It’s important to recognise that people often are – and will remain – the weakest link of any organisation’s cyber defences. By assessing employee engagement, keeping up with current and potential threats, and raising awareness, the company will be much better equipped to avoid irreversible damage.

Setting up an internal cybersecurity programme

Strengthening an organisation’s cybersecurity culture is a continuous effort that requires a structured approach, clear ownership, and backing by top management. Here are five steps you can take to get started with a cybersecurity programme.

1. Establish a security team: Form a diverse team of security experts with a thorough understanding of the digital threat landscape and passion for fighting cybercrime.
2. Conduct a gap analysis: Assess the current state of the organisation by measuring internal awareness and employee engagement, as well as defining unique team or department needs.
3. Set goals: Define the project scope, and set clear objectives and goals, based on the gap analysis.
4. Develop a plan: Identify specific steps to achieve your goals and address potential gaps. Set deadlines for each step.
5. Assess and adjust: Measure progress and evaluate the impact of activities over time. Redefine goals and edit the plan as needed.

A strong cybersecurity culture is not about imposing rules from the top down; it’s about sharing responsibility, collaborating, and learning. Cybercriminals pose a serious threat not only to organisations as a whole but also to each and every one of us. Involving employees in addressing these threats helps create a sense of ownership and, in turn, embeds cybersecurity into the company’s DNA.

Keep in mind that establishing, maintaining, and expanding a cybersecurity programme is not a one-time effort but an ongoing process. Regularly evaluating and adjusting your approach will help the organisation stay resilient against ever-evolving challenges.

Activities and initiatives

There are plenty of methods for increasing security awareness and interest across an organisation. Most importantly, they should be engaging and rewarding for all participants.

Here are some informative and engaging security activities:

• Training videos: Create short and interactive video snippets, and share them internally to deliver visually engaging training. If possible, enable a comment section and encourage viewers to ask questions, share feedback, or discuss key points.
• Ethical hacking: Hire professional hackers to test the company’s cybersecurity, employee awareness, and public-facing systems. Include social engineering scenarios, such as phishing simulations, for hands-on learning.
• Webinars and e-learning courses: Host webinars or mandatory e-learning courses. Invite cybersecurity specialists to speak on industry trends and share real-life examples. Make the recordings available on your internal company platforms afterwards, and offer incentives for course completion.
• Workshops: Facilitate group tasks or discussions as part of the cybersecurity training, encouraging collaboration to address potential scenarios and challenges.
• Games: Games – whether it be a multiplayer online game or a board game – offer one of the most engaging learning methods. Try online phishing simulations, cybersecurity jeopardy templates, and security quizzes – or maybe even develop your own game?
• Scavenger hunts: Invite teams to compete in a cybersecurity-themed treasure hunt, and include fun exercises along the way. Not only does it encourage collaboration but also creates a fun and memorable learning experience.
• Posters and flyers: Place eye-catching, funny, and informative posters around the office as important reminders of important actions like using a password manager.
• Recognition and rewards: Recognise and reward proactive behaviour, like reporting suspicious emails or enabling two-factor authentication. A reward could be a team experience, access to specialised training, gift cards, or recognition across internal platforms.

→ Are you familiar with the different types of phishing, and how to prevent them?

Remember, the key to strengthening a company’s cybersecurity culture is keeping track of progress. While it's easy to track metrics from certain activities, such as the number of views on a video or participants in an online meeting, what’s most important – and trickier to measure – is how much information is actually retained. After a completed activity, run tests and evaluate feedback to evaluate the activity’s impact on cybersecurity awareness levels.

Cybersecurity is constantly evolving

An internal cybersecurity programme is not a one-time initiative or limited to specific periods. It should be a top-of-mind priority for all employees, all year round. To achieve this, dedicated security teams should consistently drive awareness campaigns and organise relevant activities, with support from the company’s leadership.

While not all businesses have the resources to maintain a comprehensive cybersecurity programme, there are many smaller-scale initiatives that are effective. Every organisation should tailor its security approach by assessing their unique needs and identifying what matters most.