Views: 13
Summary – In response to the ongoing surge in cyberattacks and human error, any awareness program must be long-term with HR/IT oversight, clear policies, and data protection compliance. Modular training, microlearning, phishing simulations, role-based exercises, and semiannual drills fuel a continuous improvement loop. KPI tracking (click rates, MFA adoption, completion) ensures a sustainable, measurable cyber culture. Solution: executive governance, targeted paths, realistic exercises, and a dynamic dashboard.
In a context of ever-evolving cyber threats, the human factor remains the most vulnerable link. Implementing an awareness program is not a one-off operation but a long-term commitment driven by clear metrics and integrated into HR and IT practices. This investment in the continuous training of every employee becomes the best firewall against phishing campaigns, ransomware, and targeted attacks. Beyond technology, it’s governance, modular paths, realistic exercises, and measurement loops that guarantee a sustainable and effective cybersecurity culture.
Governance & Scope
An effective awareness program relies on strong sponsorship and clearly defined responsibilities. It establishes a clear policy covering workstations, email, passwords, Bring Your Own Device (BYOD), and remote work.
The first step is to engage senior management or the executive committee as the official sponsor. Without visible support from the highest levels, awareness initiatives risk lacking legitimacy and coherence. The steering committee, composed of IT/Security, HR, and Communications representatives, organizes governance and monitors the program’s evolution. To strengthen technical expertise, consult an IT solutions architect.
This formal framework requires drafting an accessible cybersecurity policy written in plain language, applicable to all devices (desktop and mobile), email access, and collaborative tools. It provides clear guidance on password changes, enabling multi-factor authentication (MFA), personal use of corporate devices, and best practices for remote work.
Compliance with the Swiss Federal Act on Data Protection (FADP) and its personal data protection requirements is integrated from the outset. FADP clauses apply at every stage of the program, from training data collection to metrics analysis. This approach ensures employees’ rights are respected while providing the traceability needed for future audits.
Sponsorship & Clear Roles
For an awareness program to be taken seriously, an executive sponsor must be appointed. This role is often assumed by the CEO or CIO, who validates major directions and facilitates resource allocation. The sponsor is also responsible for reporting results to the governing bodies and approving budget adjustments.
Operational management falls to a dedicated project manager, often reporting to the IT department or the security function. This manager coordinates IT teams for the technical deployment of modules, works with HR on training schedules, and collaborates with Communications for internal campaigns.
Cybersecurity liaisons are appointed in each department or business unit. Their mission is to relay messages, encourage participation, and gather feedback. They form a close-knit network that ensures full coverage across the organization.
The governance charter precisely defines these roles: sponsor, program lead, liaisons, and occasional contributors (legal, support, etc.). This structure guarantees clear responsibility distribution and agile implementation of awareness actions.
Simplified Security Policy
The cybersecurity policy should serve as a practical guide rather than a technical manual. Each rule is illustrated with a concrete example, such as: “Change your password every three months and never reuse a previous password.”
The document covers standard usage (email, file sharing), mobile practices (tablets, smartphones), and defines the BYOD scope. It outlines remote work security scenarios: VPN usage, Wi-Fi connections, and automatic data backups.
Publishing the policy on the intranet and including it in the employee handbook during onboarding increases its visibility. Periodic reminders via email or through an interactive intranet keep these rules top of mind.
This evolving policy is reviewed annually or after a significant incident. Feedback from liaisons and performance metrics guide revisions to ensure continuous adaptability.
FADP Compliance & BYOD Scope
Incorporating the requirements of the Swiss Federal Act on Data Protection (FADP) translates into formalizing personal data processing. Every training activity undergoes risk analysis and is recorded in a dedicated register.
The awareness path explicitly mentions employees’ rights: access, rectification, objection, and deletion of data. These rights are explained in the training guide and implemented via internal processes.
Under the BYOD framework, the policy defines access levels according to data classification. Personal devices must be encrypted and undergo basic integrity checks (minimal Mobile Device Management). Any violation triggers an alert and a compliance audit.
Review of FADP clauses is coordinated with the Data Protection Officer (DPO) or in-house legal counsel to ensure the awareness program continuously complies with Swiss law and, where applicable, the EU General Data Protection Regulation (GDPR) for European operations.
Modular Training Path
An effective program combines short, targeted modules tailored to job roles and maturity levels. Onboarding and quarterly refresher sessions ensure continuous learning.
Microlearning & Onboarding
New employees start their journey with a ten-minute module during onboarding. This microlearning covers fundamentals: recognizing a fraudulent email, password best practices, and basic encryption principles.
Using short videos and interactive quizzes, the module captures attention without impacting productivity. Each session generates an instant report on success rates, allowing HR to confirm onboarding completion.
An internal chatbot can then answer common questions in natural language, reinforcing the learning dynamic and reducing the IT support team’s workload.
Content is also available on demand to encourage self review. Employees can refresh their knowledge before a workshop or after a security alert.
Role-specific Practical Cases
Beyond general principles, each department works through concrete examples. The finance team simulates detecting a fake invoice, while procurement handles a case of a request to change banking details.
These role-specific workshops are conducted in small groups and use realistic scenarios based on internal feedback or past incidents. The objective is to embed reflexive behavior within each professional context.
