Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-10-3 – The cybersecurity awareness program must cover the latest cyber threats and how to protect against them, and must include at least the following subjects:
This control is part of the Essential Cybersecurity Controls (ECC – 2 : 2024) framework and requires a structured, up-to-date awareness program that maps to specific objectives.
Understanding the Requirement
The control demands an organized cybersecurity awareness program that educates staff about current threats and protective actions, and that explicitly addresses the listed objective items: 1-10-3-1, 1-10-3-2, 1-10-3-3, plus secure use of social media. For an SMB this means producing role-appropriate content (general staff, privileged users, customer-facing teams), keeping materials current with evolving threats (phishing, ransomware, credential stuffing, supply-chain risks), and including practical behaviors such as safe social media posting, identifying suspicious messages, and following incident reporting procedures.
Technical Implementation
- Map curriculum to objectives and roles: create a one-page curriculum that links each learning module to an objective (1-10-3-1 through 1-10-3-3 and social media). Assign an owner for each module (IT manager for phishing/malware, HR for policies, marketing for social media guidance).
- Use a mixed delivery schedule: deploy short monthly microlearning (5–15 minute modules) for general topics and quarterly mandatory longer sessions for high-risk roles. Keep a calendar with reminders and require completion by a set date; automate tracking in an LMS, or in a shared spreadsheet if no LMS is available.
- Run realistic phishing simulations and measurable tests: schedule simulated phishing campaigns quarterly, follow each simulation with targeted remediation training for those who clicked, and track metrics (click rate, report rate, repeat offenders). Use the results to prioritize further technical controls (MFA, tighter email filtering).
- Implement social media guidance and controls: produce concise do’s and don’ts tailored to staff who post on behalf of the company (examples of allowed content, handling DMs, never sharing credentials). Require managers to approve company accounts, and give multiple people access to shared company accounts through a password manager rather than through personal credentials.
- Maintain an update-and-intel cycle: assign a team member to review threat intelligence (vendor alerts, CERT advisories) monthly, refresh learning materials to reflect the top threats (e.g., new ransomware variants, business email compromise tactics), and publish a one-page “What’s new” bulletin to all staff.
- Measure outcomes and integrate with incident processes: define KPIs (training completion %, phishing click %, reports per month) and tie awareness outcomes to incident response (e.g., employees who report suspected phishing get immediate guidance and credit). Use these metrics in quarterly management reviews.
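The phishing-simulation metrics and KPIs described above are simple to compute from the spreadsheet or LMS export the text suggests keeping. The script below is an added example, not part of the original page or of the ECC framework: it reads a constructed export (one row per simulated email, one row per assigned training module), computes per-campaign click rate and report rate, lists repeat clickers across campaigns and the remediation list for a campaign, computes training completion, and checks the latest campaign against target thresholds. The column names, sample data and the 10% click / 50% report targets are all assumptions chosen for illustration.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export of simulated-phishing results (hypothetical columns):
# one row per email sent; clicked/reported are 1 or 0.
PHISHING_CSV = """campaign,user,clicked,reported
2024-Q1,alice,0,1
2024-Q1,bob,1,0
2024-Q1,carol,0,0
2024-Q1,dave,1,0
2024-Q2,alice,0,1
2024-Q2,bob,1,0
2024-Q2,carol,0,1
2024-Q2,dave,0,0
"""

# Constructed sample export of training assignments (hypothetical columns):
# one row per user and module; completed_by_due is 1 if finished before the deadline.
TRAINING_CSV = """user,module,completed_by_due
alice,phishing-recognition,1
bob,phishing-recognition,0
carol,phishing-recognition,1
dave,phishing-recognition,1
alice,social-media-use,1
"""


def load_phishing(text):
    """Parse the simulation export into dicts with boolean clicked/reported."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["clicked"] = r["clicked"] == "1"
        r["reported"] = r["reported"] == "1"
    return rows


def campaign_metrics(rows):
    """Per-campaign click rate and report rate, as percentages of emails sent."""
    by_campaign = defaultdict(list)
    for r in rows:
        by_campaign[r["campaign"]].append(r)
    metrics = {}
    for name, items in sorted(by_campaign.items()):
        sent = len(items)
        clicks = sum(r["clicked"] for r in items)
        reports = sum(r["reported"] for r in items)
        metrics[name] = {
            "sent": sent,
            "click_rate": round(100.0 * clicks / sent, 1),
            "report_rate": round(100.0 * reports / sent, 1),
        }
    return metrics


def repeat_clickers(rows, threshold=2):
    """Users who clicked in at least `threshold` campaigns (candidates for extra training)."""
    counts = Counter(r["user"] for r in rows if r["clicked"])
    return sorted(u for u, c in counts.items() if c >= threshold)


def remediation_list(rows, campaign):
    """Users who clicked in the given campaign and must complete the remedial module."""
    return sorted(r["user"] for r in rows if r["campaign"] == campaign and r["clicked"])


def completion_rate(text):
    """Training completion % across all assigned modules."""
    rows = list(csv.DictReader(io.StringIO(text)))
    done = sum(1 for r in rows if r["completed_by_due"] == "1")
    return round(100.0 * done / len(rows), 1)


def kpi_status(metrics, click_target=10.0, report_target=50.0):
    """Compare the most recent campaign against (assumed) management targets."""
    latest = max(metrics)
    m = metrics[latest]
    return {
        "campaign": latest,
        "click_ok": m["click_rate"] <= click_target,
        "report_ok": m["report_rate"] >= report_target,
    }


if __name__ == "__main__":
    rows = load_phishing(PHISHING_CSV)
    metrics = campaign_metrics(rows)
    for name, m in metrics.items():
        print(f"{name}: sent={m['sent']} click={m['click_rate']}% report={m['report_rate']}%")
    print("repeat clickers:", repeat_clickers(rows))
    print("remediation 2024-Q2:", remediation_list(rows, "2024-Q2"))
    print("training completion:", completion_rate(TRAINING_CSV), "%")
    print("KPI status:", kpi_status(metrics))
```

The report rate is worth tracking alongside the click rate: a rising share of staff who report the simulated message is the behaviour the awareness program is trying to produce, and it feeds the incident process directly, whereas click rate alone only measures failures.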
Example in a Small or Medium Business
A 35-person digital marketing agency implements Control 1-10-3 by naming the IT lead responsible for awareness and a Marketing lead to own social media guidance. They build a curriculum that maps 1-10-3-1 through 1-10-3-3 to short modules: phishing recognition, safe browsing and device hygiene, and secure handling of client data, plus a dedicated module on secure social media use for account-holders and content creators. Employees receive a 10-minute microlearning each month and must complete a 45-minute refresher every six months. The agency runs simulated phishing every quarter and requires anyone who falls for a test to complete an immediate remedial module. Social media account access is moved to a shared, managed credentials system; all posts by client-facing staff follow an approval checklist included in training. The IT lead reviews threat advisories monthly and updates the microlearning when a new phishing campaign or malware family is reported. Management tracks completion rates and phishing click-throughs, reports these KPIs at the monthly leadership meeting, and ties training completion to performance reviews for client-facing staff.
Summary
By defining role-mapped curriculum, delivering frequent short training plus periodic in-depth sessions, running measurable phishing simulations, and creating practical social media rules, an SMB can meet Control 1-10-3. Assigning owners, automating tracking, and maintaining a monthly update cycle ensures content stays aligned with the latest threats. Together, these policy and technical measures produce observable behaviors, measurable outcomes, and a faster, more effective response when threats appear.