Effective cyber-security awareness raising should form part of a broad national strategy. In its report on cybersecurity awareness, ENISA reviewed the strategies of 11 EU Member States and identified that increased dependence on Information and Communication Technology (ICT) generates the need to become more aware of cyber-security and cyber-threats in order to be better equipped to respond.
However, improving cyber-security awareness is not a problem for governments to solve alone. Effective awareness raising within organisations and institutions also contributes to a more robust defence framework for security incidents. This article outlines the scope and recommendations of the ENISA Raising Awareness of Cybersecurity report on national cybersecurity public awareness. It analyses key findings from the report on how educational and training pathways can be improved to deepen the knowledge and skills of professionals, organisations and agencies. It focuses on approaches that organisations can avail of in educating their employees, clients and partners to build resilience against cyber threats.
Methodology and main findings
For the purposes of the study, ENISA analysed the National Cyber Security Strategies (NCSS) of 11 European Member States, considering the work conducted by each state with respect to cybersecurity awareness raising. The study included analyses of the vision of the various national strategies, interviews with national institutions to measure the frequency with which citizens are provided cybersecurity awareness information, and measurements of citizens’ cybersecurity behaviour (e.g., gathering statistics from public questionnaires or surveys, knowledge tests). The report reviews existing cybersecurity awareness raising campaigns and other initiatives to identify good practices in each of the Member States and outlines recommendations for national awareness raising activities.
The principal theme in the drive to raise cybersecurity awareness is devoting resources to educating the wider public about cyber security. Based on the measurements of citizens’ cybersecurity behaviour, stakeholders are encouraged to adapt their awareness-raising campaigns to target a greater range of the general public. Apart from educating the wider public, the report also draws attention to the digital transformation of the educational system as a whole (including young people and professional education) in order to cultivate cyber security awareness from an early stage. This includes, among others, enhancing infrastructure, providing digital equipment, building the digital competence of educational staff, providing computing education and ensuring that students gain a high level of understanding of artificial intelligence. This focus on including cyber security awareness issues in education also aligns with ENISA’s other initiatives in the cyber security domain, more specifically with the European Cybersecurity Skills Framework and the CYBERHEAD – Cybersecurity Higher Education Database.
Despite this focus on national initiatives, the report also includes recommendations that would enable individual government agencies as well as other organisations and institutions to align with these initiatives by enabling staff to increase their cyber-security skills and competencies.
The ENISA recommendations
Based on the data collected and analysed, ENISA outlines a number of recommendations that can be used by other agencies and entities to increase cyber-security awareness. These include building capacities for cybersecurity awareness through regular communications and campaigns, regular assessments of cybersecurity trends and challenges and measuring cybersecurity behaviour.
In the area of building capacities for cybersecurity awareness, ENISA recommends that both public and private actors engage in awareness raising activities to develop more effective campaigns, including enhancing cooperation between public administration and the private sector. On an organisational level, periodic cybersecurity campaigns and workshops might be a solution to improving awareness around cyber-threats (for example, malware, ransomware, phishing and social engineering). This can include monthly cybersecurity awareness raising campaigns to cultivate a cybersecurity culture, which can complement more formal educational initiatives. Regular messaging can aid staff, partners and users in recognising and avoiding risks in the digital space as well as provide guidance in relation to developing and improving their skills in cybersecurity.
In the area of conducting regular assessments of cyber security trends and challenges, ENISA recommends disseminating cybersecurity news and trends in layman’s terms to engage a wider audience. Avoiding overly technical language and encouraging staff, partners and service users to understand how cyber-security issues are relevant can be a good starting point to encourage continuous learning and investments in awareness.
In the area of measuring the cybersecurity behaviour of citizens, ENISA recommends the wider use of tools such as the Eurobarometer to collect valuable and useful data about citizens’ behavioural patterns. This includes patterns of online interaction, as well as analysing aggregated data collected from law enforcement agencies. On an organisational level, data protection and information security professionals can conduct similar assessments of employee activities to understand where to target training or infrastructure investments for the greatest return on investment.
The report provides value not only for national institutions and those who want to understand National Cyber Security Strategies (NCSS), but also for public and private actors wanting to develop their skills in preventing cyber risks, enhance their responsiveness to cyber security incidents and build their cybersecurity resilience. Using this information, organisations can align their own strategies and approaches with the best practices and standards recommended by ENISA, and educate their employees, clients and service users to build resilience against cyber threats.
Trilateral’s Data Protection and Cyber-Risk Team has significant experience consulting organisations and other entities in advanced data management and compliance as well as supporting experts working within research, businesses or regulatory bodies to advance knowledge and practice on responsible data practices. For more information, please feel free to contact our advisers, who would be more than happy to help.