Collaboration between managers and department heads ensures scenario relevance. They adapt practical cases to internal processes and the specific tools used by each team.
Post-workshop evaluations measure impact on participants’ understanding and confidence. Results guide the creation of new cases or the adjustment of existing modules.
Quarterly Refreshers
Regular follow-up is essential to maintain engagement. Each quarter, a new 15-minute module updates knowledge on emerging threats and reinforces best practices.
These refreshers include brief animations, internal incident testimonials, and gamified quizzes. They strengthen the cyber culture while minimizing “training fatigue.”
Participation rates for refreshers are monitored by IT and HR. Insufficient rates trigger automated reminders and additional training intervals, up to a mandatory in-person workshop.
Content is translated into French, German, and English to ensure multicultural coherence. Regulatory differences (FADP, GDPR) are applied according to employees’ country of residence.
Edana: strategic digital partner in Switzerland
We support companies and organizations in their digital transformation
Realistic Exercises
Nothing replaces hands-on experience: phishing simulations, password workshops, and IT hygiene exercises. These scenarios build concrete reflexes.
Phishing Simulations
A mid-sized Swiss industrial company conducted an initial targeted phishing campaign on its procurement department. The initial click-rate was nearly 32%, indicating high exposure.
After two waves of simulations and personalized feedback, the click-rate dropped to 8% in the third campaign. This example shows that realistic scenarios with individual feedback significantly reduce vulnerability to malicious emails.
The campaign is followed by a detailed report to management, highlighting critical areas by team and the most effective message types. These insights guide the next training modules.
The cycle repeats semi-annually, with each new simulation leveraging previous lessons to increase complexity and test reflex development.
Password & MFA Workshops
After the first simulation, hands-on workshops are organized. Employees learn to use an open-source password manager to avoid credential reuse.
A focused module demonstrates passwordless authentication and MFA options: biometric codes, hardware tokens, or secure mobile authenticator apps. Participants handle these tools under supervision.
These workshops highlight tangible benefits: fewer reset tickets, accelerated MFA adoption, and reduced incidents related to compromised passwords.
The preferred approach uses proven, modular, vendor-neutral technologies aligned with the company’s open-source strategy.
Workstation Hygiene
The third exercise type addresses updates and backups. IT teams simulate a workstation failure due to a missing patch and demonstrate best practices for restoring an encrypted device.
Each employee conducts a quick audit of their environment: operating system versions, disk encryption, automatic backups, and critical patches applied.
The session includes open-source scripts to verify compliance with ISO 27001 standards. The goal is to show that hygiene is measurable and automatable.
These exercises foster accountability: teams understand the direct impact of an unpatched workstation on the organization’s overall security.
Alerting & Continuous Improvement
Establishing a single reporting channel and a simplified runbook promotes rapid detection. A monthly dashboard and an ambassador network feed the improvement loop.
Incident management relies on a clear process: a dedicated “Phishing Report” channel accessible via the intranet, which triggers the intervention runbook. This one-page document explains who to contact and the steps to follow.
Alert Channel & Semi-Annual Drills
Every employee has an alert button directly in their email client or via an intranet portal. Centralized reporting ensures all notifications reach the Security Operations Center and the legal team.
A semi-annual table-top exercise brings together IT, Communications, Legal, and the crisis cell to simulate a major event. This drill tests roles, responsibilities, and response times.
The exercise yields internal feedback, highlighting improvement areas and updating the runbook. This practice builds collective memory and strengthens cross-functional coordination.
Thanks to this repetition, reflexes become more fluid and the organization is better prepared for internal communication and crisis management.
Dashboard & KPIs
A monthly dashboard aggregates key indicators: module completion rates, phishing click-rates, average reporting time after simulation, MFA adoption, and incidents prevented.
Data is broken down by team and site to identify the most exposed units. Business leaders receive alerts whenever critical thresholds are exceeded.
Detailed measurement drives a continuous improvement loop: each module is updated based on results and ambassador feedback.
This KPI-driven management justifies investments and demonstrates the program’s concrete impact on organizational resilience.
Culture & Ambassador Network
A network of cyber ambassadors, made up of passionate volunteers, disseminates visual messages: posters, infographics, and thematic videos. Each campaign addresses a specific topic (travel, social networks, fraudulent invoices).
Internal micro-events (flash quizzes, team challenges) maintain engagement and create a community spirit. Participants earn badges or mentions in the internal newsletter.
Ambassadors relay field feedback, propose new scenarios, and enrich training content. They serve as trusted points of contact and promote ownership of the cyber culture.
This organic diffusion gradually embeds cybersecurity into daily professional life, beyond a series of formal modules.
Building a Shared Cybersecurity Culture
By structuring governance, deploying modular paths, multiplying realistic exercises, and measuring your indicators precisely, your organization moves from one-off training to a continuous and effective program. Every link in the chain becomes an actor in cyber resilience.
Expected results in 90 days include a validated policy, a communications kit, a multilingual e-learning catalog, a simulation calendar, incident playbooks, and a dynamic KPI dashboard. You will observe reduced click-rates, increased reporting, and stronger MFA adoption.
Our experts are available to frame your program, provide the appropriate open-source or modular tools, and support you in operational implementation.
