This year marks the 20th year of Cybersecurity Awareness Month.

To recognise this milestone date, we interviewed a cyber awareness expert Jack Martin to find out what cyber professionals must do to embed a culture of cyber awareness during cybersecurity awareness month.

1. What is Cybersecurity Awareness Month?

It’s a time to really focus on your marketing, communications and culture. Security teams should use the opportunity to highlight threats, share tips and engage with people throughout your organisation.

Cyber Awareness month is for everyone and should be on everyone’s radar. It’s the security team’s responsibility to do so!

At Wavestone, we ultimately believe that embedding a culture of cyber awareness throughout your organisation is the key to success. Cyber Awareness Month is the perfect platform to build (or reinforce) this message.

2. What are the key topics to consider when thinking about Cyber Awareness?

Almost every organisation’s key threats today are related to phishing and ransomware, which obviously go hand in hand.

Phishing is generally targeted at large groups of people, but can be specifically targeted using spear phishing (targeted email attack) or whaling techniques (targeting very senior individuals). The latter is the biggest threat, as the threat actors can customise or target specific individuals or send out blanket mass emails in the hope of getting even a very small success rate.

With AI, it’s becoming even more important to be alert to phishing attempts and prevent it as much as possible. By being more alert, it can help to prevent one of the major threats, ransomware. This is a malicious attack designed to cause operational harm and negative financial impact. Prevention of ransomware can be achieved through training and awareness such as the creation of a cyber awareness programme.

3. Can you share best practice for a successful cyber awareness programme? 

At Wavestone, our opinion is that embedding a culture of cyber awareness across the entire organisation is key to success. Promoting secure behaviour and creating a culture of security awareness is not a simple task and requires an entire shift in how your organisation looks at security and the culture you have.

To help our clients, we have created a 5 steps process:

TARGET: Have a clear understanding what behaviours and culture you are trying to instil within your organisation.

AUDIENCE: Once the target is set, you can then determine the different audiences within your organisation. There will be a variety of job roles, who interact with IT systems in different ways and subject to different threats. For example, Senior management and Finance teams with access to more privileged information are likely to be a prime target and therefore, require greater attention.

MESSAGE: Clear messaging that will resonate to each audience group is vital. Tailor your messages to illustrate specific threats and what they need to do to stay secure.

ACTIONS: With the messaging finalised, it’s time to think about how to train the users within each of your audience groups using the different messages that you've created. Think about the activities that will be of most value to each group. For example, for who are most at risk of whaling or spearfishing would benefit from taking part in an escape game.

MEASURES: Essential for the success of any change programme. Understanding where you were before, where you are now and analysing if any improvements have been made. It's about working in an agile way by having checkpoints, using these measures to understand the direction of your culture. If initiatives are not having the desired effect, take action straight away, pivot or try something new. It's a cyclical process.

4. What is Wavestone doing to support clients during cyber security awareness month?

In October, the most popular ways of address cyber security awareness month are through demonstrations, fair style pop up stalls and presentations.

We regularly run presentations, live demonstrations and escape games to Senior Management or entire organisations, educating them on the big threats and how this translates to real world business speak. The escape games are a great way to illustrate attacks from the hacker’s perspective. It’s an adaptation of well-known games, such as our new offering, Cluedo, which showcases the threats hackers can exploit through everyday scenarios. These packaged items can be adapted and tailored through collaboration with your security teams. These are always a big hit with our clients!

What we have noticed is that when we perform small interactions, our clients often ask us how the output can help to shape their overall strategy. At this point, we can provide a maturity and gap analysis in behaviours to understand the risks and explore future proofing your place of business. We can then support the design and implement a strategy and methodology for culture strengthening (TAMAM).

Here’s what our clients say about our awareness training:

My team took part in the ransomware awareness training delivered by Wavestone. Thanks to its interactive nature, this session is an excellent way to brush up on crisis reflexes in just one hour. We particularly liked the realism of the training, which is based on a real-life crisis situation managed by Wavestone. The expertise of the facilitators was particularly useful in providing feedback from the field. I’d recommend this session to business teams, cyber teams and executive committees, to help them better understand the importance and best practices of crisis management.

Head of Group CSIRT at Global Bank