Cybersecurity awareness campaigns.
How to organize an effective digital security awareness campaign.
Most organizations have cybersecurity systems and technological measures in place to defend against increasing cyber attacks from all types of cybercriminals. About 70% of these attacks target computer and cell phone users.
Given this reality, many companies and public administrations are considering carrying out cybersecurity awareness campaigns aimed at all members of their respective workforces. Thanks to these campaigns, organizations are able to raise awareness among their users, increasing their level of protection and reducing digital security incidents.
The serious consequences of cybersecurity attacks
All organizations are exposed to continuous cybersecurity threats that pose significant risks. Both companies and public administrations suffer the consequences of the actions of cybercriminals on a daily basis. These consequences are very varied and include economic losses, temporary cessation of activity and exposure of sensitive data. For example, in November 2021, a well-known Spanish beer manufacturing company was forced to stop production for several days because an employee downloaded a document from a malicious email carrying ransomware.
A recent report by the IC3 (Internet Crime Complaint Center, FBI) estimated economic losses of US$6.9 billion in 2021, corresponding to 847,376 complaints from affected individuals or entities. The same report shows a clear year-on-year increase in economic losses.
Source: 2021 Internet Crime Report, FBI's Internet Crime Complaint Center (IC3), https://www.ic3.gov/
Given this reality, the main objective of digital security awareness campaigns is to change user behavior in the face of cybersecurity threats. In other words, the aim is to ensure that users are able to recognize threats and react in the most appropriate way to avoid falling victim to cybercriminals.
One of the actions often included in awareness campaigns is diagnosing the workforce's level of knowledge and skills, that is, their ability to recognize and avoid cybersecurity attacks.
One of the most common ways to diagnose the initial situation is to simulate an attack such as phishing or ransomware, using technology platforms built specifically for this type of simulation. The organization itself sends a "disguised" email message to the entire workforce and analyzes how users interact with it. These messages share the characteristics of malicious messages but, in the context of the diagnostic simulation, are completely innocuous.
Attack simulations provide cybersecurity managers with a great deal of information, although they also raise some issues to consider. For example, the fact that a particular user reacts correctly to a simulated attack does not guarantee that he or she did so deliberately. On the other hand, users who react incorrectly may find themselves in uncomfortable situations that were ultimately created by the organization itself.
Other diagnostic strategies consist of tests such as questionnaires or initial knowledge assessments. This approach offers some advantages: it is less invasive than simulations and makes it possible to reach almost the entire workforce in a planned and homogeneous manner.
Online training and education
Training and capacity-building courses are often the central action of cybersecurity awareness campaigns. The most common methodology is online self-study courses, because of the advantages they offer over classroom training: online training is much more economical and allows a large workforce to be trained more quickly.
Highly effective online courses are available that incorporate interactive activities, simulations of real-life situations, practical exercises and evaluation tests. These elements ensure that each user achieves a high level of protection thanks to the knowledge and skills conveyed to the participants.
These are the main characteristics of effective learning materials:
- Simulation of situations, using typical work scenarios, images, characters and dialogues that allow participants to identify with the context and place themselves in it, thus encouraging interest in following the learning process and reaching the desired level of knowledge and engagement.
- Interactive simulations of typical cybersecurity threats. These simulations will guide participants through specific situations, facilitating the practice of correct behaviors in a safe simulated environment.
- Technical concepts needed to contextualize the security procedures being taught.
- Step-by-step instructions through tutorial formats.
- Teaching resources such as exercises, questions and interactions designed to hold participants' attention and increase the effectiveness of learning.
- Short modules, of between 15 and 20 minutes each.
- Measurable learning: time spent and assessment results can be tracked and reported.
Corporate messages, posters and banners
There are many other elements that complement the courses. For example, organizations can include digital security risk prevention among their internal corporate messages. On a regular basis and under the sponsorship of senior management, these corporate awareness messages can include news, reminders and information on specific threats for which an alert level needs to be maintained. Banks follow a similar practice with their customers: most of them send messages informing about possible risks and the guidelines to follow to avoid becoming a victim of bank fraud.
Other elements are banners that can be incorporated into corporate intranet pages. Along the same lines, but in the physical space, another strategy is to distribute posters in places such as coffee areas or meeting rooms.
With all these elements, organizations make digital security part of the daily life of the entire workforce and therefore raise the level of protection that depends on the behavior of their users.
Digital security awareness should be understood as an ongoing process. A campaign based on a single action loses its effectiveness as the months go by. Another important reason is that new threats are constantly appearing and can be included in successive awareness-raising actions.
To avoid this "forgetting" effect, cybersecurity prevention must be understood as a continuous process in which the learning actions, corporate messages and other elements described above are followed by further learning actions.