Hi Lea, absolutely – there are several ways to simulate a cyberattack or test incident response. You can start relatively simple by just going through a playbook with your core team in a tabletop exercise – kind of like a “what would we do if…” session. That’s a great first step to identify gaps, clarify roles and responsibilities, and test your communication flows. If you want to take it up a notch, you can bring in an external provider to run a more realistic simulation. They’ll often simulate pressure too – by calling stakeholders, sending phishing emails, or creating artificial chaos, just like in a real incident. That stress factor can be really valuable to see how well your processes hold up under fire. Practicing in a live environment doesn’t always mean touching production systems. Many things like decision-making, communication, and escalation can be tested without touching real tech. Just be clear about the scope and set expectations. Happy to share more if needed – feel free to reach out directly. Greetings from Spain, Gordon
Quick correction regarding the lock screen tip: While it can be helpful to show emergency contact information on the lock screen, we don’t recommend displaying sensitive details like the hostname or IP address there. This could unintentionally expose internal information to unauthorized individuals, especially if the device is lost or accessed by someone outside the company. Instead:
• ✅ On the desktop background, it’s perfectly fine to include the device name, IP address, and other helpful technical info – as long as the user is already logged in.
• 🚫 On the lock screen, it’s best to limit the message to IT emergency numbers or basic guidance only (e.g. “In case of IT emergency, call [number]”).
Better safe than sorry when it comes to potential information leaks 😉
I’m sitting on a train right now, so sorry if it doesn’t look as professional as it normally would 😉 My recommendations – straight from real-life experience:
📞 1. Set up an easy-to-remember IT emergency number
Choose something simple like 123 123 or 4444 – easy to remember in stressful moments. This should be the go-to number for reporting urgent IT or cybersecurity issues.
⸻
🧭 2. Integrate this number into key processes
• Include it in your onboarding process so every new hire knows it from day one
• Place small posters or stickers in central office areas: meeting rooms, printers, coffee stations, elevators, restrooms, smoking areas etc.
• Add it to the email signatures of the IT team
• Show it on desktop backgrounds or lock screens, ideally with device info (hostname, IP address) and simple guidance for emergencies
⸻
📱 3. Make sure contacts are available on company phones – even in emergencies
• Sync key contacts (IT emergency, support) locally to the phone’s address book so they remain available even if the user’s AD account is locked
• Use MDM tools (e.g. Intune) to push those contacts separately if needed
⸻
✅ 4. Give employees clear instructions for what to do
Most people don’t know when something is a real emergency. A simple guide like this helps:
What to do in case of a suspicious email or incident:
• Suspicious email, but no click: Use the phishing button or report it to abuse@[yourdomain]
• Clicked a link, but entered nothing: Use the phishing button and send a quick note to IT
• Entered credentials, opened a file, or account got locked: 👉 Call IT immediately!
• Suspected malware or strange device behavior: 👉 Call IT immediately and stop using the device
Bonus tip: Create a simple “I clicked – now what?” checklist available on paper, the intranet, or in handout format.
⸻
🎯 5. Raise awareness with creative ideas
• Run a phishing escape room or live simulation to make it stick
• Organize Cybersecurity Weeks once or twice a year with real cases and interactive sessions
• Use practical giveaways like mugs, pens, or stickers with the emergency number or fun slogans like “Don’t feed the phish”
Yes I do … I’ll run 😂
Hi Melissa, last week we experienced an attempted CFO fraud, which was successfully prevented thanks to the awareness of our employees. Would something like this be of interest for this section?
To be honest: no, it hasn’t been an easy journey. Cybersecurity and awareness aren’t exactly topics that naturally spark enthusiasm in a company, especially when you’re trying to build something strategic and long-term. Initially, it’s all about costs, without any immediately visible benefit. It’s an investment in prevention, and that’s hard to grasp until something actually happens. There are also ongoing internal challenges. One of them is working with our marketing department, who often criticise my designs for not fully aligning with our corporate branding. I understand their perspective, but I’m creating content for users, not for advertising campaigns. If we want people to engage with awareness materials and actually enjoy them, we need some creative freedom. A generic template just won’t catch anyone’s attention anymore. We’re still far from the kind of “cybersecurity awareness culture” I’m aiming for … where security becomes as natural as grabbing your morning coffee. Many colleagues are now genuinely engaged, contribute ideas and keep learning more on their own. But there are still others who simply don’t care at all. The real challenge is figuring out how to get them on board in the long run. Not through pressure, but by making it relevant and appealing. I’d love to hear how others are approaching this in their own organisations.
