Cybersecurity Awareness as an Essential Part of Information Security
Kathrin Noack | 14.04.2025 (updated on: 14.04.2025)

In today’s cybersecurity threat landscape, it is no longer sufficient to rely on technical measures alone to ensure a company’s information security. From an organizational point of view, clear responsibilities and processes, as well as continuous testing of all these activities, are also required. Yet for cybersecurity, people are often the most vulnerable to attacks and this is precisely where cybersecurity awareness comes in: to train employees to recognize cyberattacks at an early stage and therefore to minimize the risks they pose to the company. This article explains why cybersecurity awareness is a central component of any Information Security Management System (ISMS), how organizations can benefit from appropriate awareness measures, and how important the engagement of top management is in this regard.

Why Cybersecurity Awareness is Crucial

There are numerous reports of companies that have fallen victim to ransomware attacks originating from a successful phishing email. Those companies have suffered heavy losses as a result, both from the potential extortion payments and, more importantly, from the lost working hours and the effort required to make their IT systems and data available again (compare: Europol (2025), European Union Serious and Organised Crime Threat Assessment – The changing DNA of serious and organised crime, Publications Office of the European Union, Luxembourg).

You would think that such stories would be a sufficient deterrent for top management to take the issue of cybersecurity awareness seriously. But awareness-raising measures are costly, both in money and, above all, in working hours, and their effect can only be measured indirectly.

The Challenge of Cybersecurity Awareness for Companies

Cybersecurity awareness should be part of every functioning Information Security Management System (ISMS). Even in the international standard for information security, ISO/IEC 27001 (2022), the topic of awareness is specifically mentioned (section 7.3). It states, essentially, that employees should know and understand the information security policy of the organization for which they work.

Integrating cybersecurity awareness into a company’s ISMS takes time and continuous communication. Convincing top management, however, is a challenge because awareness measures are often considered difficult to evaluate and they require resources. At the end of the day though, top management is responsible for promoting information security, and therefore cybersecurity awareness, and for allocating the resources.

Employees play the central role in awareness. They need to be trained according to their level of IT knowledge and job requirements, so they can recognize security risks and react appropriately. Their performance, with their actions or omissions, directly affects the company’s level of cybersecurity resilience.

The crucial factor is not only the knowledge acquired by employees, but also their motivation to apply this knowledge consistently in their day-to-day work. It is therefore management’s job to support employees in line with their IT skills and job-related activities to develop the necessary cybersecurity awareness in the first place. The objective is to enable employees to actively strengthen their company’s cybersecurity by acquiring the necessary know-how to do just that.

The Employee as First Line of Defense

In the digital world, a single employee can inadvertently and under the right circumstances have a disturbingly direct influence on an entire company. The time period between a successful phishing attack and the installation of malware is often alarmingly short. If attackers remain undetected, they use the time gained for lateral movement within the IT systems – often with the aim of gaining privileged access or compromising critical systems. This often results in ransomware paralyzing the entire company – with potentially devastating consequences for operations and reputation.

However, the demands on a company’s top management are many and varied. Cybersecurity is often not the first, second or tenth priority on a CEO’s to-do list. So how can cybersecurity awareness be communicated to management as an important part of corporate security? And what could company-wide awareness measures look like so that they are accepted and positively received by all, from employees to line management and, finally, top management?

A Success Story: The SBB Cybersecurity Champions Program

At the Swiss Security Awareness Day of SWITCH, on October 24, 2024, a wide range of issues related to cybersecurity awareness were discussed, from the perspective of companies, government agencies as well as academia. The importance of having the top management level on board was evident in almost all presentations and workshops.

There is no secret formula for coaxing resources out of top management. Nevertheless, there are many industries that have understood how essential cybersecurity is for their continued survival. A good example of this is SBB (Swiss Federal Railways), which, as an operator of critical infrastructure, is subject to particularly high security requirements.

Within SBB, cybersecurity has been officially classified as a top threat by the CEO. Accordingly, a long-term, internally built cybersecurity awareness structure with its own team has been set up. In the initiation phase, numerous discussions were held with different management levels. Additionally, many employees were asked for feedback in the process. The objective of this extensive starting phase was to determine how awareness can best be anchored within SBB and, above all, tailored to the very different levels of IT knowledge among employees, as the SBB representative explained at the Swiss Security Awareness Day. He emphasized that communication with management was and is key so that cybersecurity efforts can bear fruit in the long term.

One of the most successful awareness measures was the creation of a network of security champions within SBB. Establishing such a network is a lengthy process that requires a lot of time, resources and long-term commitment. SBB has achieved this by continuously investing in community management and allowing for benefits such as extra training, which security champions can receive in recognition of their work. Most importantly, the top management of SBB ensured that security champions receive sufficient working hours for their tasks.

