Cybersecurity awareness campaigns.

How to organize an effective digital security awareness campaign.

Most organizations have cybersecurity systems and technological defenses against the growing number of cyber attacks from various types of cybercriminals. About 70% of these attacks target computer and cell phone users.

Given this reality, many companies and government agencies are considering conducting cybersecurity awareness campaigns for their entire workforce. Through these campaigns, organizations raise awareness among their users, increasing their level of protection and reducing digital security incidents.

The serious consequences of cybersecurity attacks

All organizations are continually exposed to cybersecurity threats posing significant risks. Businesses and government entities suffer daily from the consequences of cybercriminal actions.

These consequences vary and include economic losses, temporary shutdowns, or exposure of sensitive data. For instance, in November 2021, a well-known Spanish beer manufacturer had to stop production for several days because someone downloaded a document from a malicious email containing ransomware.

A recent report from the IC3 (Internet Crime Complaint Center – FBI) recorded economic losses of $6.9 billion in 2021, based on 847,376 reports from affected individuals or entities. The same report shows a clear increase in economic losses year over year.

Source: 2021 Internet Crime Report, FBI’s Internet Crime Complaint Center (IC3) – https://www.ic3.gov/

Given this reality, the main objective of digital security awareness campaigns is to change user behavior in the face of cybersecurity threats. In other words, the aim is to ensure that users are able to recognize threats and react in the most appropriate way to avoid falling victim to cybercriminals.

Initial diagnosis

One of the steps often included in awareness campaigns involves assessing employees’ level of knowledge and skills in recognizing and preventing cyber security attacks.

One common way to assess the initial situation is to conduct a simulated “phishing” or “ransomware” attack using specific technology platforms designed for these simulations. In this way, the organization sends a disguised email to everyone in the organization and analyzes how users interact with messages that have the same features as malicious messages, but are completely harmless in the context of the diagnostic simulation.

Attack simulations provide a lot of information to organizations’ cybersecurity managers, but there are some issues to consider. For example, just because a specific user responds correctly to a simulated attack doesn’t guarantee they did so knowingly. On the other hand, users who respond incorrectly may find themselves in uncomfortable situations that, after all, have ultimately been created by the organization itself.

Other diagnostic strategies include conducting tests such as questionnaires or initial knowledge tests.

This approach offers some advantages: it is less invasive than simulations and creates an opportunity to reach almost the entire workforce in a planned and uniform manner.

On-line training and education

Training and development courses are often the central action of cybersecurity awareness campaigns. The most common method is online self-paced courses because of the advantages they offer compared to classroom training. Online training is much more economical and allows you to train a large workforce more quickly.

There are highly effective online courses that include interactive activities, simulations of real-life situations, practice exercises, and assessment tests. These components ensure that each user achieves a high level of protection through the knowledge and skills shared with the participants.

The main features of effective learning material are:

• Simulation of situations using typical work scenarios, images, characters and dialogues that allow participants to identify and place themselves in context, thus fostering interest in continuing the learning process and reaching the desired level of knowledge and engagement.
• Interactive simulations of typical cybersecurity threats. These simulations will guide participants through specific situations, facilitating the practice of correct behaviors in a safe simulated environment.
• Technical concepts intended to contextualize the safety procedures that are the object of learning.
• Step-by-step instructions through tutorial formats.
• Educational resources in the form of practices, questions, and interactions aimed at maintaining the participants’ attention and increasing the effectiveness of learning.
• Brevity: each module lasting between 15 and 20 minutes.
• Measurable learning with the ability to track time spent and evaluation elements from which to report results.

Corporate messages, posters, and banners

There are many other elements that complement the courses. For example, organizations can include digital security risk prevention among their internal corporate messages. Periodically, and under the sponsorship of senior management, these corporate awareness messages can include news, reminders, and information on specific threats for which an alert level needs to be maintained. Banks, for example, practice these techniques with their customers. Most of these entities send messages informing about possible risks and guidelines to follow to avoid becoming victims of bank fraud.

Other elements are banners that can be incorporated into corporate intranet web pages. Similarly, but on a physical level, another strategy is to distribute posters in areas such as break rooms or conference rooms.

With all these elements, organizations ensure that digital security becomes part of the daily routine for the entire staff, thereby increasing the level of protection that depends on the behavior of their users.

Continuous process

Digital security awareness should be seen as an ongoing process over time. A campaign based on a single action will lose its effectiveness as the months go by. Another important reason is that new threats are constantly emerging, which can be included in successive awareness-raising actions.

To avoid this “forgetting” effect, cybersecurity prevention must be viewed as a continuous process in which learning actions, corporate messages, and other elements previously described are carried out successively.