cybersécurité, cybersecurity, cyber résilience, cyber resilience, cyberattaque, cyberattack, phishing, malware, reputation, risque, risk

Categories:

Between fatigue, work overload and the constant evolution of cyberattacks, it’s not always easy to keep your teams motivated to adopt cybersecurity barriers and self-discipline in terms of vigilance. In short, create a cyber culture within your company.

Here are a few practical ideas to inspire you.

Raising cyber awareness among your employees is essential – why?

You know it by heart: cyber attacks are no longer a question of ‘if’ but of ‘when’, and all businesses are affected by threats of phishing, malware and ransomware, regardless of sector or size.

And obviously, the financial losses are substantial over several years because of the impact on the company’s reputation generated by a breakdown in the trust of its various contacts, both internal and external.

You also know that these cyber-attacks are the result of a bad habit, a lack of attention or negligence that the hackers exploit. In another, rarer case, a cyber-attack can occur as a result of an intentional act to harm the company, due to unfair dismissal, an unjust penalty, or a nauseating rumour of which an employee has been the victim.

The issue of cybersecurity is therefore not just about technological solutions, but also about management. You can have a high-performance cyber infrastructure, but if your management is not ethical and efficient, it will have less impact.

The aim is to put in place creative and powerful internal communications to turn your employees into the first line of defence. Several strategies are possible.

Summary of the article:

Obstacles to raising awareness
Creating a Cyber culture
The benefits of a Cyber culture
Download the guide

Barriers to cybersecurity awareness and how to overcome them

It is crucial to identify and analyse the barriers to awareness, so that solutions can be found. We have identified five main obstacles.

Barrier 1 – Work overload

If your employees are overwhelmed by their workload, and not able to lift their heads from the handlebars, it’s clear that their vigilance with regard to cybersecurity will not be optimal. The brain is made in such a way that it works by motorways to focus its energy on the most delicate tasks. The door is wide open to errors and omissions.

The solution would be to hire extra staff, temporarily in the case of seasonal activity, or permanently in the case of continuous overload. And then you’re faced with the question of profitability. It’s up to you to calculate the cost of an additional resource versus the cost of a cyber attack. This is what we call risk management. This question is all the more vital if the role in question handles your company’s sensitive data.

🙄By the way,

Are you sure to be fully aware of your company’s sensitive data?

Do you know how to prioritise it?

🤨 Any doubts? We have the resources.

Barrier 2 – Lack of interest

Generally, a lack of interest is the result of a lack of understanding of the value of what is being offered. In other words, employees don’t see the direct impact of cyber barriers on their work. Worse still, they see it as a detriment to their performance, even wondering whether cyber measures might not be another way of penalising them to justify dismissal. The level of mistrust or circumspection is intimately linked to the corporate culture you have distilled.

Whatever it is, transparency is the key here. The aim is to prove that it is in everyone’s interest not only to adopt cyber-barrier measures but also to discipline themselves to be vigilant. If a cyber-attack occurs, jeopardising the future of the company and therefore its jobs, it is clear that the interest will be there. Nor should you hesitate to repeat the message, in different forms and with supporting examples.

🧐Running out of time and ideas to create and distil your messages? Oz’n’gO can help.

Barrier 3 – Too much information kills information

If you come to your teams with a pile of documents to absorb or long hours of training, you can well imagine that you will be met with an entirely human reaction of rejection. Your employees will see it as a new workload. Which means a loss of performance. Don’t drown them.

Ideally, you should communicate clearly, simply, gradually and, above all, concretely. Draw up a training and instruction plan that is staggered over time and adapted to :

the roles (from the most critical to the least critical, specific training for particular professions – finance, marketing, HR, etc.)
the skills of your employees (some are more at ease with the cyber or technological approach than others)
the rate at which instructions and information are absorbed
the threats to the company.

Don’t forget to present your plan to your teams, so that they can see how they are progressing.

🆘 Need Help 🆘

define a map of roles at risk, a training plan…

Barrier 4 – Lack of management involvement

It may seem like a truism, but often the most basic things are forgotten or neglected. It is imperative that management leads by example, otherwise employees will not follow. Share your cyber experience with your employees. Take an interest in theirs. Share.

