The creation of Wavestone’s new internal awareness program (2/2)

Cyberrisk Management & Strategy

Posted on

Find the entire story about the creation of TRUST in my first article.

 

A campaign launch is all well, but how do you keep it going over time?

The creation of TRUST was not an end in itself, but a stepping-stone for the future.

At the start of the project, we immediately envisaged the annual pace of our two awareness plans.

Two, because we had to keep in mind that we were raising awareness for two distinct populations: newcomers and existing employees.

For newcomers, the solution is simple: plan the launch of all existing TRUST resources over one year to space out messages.

 

 

For all other employees, it’s more complex. How to get the messages across again without giving a feeling of déjà vu, fatigue or even an overdose?

We have therefore organized our awareness plan with 3 major initiatives spaced out over time.

 

A new monthly meeting: The Trust minute

 

 

A one-minute film broadcasted on all our communication channels to present 5 different messages per month:

  1. An example of an anonymous user or client incident
  2. A Trustee, our security tool presented in the previous article
  3. A security indicator (e.g. the percentage of new recruits who have completed e-learning, the number of those leaving the firm detected downloading documents before they leave). Sharing these indicators helps raising awareness and demonstrates that controls have been lifted.
  4. A daily tip given by our friend Sofia
  5. A popularized cyber news story

 

 

A new campaign of cybercoffee quizzes because it gets results

Of course, we must reinvent it, change the quizzes (but not necessarily the themes) and change the prize? All of this is easy and requires little preparation. Admittedly, this period of lockdown slightly challenged our initial plan. But it has been an opportunity to be creative and to release, in partnership with my colleagues in the Cybersecurity & Digital Trust practice, the new #TotalCyberAwakening video series about lockdown.

 

An annual global event in October during Cyber Security Month

In 2019, we organized a firm-wide competition on the theme of protecting personal digital information.

Every week, all employees received a question by email which they could answer directly via option buttons (sending a multiple-choice approval via Power Automate). Depending on their answer, they received a second email with the answer and the various tips associated to be used on a personal basis.

Answering a question and getting a correct answer would help contributing to a Euro prize fund. More than €2,100 was donated to the ISSA association, an association which Wavestone has partnered with to promote cybersecurity among schools and children.

This first game, based entirely on voluntary participation, enabled us to reach more than a third of Wavestone’s employees.

 

 

We are already preparing for next October’s initiative and this time we will go further with videos, games, meetings, quizzes under a global theme inspired by a famous TV series. What if this time, the new threat of Wavestone was the return of the White Walkers?

 

6 key elements to keep in mind

To sum up, the key elements for creating a successful awareness program are as follows:

  1. Set achievable goals
  2. Define a common thread (a theme, a brand) that will allow users to easily associate your messages with security
  3. Define a short list of messages to be communicated and stick to it
  4. Diversify the media and channels (posters, films, emails, e-learning, games) but always keep at least one event to meet the users
  5. First use the tools already at your disposal (PowerPoint, emails, PowerAutomate) before acquiring new interesting solutions if needed, but not necessarily a priority to get started
  6. Be creative and use humor to get your messages across (however, culture differences may have an impact in case of an international group)