Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-10-2 – The Cybersecurity Awareness Program Must Be Implemented.
Understanding the Requirement
This control requires an organization to deploy a formal, approved cybersecurity awareness and training program and to operate it in coordination with the team or department responsible for awareness and training. The program should include routine awareness activities (for example, email campaigns and workshops) and an assessment process to evaluate staff cybersecurity knowledge so weaknesses can be identified and addressed. This guidance aligns with the Essential Cybersecurity Controls (ECC – 2 : 2024) framework and is focused on turning policy into repeatable awareness and training practices that reduce human-related risk.
Technical Implementation
- Appoint a program owner and governance: Designate a responsible person (or vendor lead) and document roles, scope, budget, and approval for the awareness program. Ensure the program is formally approved by senior leadership and tied to measurable objectives (e.g., reduce phishing click rate by X% in 12 months).
- Develop a baseline curriculum and schedule: Create core modules covering phishing, password hygiene, data handling, remote work security, and device protection. Deliver a mix of monthly micro-lessons (short emails or videos) and quarterly longer workshops or webinars. Integrate mandatory onboarding training for new hires and annual refresher courses for all staff.
- Run realistic phishing simulations and assessments: Use controlled phishing campaigns to measure real-world susceptibility. Track click and credential submission rates, time-to-report, and repeat offenders. Use assessment results to assign targeted remediation training to individuals or teams who show weaknesses.
- Use role-based and function-specific content: Provide advanced training for high-risk roles (finance, HR, system admins) and simplified reminders for low-risk staff. Include hands-on exercises for IT staff (patching, secure configuration), and policy-focused sessions for executive and non-technical staff.
- Measure effectiveness and iterate: Define metrics (phishing click rate, time-to-report, training completion rate, post-training knowledge quiz scores) and report monthly to leadership. Use those metrics to refine content, frequency, and delivery methods. Retain records of completion and assessment outcomes to demonstrate compliance.
- Operationalize reporting and continuous improvement: Create a remediation workflow for employees who fail assessments: assign mandatory retraining, require supervisor acknowledgement, and follow up with new simulations. Schedule an annual program review with stakeholders to update topics and validate alignment with changing threats and business processes.
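The metrics and remediation workflow described in the steps above, as an added example that is not part of this guidance or any product: it computes per-campaign click rate, credential-submission rate and median time-to-report from simulation results, and sorts clickers into remediation tiers (single click versus repeat offender or credential entry). Campaign names, users, timings and the threshold are constructed assumptions.

```python
# Added example: computes the phishing-simulation metrics named above (click rate,
# credential-submission rate, median time-to-report) and triages clickers into
# remediation tiers. All campaign names, users and timings are constructed.
from statistics import median

# Constructed results: (campaign, user, clicked, submitted_credentials, minutes_to_report or None)
EVENTS = [
    ("Q1", "alice", False, False, 5),
    ("Q1", "bob",   True,  True,  None),
    ("Q1", "carol", True,  False, 40),
    ("Q1", "dave",  False, False, None),
    ("Q2", "alice", False, False, 3),
    ("Q2", "bob",   True,  False, None),
    ("Q2", "carol", False, False, 12),
    ("Q2", "dave",  True,  True,  None),
]

def campaign_metrics(events, campaign):
    """Per-campaign metrics to report to leadership; rates are fractions of emails sent."""
    rows = [e for e in events if e[0] == campaign]
    sent = len(rows)
    reports = [e[4] for e in rows if e[4] is not None]
    return {
        "sent": sent,
        "click_rate": sum(e[2] for e in rows) / sent,
        "submit_rate": sum(e[3] for e in rows) / sent,
        "report_rate": len(reports) / sent,
        "median_report_min": median(reports) if reports else None,
    }

def remediation_plan(events, repeat_threshold=2):
    """Assign a remediation tier to each user who clicked:
    'refresher' - clicked once, no credentials entered -> short targeted module
    'escalate'  - clicked in >= repeat_threshold campaigns or entered credentials
                  -> mandatory retraining, supervisor acknowledgement, follow-up simulation"""
    campaigns_clicked, submitted = {}, set()
    for campaign, user, clicked, sub, _ in events:
        if clicked:
            campaigns_clicked.setdefault(user, set()).add(campaign)
        if sub:
            submitted.add(user)
    return {
        user: "escalate" if len(camps) >= repeat_threshold or user in submitted else "refresher"
        for user, camps in campaigns_clicked.items()
    }

if __name__ == "__main__":
    for c in ("Q1", "Q2"):
        print(c, campaign_metrics(EVENTS, c))
    print(remediation_plan(EVENTS))
```

Feeding real simulation exports into EVENTS gives the monthly dashboard figures; users who never clicked (here alice) stay out of the remediation plan.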
Example in a Small or Medium Business
BrightWave Accounting, a 45-person firm, created a simple, budget-conscious cybersecurity awareness program led by the operations manager and a part-time external trainer. After leadership approval, they produced a one-page training plan that included monthly awareness emails, a 45-minute quarterly workshop, onboarding training for new hires, and semi-annual phishing simulations. The firm used a low-cost learning platform to deliver short modules and track completion; employees who failed the phishing test were automatically assigned a targeted 20-minute refresher module and their managers were notified. Finance and payroll staff received extra training on invoice fraud and secure file transfer procedures. Results were measured with a dashboard showing training completion, phishing click rates, and time-to-report; within six months the phishing click rate dropped by 60% and reporting of suspicious emails increased. BrightWave reviews the program annually, updates content when new threats appear, and documents outcomes to show auditors and the board that the awareness program is active and effective.
Summary
Implementing Control 1-10-2 means formalizing a cybersecurity awareness program: designate ownership, deliver regular and role-specific training, evaluate staff knowledge through assessments and simulations, and close gaps with targeted remediation. Combining clear policy, measurable training activities, and continuous improvement creates both demonstrable compliance and a sustained reduction in human-driven security risk for SMBs.