René K., thank you for your kind feedback! Each episode focused on a specific topic that was relevant to our everyday work environment. Always with the goal of making it practical and easy to understand for non-tech colleagues. Some of the topics we covered included:
• Phishing and Social Engineering (e.g. how attackers trick you into giving away information)
• Dangerous USB devices like Rubber Ducky sticks
• Home office security and how to protect your home network
• Ransomware threats and how modern attacks are put together
• And even parental control software to help employees protect their kids online
We always tried to keep things accessible and sometimes even humorous, because we wanted people to feel informed, not intimidated or even bored. Another important element was relating each topic to our employees’ personal lives. We wanted the episodes to feel useful beyond the workplace, so I would usually end each interview with the same question: “Do you have any tips that our colleagues can apply at home?” This helped make the content even more relatable and actionable. One expert, for example, pointed out how convenient smart locks can be, but also explained why they can pose a serious security risk, especially if not properly configured or secured. As for broader awareness efforts: Until recently, we created our phishing simulations manually in Microsoft Defender, which was quite time-consuming. The emails worked well technically, but we noticed that the training content behind them lacked depth. Now that we’ve switched to SoSafe, we not only get high-quality phishing simulations but also engaging and professional learning videos that follow each click. Because in the end, it’s not about triggering clicks, it’s about turning them into meaningful learning experiences. That’s where SoSafe really adds value. We also try to integrate a short quiz into every awareness activity, whether it’s after a video, a presentation, or so on.
And we regularly reach out to our suppliers to sponsor small prizes that we can hand out to participants. This adds a fun incentive and helps boost participation. In addition, we are currently planning a Cybersecurity Awareness Week. The exact date is still to be determined, but it will include live speakers, escape rooms, and interactive challenges to raise engagement across the company. And we’re also using creative physical reminders to keep the topic present in everyday work life: We’ve placed roll-ups at different spots across the company with our key messages. We designed custom gummy bear packs that promote our new cyber security awareness hashtag #StrongerTogether. And we even produced fortune cookies with 25 unique cybersecurity messages inside. Our sweets are distributed at random times in the cafeteria, at our reception, or meeting zones. Just to keep the topic top of mind in a playful way. To make individual efforts in cybersecurity awareness even more visible and valued, we’re currently working on a custom “trophy block” system that employees can place on their desks. For specific cybersecurity-related tasks, employees will receive small trophies that they can proudly display on their blocks. For example, all 123 participants of the internal podcast quiz will receive a trophy. The ten employees who achieved the maximum score will even get a special version with a different colour or design. We’ll also create trophies based on achievements within SoSafe, such as earning medals, and for other activities like participating in our upcoming cybersecurity escape room. The idea is to gently encourage friendly competition across departments. If, say, a manager from HR visits the finance department and sees their employees have far more trophies, the hope is that they’ll motivate their own team to catch up by taking part in more trainings. It’s a fun, visual way to create momentum and internal awareness benchmarking – without pressure, just motivation. 
The biggest win, however, isn’t just that people talk more openly about cybersecurity. What’s even more powerful is the behavioural change we’re seeing. Employees now correct each other when someone forgets to lock their screen. They reach out proactively to the IT team when they’re unsure about a suspicious email, a link, or a USB stick. That shift in mindset is something we’re really proud of. From the very beginning, we also made it clear that our goal is not to blame people for mistakes. We encourage everyone to report incidents early and openly, even if they feel they’ve made a mistake. Because hiding an incident would only make things worse. We’ve worked hard to build a culture where it’s okay to make mistakes (as long as they’re not intentional) and where people know they can always come to us without fear of punishment.