It's a fact: attackers are redoubling their ingenuity to make their phishing attacks realistic and less and less discernible to the untrained eye. However, you have the keys to reducing the success of cyber attacks, if not completely neutralising them. By raising awareness among your employees, who are the cybercriminals' prime targets, you can reduce the number of them who let themselves be fooled and develop a culture of reporting, which is essential to the success of your cyber strategy and your cyber resilience.
1. Develop a culture of reporting
Because they are the first to be targeted by attackers, your employees are a key gateway to your information systems. As such, they must be the first line of effective defence for your digital assets. However, this depends on their familiarity with cyber issues, their knowledge of the risks and what to do in the event of an incident. Transform your employees' attitude so that they become active members of your first line of defence. To do this, your role is essential.
a) Train your employees
Awareness-raising and training are an essential first step. By giving them a set of guidelines, tangible elements on which they should focus their vigilance, you can give your teams the benchmarks they need to identify security incidents effectively. You can only identify what you already know.
b) Encourage their efforts
For the first awareness-raising stage to be effective, it is important to get a clear message across: to err is human and the phishing traps set by attackers are becoming increasingly sophisticated. In this context, the climate of trust between your staff, your cyber and IT teams is important. Make sure that employees are encouraged in their approach and that they are not afraid to report an incident. The climate of encouragement and non-punitive attitude that you create on these subjects is therefore key.
c) Communicate procedures
Communicating with your staff about the right to make mistakes is important. But the next step is essential. An employee who is no longer afraid to report an incident needs to know clearly how and to whom to do so. The channels for reporting incidents or security breaches must be known to your employees and they must be regularly reminded of them.
2. Measure your efforts
Efforts to raise awareness of cyber issues are crucial. In fact, a growing number of companies are committed to doing just that. But the next stage, measurement, is more rarely considered by organisations. And yet it is this measurement that enables the effectiveness of the awareness-raising measures adopted to be monitored. In terms of awareness, two indicators deserve your attention and should be monitored:
a) The number of incidents or information leaks
Make sure you keep a close eye on this rate and actively strive to reduce it. Even if reaching 0% is an ambitious objective, by getting closer to this ideal, you will reduce the subsequent efforts required of your IT teams to resolve incidents.
b) Suspicious event reporting rate
Measuring this rate enables you to monitor the extent to which your employees are embracing the reporting culture. Rather than making them feel guilty when they realise they have been the victim of a malicious campaign, encourage them to report the incident (better late than never). By aiming for a gradual increase in the reporting rate, you can ensure that your employees are involved in your defence, and that they play an active part in stopping attackers making inroads.
Awareness programmes should monitor these 2 indicators in parallel, as it is only together that they can truly measure the impact of the efforts made.
3. Commit to resilience and continuous improvement
When it comes to resilience, it is in the area of cybersecurity that businesses plan to invest the most over the next two years (Global Crisis and Resilience Survey 2023, PwC). The same study shows that companies that have moved to an integrated resilience programme are far more advanced in many essential elements of operational resilience. The same is true of cyber resilience.
Raising awareness and training your employees is an essential step on the road to greater cyber resilience.
Make sure you communicate your efforts, and use the vulnerabilities you identify and the incidents you experience as learning points for your employees.
Make sure that the messages delivered during training are understood and applied. New training technologies can help you to make your training attractive and impactful. Secondly, adapt the content of your cyber awareness and training programmes to the different audiences within your company (managers, users with access to more sensitive data, IT teams, standard users): their needs, knowledge and levels of cyber maturity are all different, but they should all feel concerned in their own way about their company's cyber security. Finally, don't neglect the stage of updating your training programmes, incorporating feedback from experience, new attack techniques or even monitoring data from a Threat Intelligence tool, for example.
Raising awareness must be an integral part of your cybersecurity strategy. If it is to achieve its objectives, it needs to be regularly assessed, be a long-term process to anchor a cyber culture at all levels of the company, and make employees the key players in your organisation's defence.