Cybersecurity awareness

Often seen as a minor concern

In the past, cybersecurity was mainly seen as the responsibility of IT staff. They were tasked with securing and maintaining critical IT assets through the implementation of technical measures. However, there has been a shift towards shared responsibilities between IT and the entire organization in the fight against cyberattacks. This is due to the increased risk posed by the digitalized workplace and connected systems, where exploiting the human factor still remains a key concern for organizations.

According to an analysis from the network operator Verizon, 82% of security breaches are facilitated by human factors such as phishing, stolen credentials, error and misuse. It is therefore essential that organizations prioritize cybersecurity awareness programs as part of their overall business strategy.

Nowadays many organizations still do not allocate sufficient resources to cybersecurity awareness and often tend to minimize their efforts. Telindus, an ICT services and solutions company, recently stated that only 60% of SMEs and large companies in the Benelux provide their employees with any kind of cybersecurity training. This commonly derives either from a lack of understanding of what awareness is and what impact it can have, or from unsuccessful previous awareness campaigns (caused by employees’ learning fatigue, outdated training methods, awareness activities that did not fit the company culture, etc.).

Most cybersecurity attacks are amplified by the human factor, often seen as the organisation’s weakest security link. Understanding the key risks that arise from a workforce that is unaware of cyber threats is of great importance and delivers crucial benefits for the organisation’s security posture. The consequences for companies of underinvesting in cybersecurity awareness programs can be articulated from several perspectives:

  • Reputational perspective: Negative publicity can result in fewer business opportunities and potentially cause a decline in customer trust and satisfaction, etc.
  • Financial perspective: Cybersecurity attacks can cause a company significant losses due to data loss, the inability to operate its normal business, etc.
  • Regulatory perspective: Not being compliant with regulations and standards can result in regulatory sanctions, etc.

These consequences are interconnected and can be mitigated through workforce education and increased awareness. Being internally convinced of the importance of awareness of cybersecurity risks starts with understanding those risks, in order to think and act accordingly. Instructive and tailored cybersecurity awareness campaigns empower the company to turn the human factor from the weakest link into the organization’s strongest link.

Even though securing leadership buy-in with a substantial dedicated budget for cybersecurity awareness programs can be a challenging endeavour, it remains crucial. On the one hand, education and awareness around cybersecurity risks should begin with leadership, who will allocate the necessary budget for the requested projects once the risks and their potential impact are well understood. On the other hand, it is only by “leading by example” that the leadership will make an impact at the organisation level.

At Deloitte, we use a tailored approach to guide companies in setting up their cybersecurity awareness campaigns. The first step in this process is to determine, together with the leadership, the company’s current level of cybersecurity awareness. This can be achieved by analysing existing cybersecurity awareness initiatives and identifying areas for improvement.

Once the current cybersecurity awareness state has been defined and analysed, ambitions for the future will be established. This will represent the basis for the selection of awareness activities, tailored to the company culture and ambitions.

During the program, evaluations should be carried out to determine the campaigns’ impact and effectiveness. This allows the cybersecurity workgroup to measure progress, demonstrate tangible results to the leadership, capture lessons learned and adjust subsequent cybersecurity awareness initiatives accordingly.

The following tips will help you start building your Cybersecurity Awareness Strategy:

  • Make sure the leadership supports the cybersecurity awareness program;
  • Define the campaigns and base them on the company’s key security focuses;
  • Aim for long-term change in security behaviour by inspiring employees rather than using fear tactics;
  • Don’t start too big; increase the scale of the campaigns as you gain experience;
  • Don’t reinvent the wheel. Use free resources that are available on the internet;
  • Diversify your communication channels;
  • Define key performance indicators to evaluate your campaigns and use them on a continuous basis;
  • As a collaborative engagement, the leadership should actively listen to employee feedback and take it into account when implementing future initiatives.

According to a publication in the “Journal of Cybersecurity”, measures to determine the effectiveness of a cybersecurity campaign can be defined by three different factors: “Knowledge, Attitude and Behaviour”; highlighting that the right cybersecurity initiatives with the right mindset from employees lead to the intended secure behaviour.

Specific measurement methods for evaluating these three factors include:

  • Knowledge: survey questionnaires or online tests after trainings to evaluate employees’ knowledge of cybersecurity.
  • Attitude: surveys that gauge employees’ concerns, beliefs and willingness to protect their company make it possible to measure their attitude. Furthermore, the number of visits to the security intranet or public cybersecurity pages can be tracked, and employees’ interest in non-mandatory cybersecurity initiatives, such as information booths and cybersecurity awareness games, can be monitored.
  • Behaviour: the following techniques can be used to evaluate employees’ behaviour: tracking the number of people reporting potential phishing links or security incidents, performing tests to verify whether employees are using weak passwords, tracking the emails that are sent for private purposes, etc.
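The behaviour measures above and the earlier tip to define key performance indicators and track them continuously can be turned into concrete campaign metrics. The script below is an added example, not part of the original article or of Deloitte’s own tooling; it assumes a constructed set of phishing-simulation events (delivered, clicked, reported) and computes per-campaign click rate, report rate and median time to report, plus the delta between two campaigns.

```python
from collections import defaultdict
from statistics import median

# Constructed sample events from a phishing simulation (not real data):
# (campaign, user, event, minutes after the simulated mail was sent)
EVENTS = [
    ("Q1", "alice", "delivered", 0),
    ("Q1", "alice", "reported", 4),
    ("Q1", "bob", "delivered", 0),
    ("Q1", "bob", "clicked", 12),
    ("Q1", "carol", "delivered", 0),
    ("Q1", "carol", "clicked", 3),
    ("Q1", "carol", "reported", 9),   # clicked first, then reported: still counts as a report
    ("Q1", "dave", "delivered", 0),
    ("Q2", "alice", "delivered", 0),
    ("Q2", "alice", "reported", 2),
    ("Q2", "bob", "delivered", 0),
    ("Q2", "bob", "reported", 30),
    ("Q2", "carol", "delivered", 0),
    ("Q2", "carol", "clicked", 5),
    ("Q2", "dave", "delivered", 0),
    ("Q2", "dave", "reported", 15),
]

def campaign_kpis(events):
    """Per campaign: delivered count, click rate, report rate, median minutes to first report."""
    per = defaultdict(lambda: {"delivered": set(), "clicked": set(), "reported": {}})
    for campaign, user, event, minutes in events:
        b = per[campaign]
        if event == "delivered":
            b["delivered"].add(user)
        elif event == "clicked":
            b["clicked"].add(user)           # a user who clicks twice still counts once
        elif event == "reported":
            b["reported"].setdefault(user, minutes)  # keep the first report per user
    out = {}
    for campaign, b in per.items():
        n = len(b["delivered"])
        times = sorted(b["reported"].values())
        out[campaign] = {
            "delivered": n,
            "click_rate": round(len(b["clicked"]) / n, 3) if n else 0.0,
            "report_rate": round(len(b["reported"]) / n, 3) if n else 0.0,
            "median_report_min": median(times) if times else None,
        }
    return out

def trend(kpis, earlier, later):
    """Positive deltas mean the later campaign improved (more reports, fewer clicks)."""
    return {"report_rate_delta": round(kpis[later]["report_rate"] - kpis[earlier]["report_rate"], 3),
            "click_rate_delta": round(kpis[earlier]["click_rate"] - kpis[later]["click_rate"], 3)}
```

Report rate and time to report are the KPIs that reward the desired behaviour; tracking only click rate tends to push campaigns back towards the fear tactics the article advises against.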

In conclusion, raising cybersecurity awareness within a company is a long and continuous journey. It requires persistence, reflection, investment and vision. It is a collective effort whereby everyone must be informed and stay vigilant to secure the digital environment of the company and act as a human firewall.

Leadership buy-in and strong goal setting are a crucial starting point. Education on cybersecurity risks is a key objective, and tangible results from cybersecurity awareness programs will encourage further investment in and continuation of awareness campaigns.