Considering that 82% of security breaches in an organization are the result of human error (Verizon, 2023), and that 1 in 5 email attacks is successful (Tessian, 2022), it’s safe to say that cybercriminals have no shortage of tricks to dupe your employees into clicking on a fraudulent link. It is therefore essential to create a culture of cybersecurity prevention today. 

In response to this constant threat, last year the MS solutions team introduced you to its continuous phishing simulation platform, Vigilance. To help you get the most out of the platform, we’re publishing an article today dedicated to maximizing its use. 

You’ll discover why most awareness campaigns fail, Vigilance’s strengths, and tips for building a culture of cybersecurity prevention, from communication to performance measurement. 

Why do most awareness campaigns fail? 

Cybersecurity awareness is a cornerstone of online threat prevention. However, despite efforts to inform employees about cybersecurity best practices, many awareness campaigns fail to achieve the desired results. Let’s delve into the most common reasons why these campaigns fail to achieve their objective. 

1. Don’t just tell employees what they shouldn’t do, without emphasizing positive safety knowledge or behaviors. Too often, awareness campaigns focus on what not to do, rather than on the positive safety actions employees should adopt. Instead of simply listing the mistakes to avoid, it’s essential to provide concrete advice on the steps you can take to strengthen your organization’s security posture. Vigilance incorporates this philosophy by highlighting the behaviors and knowledge that foster a culture of prevention. 
2. Focusing too much on phishing. While phishing is undeniably a major cyber-attack tactic, it’s only part of the equation. Awareness campaigns should not be limited to this aspect alone, but rather address a wide range of potential threats, from malware to social engineering attacks. Vigilance offers a holistic approach to awareness, covering a variety of cyber threat scenarios.
3. Use content that is neither contextual nor specific to the organization. Generic, non-organizational content can seem impersonal and irrelevant to employees. Successful awareness campaigns take into account the organization’s specific culture, processes and challenges. Vigilance offers customizable content that can be tailored to each company’s unique needs.
4. Measuring the success of a program based primarily on execution rather than effectiveness. Simply taking part in training or passing a phishing simulation does not guarantee that employees have acquired the skills needed to detect and prevent threats. Awareness campaigns need to be evaluated on their actual effectiveness in reducing incidents and reinforcing a culture of prevention. 
5. Reprimand people who fail a phishing simulation. A punitive approach to employees who fail phishing simulations can create an atmosphere of fear rather than constructive awareness. The truth is that anyone can be fooled by a well-designed simulation. It’s better to use these failures as learning opportunities to reinforce detection skills. 
6. Benefit from good tools, but neglect their support. Even the best awareness-raising platforms can’t deliver optimal results without proper support. Managers and supervisors must play an active role in providing guidance, answering questions and encouraging employee participation.

Vigilance: highlights 

Now that we’ve explored the common challenges in cybersecurity awareness campaigns and the importance of creating a culture of prevention, it’s time to dive into the strengths that make Vigilance an exceptional platform, from both an employee and manager perspective.  

From the employee’s point of view:  

• Over 120 bilingual, soon to be trilingual courses: Vigilance offers employees access to a comprehensive library of over 120 cybersecurity awareness courses. These courses cover a wide range of topics, from the latest threats to best practices for protecting oneself online. This gives employees the opportunity to reinforce their knowledge and skills to become active players in defending the organization’s security. 
  
• Dashboard with individual risk rating: each employee can access a personal dashboard displaying his or her individual risk rating. This rating reflects the employee’s sensitivity to safety risks, and helps them understand where improvements are needed. This enables employees to track their progress and identify specific areas where they can strengthen their safety posture.
• Continuous phishing simulations: your employees will be regularly put through their paces to test their knowledge of how to identify phishing e-mails. You’ll know whether they ignored the simulations, clicked on an attachment or link in these e-mails, and whether they reported them. In the event of failure due to clicking on a simulated e-mail, they will be notified by e-mail and will be required to complete refresher training.  

