aligns perfectly with your brand voice and messaging.
Business Knowledge: You intimately understand your business, products, and audience. Cons:
Time-Consuming: Content creation can be time-intensive, especially if you’re managing other aspects of your business.
Skill Requirements: You need cyber security expertise, writing, design, and communication skills.
Hiring a Security Consultancy:
Pros:
Expertise: Consultants bring specialized knowledge and experience.
Efficiency: They can create content faster than you might on your own.
Strategic Guidance: Consultants can help shape your overall content strategy. Cons:
Cost: Hiring consultants can be expensive.
Dependency: You rely on external expertise.
Purchasing Premade Content:
Pros:
Time-Saving: Instant access to ready-made content.
Cost-Efficient: Significantly cheaper than custom content creation. Cons:
Limited Customization: You can’t tailor it precisely to your brand.
A great example of a premade cyber awareness campaign kit is Education Arcades offering: "First Line of Defence: Cyber Compromise".
Remember, the best approach depends on your specific needs, resources, and goals. Some businesses combine these methods for a balanced content strategy.
5. Engage Leadership and Champions
Generating buy in is essential for all successful security awareness activities, including your cyber awareness plan. There are a few fundamental things to get right with creating advocates for your cyber awareness plan:
Identify the senior leaders across your business.
Understand their business needs and priority activities.
Articulate how safe cyber behaviours across their teams can help them deliver on their goals. For example: Identifying phishing emails can prevent a cyber compromise and mitigate the risk of a business disruption incident.
Identify people of influence and ask for their help.
The key with building support for your awareness plan is relationships - if you show that you care about their business and are genuine in your request for their help in keeping it secure, most people will completely back you.
6. Measure and Adjust
Remember when we said: 'test and trail new types of content'? Well just because a piece of content is in your annual plan doesn't mean you need to stick to it.
Measure your engagement and reach for each piece of awareness you do within the month, compare it to your baseline of activities and if it's improved over the quarter, you're good! If you see a material decrease, talk to your people to understand the root cause. It may mean you need to change the delivery method, the content medium or both in order to meet your audiences' learning styles.
Boost your measurement activities by creating security behaviour, outcome-driven metrics. This will enable you to measure the exact objectives you set out in section 2 above and give your leaders the assurance they need that your first line of defence (your people), are an effective preventative control against cyber compromise!