Barrier 5 – Cognitive bias

Cognitive and algorithmic biases can slow down the adoption of good cyber security practices. Some employees may fall victim to overconfidence (‘it won’t happen to me’), optimism bias (‘our current protections are sufficient’) or the anchoring effect (‘we’ve always done it this way’). These biases lead people to underestimate the risks and delay the adoption of safety measures. Similarly, cognitive overload can prevent employees from assimilating complex cybersecurity instructions.

The solution? Make your teams aware of these cognitive biases, and communicate using short, visual and progressive messages that facilitate understanding and commitment. And finally, adapt your messages according to the biases you have identified.

TOP

creating a cyber culture

One-off training is not enough. To ensure that your employees really learn the right reflexes, it is crucial to create an internal culture of cyber security. This cyber culture is not just the preserve of large organisations. All businesses, even SMEs and VSEs, can create their own, with resources within their reach.

Cyber security is not just a question of resources, but also of creativity.

Here are some practical suggestions that are easy to put in place. But first, a few basic principles:

Avoid the blame game, but reward results. Your teams already have enough pressure on their shoulders. Adding more pressure is counter-productive. It’s much more pleasant and stimulating to be rewarded for your achievements. What’s more, it creates a buzz, especially if there’s a reward at stake (gift cards, extra days’ holiday, a voucher for a restaurant, etc.).
Use regular communication, such as special meetings to create habits and build trust by keeping people informed about the progress of programmes and their results.
Management involvement from the top. Particular attention is paid to the messages conveyed by the CEO, whose actions demonstrate the importance of the programmes deployed.
Give priority to experience and fun. You learn more through experience, and even more by having fun.

Make cybersecurity
concrete, lively, simple

The annual simulation

Obviously, the first idea that comes to mind is simulations ( phishing, malware, website takeover, data theft, etc.) under real conditions. They are based on real scenarios. As a rule, companies should carry out at least one simulation a year, rather like fire drills. It’s not certain that an annual exercise will help you to adapt good reflexes. It simply highlights areas for improvement.

But beyond these simulations, which are always intense and fun to go through, there are a multitude of other small, regular actions to undertake.

Table-top exercises, cyber war game, red-team vs blue team, etc.

Our experts are ready to organise a personalised session

Small streams become great rivers of cyber resilience

Here are a few ideas to explore on a weekly or monthly basis.

End the week on a cyber-fun note

In some companies, the end of the week is celebrated with a convivial moment, within the company or in a neutral location, where you can taste wines, discover a social activity, sporting or otherwise (a game of pétanque, darts, etc.). In short, a ‘happy hour’, a moment of relaxation with informal conversations, ideal for open questions.

Managers can ask employees for feedback on their cyber experience, encouraging them to ask questions, make comments or suggest initiatives.

Another idea is to show them a short video that is funny but has a basis of truth about cyber security.

There are also comic books about cyber security, which employees could even show to their children. After all, cybersecurity doesn’t stop at the company gates.

🙏🏻 Need a list of comics? 🙏🏻

“The Thrilling Adventures of Lovelace and Babbage” (Sydney Padua) – A humorous comic strip about the alternative history of two computer pioneers. It takes a playful approach to concepts relating to programming and computer security.

“Hacktivist” (Alyssa Milano, Collin Kelly, Jackson Lanzing, illustré par Marcus To) – This comic follows hackers who use their skills to fight global injustice. It offers an insight into hacker culture and cybersecurity issues.

“Ctrl+Alt+Del” (Tim Buckley) – centred on video games, this webcomic sometimes tackles subjects related to IT security, particularly online vulnerabilities.

A MONTHLY MEETING, CYBER style

During your monthly presentation of the company (results, customers, etc.), why not include a ‘cybersecurity’ item in the agenda, where you can:

report on the monthly results of current cyber programmes or training courses vs. the objectives set
report on improvements made to the cyber security infrastructure and the impact on internal processes
praise champions or initiatives, with cyber rewards on offer
give examples of companies or employee testimonials.
and so on.

Good tools and simplified processes

Employees often adopt bad practices out of convenience or because they lack the right tools.

You know the saying, ‘you can tell a good craftsman by the quality of his tools’. Be a good craftsman for your employees by providing them with good, easy-to-use tools and by implementing simplified work processes.