This effort is worthwhile in the long term, as it empowers the employees in their everyday tasks. The commitment of their own peers as security champions motivates the teams and engages them in their day-to-day work. In addition, the champions can actively suggest improvements to better integrate cybersecurity into their work processes and report potential vulnerabilities or cyberattacks.

As for the workload of a cybersecurity champion, the benchmark mentioned several times at the conference was approximately 2% of the working hours of the respective employee, who acts as a multiplier in their team. To allow for these resources, support from management is crucial. The endorsement has to come primarily from the top level. Yet middle management must also support the security champions within their teams so that they can adequately fulfil their role.

How Awareness Measures Can Be Successfully Implemented

How to Ensure Management Support

Cybersecurity awareness requires strategic planning, especially to convince top management of the need to invest in training and awareness-raising measures.

They need to understand the costs and benefits of cybersecurity awareness for their organization. The risks of a successful ransomware attack triggered by a successful phishing email can be a helpful example of what is at stake, especially if the example is chosen precisely for the type of company for which an investment in awareness measures is under consideration. In my opinion, this deterrent method can be successful for budget approval, but I would personally emphasize that awareness is an essential part of a sustainable security strategy as well.

Do Awareness Measures Work? – The Catch With Phishing Simulations

Another opportunity to demonstrate the advantages of awareness is to present evidence that awareness measures actually work. The wide field of phishing simulations can provide data for evaluating the potential success of a phishing mail. However, there are serious pitfalls to phishing simulations, as researchers have found (see, for example: Volkamer, M., Sasse, M. & Boehm, F. Phishing-Kampagnen zur Steigerung der Mitarbeiter-Awareness. Datenschutz und Datensicherheit (DuD) 44, 518–521 (2020)). One common conclusion of these studies is that if a company decides to use phishing simulations, they must be integrated into a series of coordinated awareness measures to have a chance of being well received by employees.

Consequently, phishing simulations should be used judiciously. If they are used in isolation or as a pure control instrument, they can foster mistrust of one’s own management. Successful programs combine them with supportive measures that empower employees to recognize threats rather than punish them.

E-Learnings and Gamification

Awareness-raising measures that work in tandem with phishing simulations, or on their own, include e-learning and games. These have the advantage that, in addition to evaluating participation and click rates, they also train interaction and behavior, so that employees learn to react correctly to phishing e-mails. In addition, general awareness measures such as messages on displays, posters, lock screens etc. help to recall what has been learned. All these measures combined may be costly, but they significantly increase visibility and thus the learning effect.

There are various providers of cybersecurity awareness platforms that offer phishing simulations in combination with learning tools and additional gaming content. Yet even when using these platforms, it is important that a knowledgeable employee within the company adapts the content and methods of the selected awareness platform to the respective target groups and their needs. Only then will employees have a chance of meaningfully integrating what they have learned into their day-to-day work. This, in turn, will enable them to recognize possible cyberattacks and then report them.

Together, these measures can support an error-tolerant culture that makes it easier for employees to turn to their IT security team. Once such activities are established, reports of suspected phishing mails, for example, are an indicator of how many employees are actively involved in their company’s cybersecurity. This indicator is more reproducible than the rate at which people click on a simulated phishing mail, since the latter depends heavily on how realistic the fake phishing email is and whether it is easy or difficult to recognize.

Conclusion

The implementation of awareness measures requires well-planned strategies to convince top management of their benefits and to establish a sustainable security culture. An important start is often a clear and, as far as possible, realistic presentation of the risks posed by cyberattacks resulting from the human factor, tailored to the organization or company, including the costs of possible countermeasures. The costs and benefits of awareness-raising measures also need to be illustrated to complete the picture. At the same time, processes should be identified for evaluating how employee awareness of cyberattacks improves over time.

Line management needs to know that they have the necessary resources in terms of time, money and appropriate training tools at their disposal for their teams. With the support of top management, an IT security awareness team can greatly help to facilitate the process and adapt the necessary tools to the IT knowledge of employees. They can tailor e-learning courses to the working environment and offer appropriate advice. This will provide long-term support for individual departments, their managers and their employees. Ultimately, it is the employees who are a company’s most important resource when it comes to cybersecurity: they are usually the first to be affected by, and the first able to report, cyberattacks that target them individually but have the potential to bring the entire organization to a standstill.

Author

Kathrin Noack works as Cyber Response & Security Consultant at Oneconsult AG. Prior to that, she was part of the CISO-Office of ETH Zurich in her role as information security and awareness project manager.
