Have you noticed that it’s June, already?! Crazy how fast time flies by when busy. But Q2 of 2022 is almost ready to be closed, so why not have a peak at what the second half of the year has in store for us? Summer holidays you say? Sandy beaches and happy hour cocktails? Or cool mountain air and challenging MBT tracks? Messily written out-of-office messages, kindly asking to park that question till early September?
Yes. It’s all that. But there is more. For us, it’s October that is highlighted.
October is Cyber Security Awareness Month, the peak season for Security Awareness professionals (and enthusiasts 😉). In Europe, the European Cybersecurity Month (ECSM) has taken place every year since 2013 and has been incorporated in the implementing actions of the Cybersecurity Act (CSA). The focus on making it a yearly recurring event is strong and in today’s world we might need this initiative to spotlight security awareness more than ever.
But October is still 3 months away…
3 reasons why a successful Cyber Security Awareness Month starts NOW!
1. Take your time to get inspired
Cyber Security is a specific yet very broad domain. There are endless topics to cover, levels of complexity, target audiences… Needless to say pinpointing your focus for Cyber Month won’t be easy. Depending on available time and budget it may be difficult to pick the best approach. That is why it is important to take your time to get inspired. How? Here some ideas.
- Take a step back and review what you cover already in the previous quarter. Which topics went down extremely well with your target audience? Which ones didn’t and why?
- What topics people are already familiar with? It might be a good idea to remind your team of what they already know instead of overwhelming them with only new content;
- Do not let a good incident go to waste!
- Make sure to involve the technical teams managing security and dig for input on “real” incidents. Showing people what happened or might happen makes security more tangible;
- Use security awareness topics that are trending in the local media as a coat rack for the message you want to bring across;
- Check what other organizations are talking about this year. Is it relevant for you? No need to reinvent the wheel 😉
- Keep it simple. Focus on 1 topic and make it really stick.
2. Organizing impactful activities takes time!
Once you have a clear view on the topic to cover and the message you want to bring across, it’s important to consider how you want to do that. And let’s be honest, if you really want to make an impact during Cyber Month, sending a boring email that is all work and no play isn’t going to cut it. There is no magic formula but there are a few things that you could consider:
- Triggers and motivation: typically cybersecurity awareness month allows us to be more playful than the rest of the year. Why not using different triggers too?
- Get emotions running: testimonials are among the most relatable tool you can use. Careful with the balance between “scary” and “empowering” stories!
- Talk to the informed ones: propose an in-depth approach. extra-professional resources, panel discussions, external speakers…
- Roll up sleeves: Most of us learn by doing. That is why games, experience workshops and 1to1 demos work well.
Make sure you have a good motivation to attract your people.
- Contests with a final gift are a classic, but you only need to attend a professional fair to see those still work.
- Goodies? Require budget. Physical items may draw negative attention by being perceived as wasteful. Are we against them? No, but choose carefully.
- Make sure you have a good “how this will improve your life” story. Remember that protecting your family and friends is a better motivator than protecting your company (ok, it is not so much of a secret)
You can read in our blog how we applied all this last year or reach out for a demo.
3. Get your stakeholders on board early
Cyber Month is not a one man/girl/team show. No matter how inspiring your activities, if you are running it alone it will be very difficult to bring your message across. That’s why it is crucial to start promoting Cyber Month early towards all stakeholders. Often even before you have anything planned. Getting all off your ducks in a row before summer will give you peace of mind when organizing and planning later on.
Here’s a few stakeholders to consider and why*:
- Top Management: money and support!
- Communications: to make sure you reserve a spot for cyber month on all communication channels (weekly newsletters, intranet, emails, cctv, social media, …);
- Technical teams: back to the “inspiration” argument. And of course to validate content.
- HR: to help you define and identify target audiences and DOs / DON’Ts in the organization.
*Depending on the size of organisation there might be more or less stakeholders to consider.
“Opps! I wish I had read this 2 months ago”
Are you reading this by the 20th September? 0 € on your budget?
Don’t panic. Even with time and money constraints, there is good, generic content freely available on the internet covering at least the top 10 of most current threats. It’s usually even tweakable to make it look and feel branded for your own organisation.
ENISA, the European Union Agency for Cyber Security, coordinates the organisation of the European Cybersecurity Month (ECSM) and act as “hub” for all participating Member States and EU Institutions. The Agency also publishes new materials on yearly basis.
A great resource in Belgium is Safeonweb, an initiative of the Centre for Cyber Security Belgium that also launches a new campaign every year.
If nothing else, these will provide a good starting point. And next year, make sure you start early on!
About the authors
Hannelore Goffin is an experienced consultant within the Cyber Strategy team at NVISO where she is passionate about raising awareness on all cyber related topics, both for the professional and personal context.
Mercedes M Diaz leads NVISO Cyberculture practice. She supports businesses trying to reduce their risks by helping teams understanding their role in protecting the company.