Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024), Control 1-10-1: A cybersecurity awareness program must be developed and approved. The program must be conducted periodically through multiple channels to strengthen awareness of cybersecurity, cyber threats and risks, and to build a positive cybersecurity awareness culture.
Understanding the Requirement
This control requires an approved, organization-wide cybersecurity awareness program that is run periodically using multiple communications channels to increase knowledge of cybersecurity threats and risks and to cultivate a positive security culture. Practical expectations include executive sponsorship, coordination with HR and internal communications, and a mix of channels and activities (email, workshops, publications, billboards, and a training platform) that together reinforce key behaviors and measurable awareness outcomes.
Technical Implementation
- Create a written awareness plan and get executive approval. Draft a one-page program charter that defines scope, objectives, target audiences (employees, contractors), cadence (monthly/quarterly), channels, and success metrics (training completion, phishing click rate). Present it to Executive Management and obtain documented approval from the designated representative.
- Integrate with HR and onboarding. Make baseline cybersecurity awareness mandatory in new-hire onboarding (first 30 days) and require annual refresher training. Have HR enforce completion by linking training completion to personnel records and performance check-ins.
- Use a mix of channels and a simple calendar. Schedule recurring activities: weekly awareness emails, quarterly 60–90 minute workshops or lunch-and-learns, monthly internal-communications posts, visible posters/billboards in common areas, and an LMS or training platform for on-demand modules. Keep messages short, consistent, and role-specific.
- Run short practical exercises and assessments. Add quarterly phishing simulations, short quizzes after modules, and micro-learning (2–5 minute) videos. Track metrics like click rates, remediation times, and quiz pass rates to identify high-risk groups and topics needing reinforcement.
- Assign roles and simple processes. Form a small governance team (cybersecurity lead, HR rep, internal communications owner). Define responsibilities: content creation, scheduling, delivery, measurement, and executive reporting. Use a shared calendar and a lightweight ticket/issue tracker for improvement requests.
- Measure, report, and improve. Collect completion rates, phishing simulation results, help-desk trends, and a periodic culture survey. Report these KPIs to Executive Management quarterly and adjust content, frequency, or delivery channels based on results and employee feedback.
Example in a Small or Medium Business
BrightWave Creative, a 65-employee marketing agency, appointed the IT manager as the cybersecurity awareness lead and requested an executive sponsor from the COO. They created a one-page program charter that listed monthly awareness emails, a quarterly half-day workshop, onboarding training via an LMS, and visible posters in shared spaces. HR added the mandatory "Security Essentials" module to the new-hire checklist, with completion tracked in the HR system. BrightWave started small: a 5-minute video in the first month, a phishing test in the second month, and a survey to measure employee confidence in the third month. Internal Communications wrote short, engaging email templates and published two success stories in which good behavior prevented incidents. The team reviewed completion rates and phishing results every quarter; when a department showed a higher click rate, they ran an extra workshop tailored to that team's risks. Executive Management received a short quarterly dashboard summarizing completion, simulated-phishing click rates, and suggested next steps, which secured ongoing funding and visible leadership support.
Summary
By documenting and approving a concise awareness program, coordinating delivery with HR and internal communications, using a mix of channels (emails, workshops, posters, LMS), and measuring outcomes (training completion, phishing metrics, surveys), SMBs can meet ECC 1-10-1. The combination of executive sponsorship, role-based delivery, periodic exercises, and continuous measurement turns policy into repeatable, actionable practice and builds a measurable, positive cybersecurity culture.