Some of these tools will seem obvious to you, but there’s no point in repeating them here.

password managers

Hackers, who are aware of human biases and the (bad) habits of everyone, automate their password cracking system. Their programmes run on a 24-hour loop, constantly testing different combinations. An 8-character password, made up of numbers, letters and special characters, can be cracked in a few hours.

A password manager, a kind of online safe, is essential. There are plenty of them available. Some are free, others you have to pay for. Here is the list of the best in 2025.

MFA or Multi-Factor Authentication

When you know that a simple double authentication can prevent serious hacking attempts, it’s obvious to take a closer look at multi-factor authentication (MFA).

MFA is a security method that requires the use of several factors to verify a user’s identity. These factors are generally classified into three main categories:

Knowledge factors: What the user knows, such as a password or PIN.
Possession factors: What the user has, such as a smartphone, smart card or security token.
Inherent factors: What the user is, including biometric characteristics such as fingerprints, facial or voice recognition.

Reporting process

A ‘Report an incident’ button integrated into the messaging software.
A dedicated email address ‘incident@entreprise.com’or‘security@entreprise.com’ for example.
An automatic form to be filled in with the basic information to be provided + emergency measures (see below).
Collaborative platforms such as Teams and Slack for alerting incidents and providing follow-up information.
Internal cybersecurity hotline
Secure reporting portal (via ServiceNow, Jira, etc.)
Mobile reporting application (for companies with in-house applications)
WhatsApp group(s)
A reminder of the emergency measures in the form of a poster applied to each workstation or a reminder message at the start-up of each PC, indicating the basic elements to be notified when reporting and the first emergency measures to be applied if the PC is infected.

Basic elements to be notified when reporting:

Date and time of detection
Description of the incident (what was observed)
Perimeter affected (workstation, server, application)
Immediate action taken by the employee

First emergency measure if the PC has been infected: UNPLUG IT.

Free tools for analysing suspicious files:

VirusTotal → to check suspicious files
Have I Been Pwned → to check compromised email addresses

Behavioural toolkits

The use of AI – it is imperative that employees understand what AI is, its benefits and pitfalls. Good information and guidelines on its use (what is and isn’t allowed) are based on the framework set by management. You will avoid what are known as ghost tools, i.e. applications that your employees install or use without your knowledge.

good cyber practices for teleworking (also applicable to people who have to travel frequently) – securing devices, reminding people of cyber threats and countermeasures, organising the workspace, emergency measures, etc.

Change management – This may seem superfluous, but don’t forget that AI and the constant evolution of cybercrime mean that processes, habits and tools have to change regularly. It is advisable to make your employees aware of the need for change management.

Initiatives to involve employees, give a sense of responsibility

Employees need to understand that they play an active role in protecting the company. Below are a few ideas for sharing, valuing and playing.

INITIATIVE	OBJECTIIVES	DETAILS
Ambassadors Program	– Facilitate the sharing of information and best practice – Feed back the most recurrent and relevant requests and questions – Coordinate the distribution of internal messages	Example of an ambassador programme: – Select volunteer employees in each department. – Provide them with advanced training on cyber risks and best practices. – Give them responsibility for relaying information and acting as a point of contact for their colleagues. – Organise monthly meetings to share updates and feedback. – Reward the most committed ambassadors with benefits or public recognition.
Cybersecurity Championship or Hackatons	– Valuing the most cyber-savvy/resilient employees – Create a healthy emulsion – Involve employees in the cyber security strategy	What could be more fun than a championship with different events? A sort of internal Olympics with quizzes, challenges and games. Example of a hackathon: A cybersecurity hackathon can last a day and include several challenges such as detecting phishing emails, analysing flaws in fictitious systems, or creating automated scripts to improve security. The winning teams can receive rewards and have their solutions tested in-house.
Cyber- Onboarding	Incorporating cybersecurity into the first steps of new employees	Create a ‘cybersecurity’ section in the internal regulations and include cybersecurity awareness training as part of the induction process.

More about Oz’n’gO

More about Oz’n’gO services

benefits of a cyberculture

cybersecurity, cyberattack, crisis communication, crisis management, data theft, reputation

TOP

Download the guide to setup or improve your internal cyber-communication.