There are three things that will require your focus when establishing security and privacy arrangements within your institution: technology, awareness and organisation. In this blog series, we will take a closer look at awareness: what does awareness involve, what do we need to know about human behaviour, and how should you establish a robust awareness programme? This eighth blog in the series of 8 is about implementing your programme.
It’s now time for the final phase of your awareness programme: the implementation. The foundation of your awareness program has been laid. You know who your target group is, what behaviours you want to see and how you will measure the success of your programme. The time has come to prepare a timeline for your awareness programme. In the year ahead, what do you want to do and what achievements do you want to reach?
Timeline: the timeline describes which part happens at what time, and who is responsible for it. Ask a line manager to approve the timeline, then share it with all stakeholders. Tip: behaviour can be difficult to manage. To achieve behavioural change, you must offer something to confirm or reward the target behaviour at least every three months.
Engage colleagues: In the first phase, you identified who you wanted to involve in the awareness programme. For example, because you needed them to ensure grassroots support or because a certain colleague possessed key expertise. Whatever you do, be sure to involve the communication department. They can help you, for example, not just to develop the right communication tools, but also to ensure the tools are compliant with the corporate identity of your institution and to help disseminate them.
Lay the groundwork: you will need to make the necessary preparations before you can deploy the resources. For example, you have decided to run up a simulated phishing campaign within the institution. But you will, of course, need time to prepare in advance. You will need to craft a suitable phishing email; this in turn will mean giving thought to who you want to reach, when, and what will happen when someone clicks on the email. The preparations you will need to make will depend on the communication method used.
Getting started: you’ve completed all the steps. This means that your awareness programme is now ready for launch! Don’t forget to mark the starting point in an appropriate manner: invite a senior management functionary to announce the programme. For example, in the form of an email, blog or video.
An awareness programme is never finished. Perform your evaluation in good time so that you have some input for next year to determine your goals and work towards the new desired situation. Fortunately, you will discover that the second plan is completed much faster than the first one. We wish you every success, great results and lots of awareness within your institution.
- Blog #1: The utility and necessity of awareness
- Blog #2: Why an awareness programme?
- Blog #3: Who are your target groups?
- Blog #4: What is the overall aim and desired behaviour?
- Blog #5: Which factors affect behaviour?
- Blog #6: What actions and interventions should you use to encourage the desired behaviour?
- Blog #7: Is your programme having the desired effect?
About the authorsThis series of blog posts has been created by the GÉANT Cyber Security Month team, in close collaboration with SURF.
Also this year GÉANT joins the European Cyber Security Month, with the campaign 'A Community of Cyber Heroes'. Read articles from cyber security experts within our community and download resources from our awareness package on connect.geant.org/csm2022