From the manager’s point of view: 

• Dashboard to track your teams’ progress: managers have access to a comprehensive dashboard that enables them to monitor their teams’ progress and performance in terms of cybersecurity awareness. This facilitates the proactive management of skills and knowledge within the organization. 
• Phishing simulation e-mails: Vigilance offers the possibility of sending phishing simulation e-mails to your employees to assess their ability to detect attacks. This feature helps managers identify weak points and target areas requiring special attention. 
• Over 250 phishing e-mail templates: for a more realistic approach to training, Vigilance provides a library of over 250 customizable phishing e-mail templates. These templates offer concrete examples of attack tactics, helping employees to better understand cybercriminals’ strategies. 
• Evolving templates to stay current and legitimate-looking: the phishing email templates included in Vigilance are constantly updated to reflect the latest attack tactics. This enables employees to stay prepared for emerging threats and new methods of cybercrime. 
• A wealth of monitoring reports: Vigilance provides a variety of detailed monitoring reports to assess the effectiveness of cybersecurity awareness within your organization. These reports provide valuable information for identifying trends, areas for improvement and successes.

In short, Vigilance is much more than just a cybersecurity awareness platform. It’s a powerful tool that transforms the way employees and managers approach online security.  

Cybersecurity prevention culture: communicate & measure

Maintaining a robust culture of cybersecurity prevention within your organization is a task that requires ongoing commitment and a strategic approach. In this section, we’ll explore the steps involved in establishing such a culture through effective communication, how to measure its performance and how to effectively present the results achieved. 

Communicate 

Before: to bring people together and get things off to a good start  

• Communicate on the arrival of the platform   
•  Make training mandatory, involving managers and the HR team.   
•  Hold a meeting with your teams to present the platform, its interface, training courses, etc.  
•  Organize time slots dedicated to continuous training    
•  Communicate the performance objective    
•  Plan a contest for the best risk rating 

During: to animate and maintain interest on an ongoing basis 

• Share best risk ratings regularly: regularly track risk ratings and share employee progress and successes. This motivates them to maintain their good safety practices.  
• Schedule individual follow-ups to take stock: schedule one-on-one interviews with employees to discuss their risk ratings, their progress and areas where they can still improve. 

After: to enhance, evaluate and improve over the long term 

• Continue to value individual and collective progress and efforts: highlight employees’ progress and efforts in cybersecurity. This strengthens their commitment and creates a culture of continuous learning. 
• Present the number of phishing simulations avoided: show the number of potential attacks avoided thanks to employee vigilance. This illustrates in concrete terms their positive impact on the organization’s security. 

Measure

Analyze the results using the reports available. Here are the 5 most popular on the platform: 

1. Survey results report  
2. Phishing simulation report  
3. Security dissonance report  
4. Awareness and training report  
5. Course summary report 

In short, building a culture of cybersecurity prevention requires constant communication, solid performance indicators and effective presentation of results. By following these tips, you can not only strengthen your organization’s online security, but also demonstrate its value and effectiveness at every level. 

In short

In conclusion, creating and maintaining a culture of cybersecurity prevention requires a strategic and proactive approach. Vigilance offers a comprehensive solution to the persistent challenges of awareness campaigns, focusing on positive practices and providing powerful tools for employees and managers. Through transparent communication, evaluation based on real indicators and careful presentation of results, your organization can not only strengthen its online security, but also demonstrate its resilience and commitment to protecting valuable data and assets. Adopting Vigilance marks a step towards a strong and sustainable cybersecurity culture. 

💡 Go further with Vigilance + for a more versatile and agile tool. You’ll benefit from an additional bank of training courses on cybersecurity and Microsoft 365 tools, plus the ability to add your own content.

This article presents content discussed during a previous webinar. To watch a replay of that webinar (french only), click here. Subscribe to our newsletter to receive invitations to future webinars.