The ECS Kit was developed by the National Security Coordination Secretariat with the support of the Singapore Business Federation and the Cyber Security Agency.

A 2015 dipstick survey by the Singapore Business Federation (SBF) of 319 companies showed that while 98% claim concern about the vulnerability of their business to a cyber-attack, only 39% of them invest in the three aspects of preparedness: hardware, software and peopleware.

Of the three aspects, studies have repeatedly shown that “peopleware” is often the biggest factor behind cybersecurity incidents:

1. The IBM Cybersecurity Intelligence Index 2014 reveals that 95% of all cybersecurity incidents involved human error.
2. Business security consultancy KCS Group shared research in 2015 that 80% of cyber breaches can be traced to staff working behind the firewall.
3. A study by IT trade association CompTIA in 2015 found human error to be the leading contributor to all security breaches.

However, “peopleware” is often overlooked as a company strives to ensure that its hardware and software are up-to-date. The SBF dipstick survey reveals that only about 20% of businesses regularly conduct training for their employees on cybersecurity. As such, to properly tackle the “peopleware” aspect of cybersecurity, experts recommend employee education. This kit is a free web-based resource to help companies in their employee cybersecurity education efforts.

The ECS Kit was designed based on the Transtheoretical Model (TTM) of Behavioural Change by Prochaska and DiClimente (1983), to guide employees through the steps that will create positive habit change pertaining to cybersecurity. The Kit takes employees through the five stages of behavioural change in the TTM:

1. Awareness: "I've heard of cybersecurity"
2. Desire: "I'm interested to find out more about cybersecurity"
3. Knowledge: "I know and understand more about cybersecurity and its importance"
4. Action: "I will stay up-to-date on cybersecurity and practise good measures"
5. Reinforcement: "I continue to stay up-to-date on cybersecurity and practise good measures"

There are two levels in the Kit. Level 1 is for companies which wish to better prioritise their cybersecurity employee awareness efforts and/or face resource constraints, and covers the first three stages of behavioural change. Level 2 is for companies which wish to further their existing cybersecurity agenda and/or are able to set aside more resources. It covers all five stages of behavioural change.

The kit has been designed to make the usually abstract or complicated topic of cybersecurity more accessible and relatable to users.

The ECS Kit contains:

1. Assessment Quiz to help you determine your company’s cyber-readiness level.
2. Resource Library that offers a range of avenues that can be tapped on to refresh the Kit content for subsequent runs.
3. Practical guides on how to use the communication tools available in Levels 1 and 2 to keep employees informed and encourage them to practise cyber safe behavior.

Level 1 Tools
• Roll-out Plan to help you roll out all Level 1 tools
• Management Buy-in Deck and Guide to help you get support and alignment from the management team on rolling out the Kit
• Announcement eDM in an editable template to help you announce to employees/colleagues the roll-out of the Kit
• Weekly eDMs and an editable template to interest employees on cybersecurity and show how seemingly simple actions could negatively impact the company
• Top Tip Stickers to remind employees of simple, cybersecurity habits to adopt
• Digital Banner and Thumbnail to place in your internal communications channels

Level 2 Tools
• Roll-out Plan to help you roll out all Level 2 tools
• Management Buy-in Deck and Guide to help you get support and alignment from the management team on rolling out the Kit
• Town Hall Guide to help you set up a face-to-face meeting with employees/colleagues to share the company’s commitment to cybersecurity
• Personality Quiz for employees to take and understand how cyber-ready they really are
• Posters to be put up around the office to increase employees’ understanding of cybersecurity
• Employee Advocacy Programme Guide to help you create your own cybersecurity advocates within the company
• Employee Challenge Guide to help you set up a cybersecurity “fire-drill” for your employees/colleagues

The ECS Kit is available FREE on the Singapore Business Federation microsite.

You do not need to create an account, log in, or give any details in order to access the ECS Kit.

Any company which wishes to further their cybersecurity agenda and “human-proof” their company’s cybersecurity is welcome to use the ECS Kit. There are no restrictions on the usage of the kit.

At the homepage, scroll down to find out more about why employee education on cybersecurity is important and click on the ‘Take Quiz’ button at the bottom. This will take you to a quick assessment quiz on your company’s cyber-readiness level. It is recommended that for maximum accuracy, a representative from each key department in the company (i.e. IT, HR and the Communications departments) sit together to complete it.

Once completed, the quiz will automatically show you the corresponding level for your company to execute. You will then see all the tools in your level available for your download. Start with the roll-out plan for your level and don’t forget to read the description of each tool before downloading and executing.

For a visual reference, watch the demonstration video.

The ECS Kit will be most effective if representatives from each of the following departments are put in charge of planning and rolling it out:

• HR understands employees the best; is usually in charge of sharing the company’s IT and/or cybersecurity policies with new hires during their orientation; and typically arranges for employee education, training, advocacy programmes and development.
• IT understands the cyber-readiness level of the company and employees. They can also provide technical expertise for the Level 2 Advocacy Programme and Employee Challenge.
• The Communications team will be the most familiar with engaging internal stakeholders and adapting the toolkit material for roll-out.

These representatives will also require support from the following departments:

• The Finance team can help to translate risk or benefit into a dollar value. They understand the operational costs of the company and is able to offer advice on the scenario analysis of the Management Buy-in Deck.
• Management can expedite implementation of the employee awareness program by identifying suitable leaders to spearhead the initiative and reserving an appropriate budget to implement the program properly.

The material available on the website and in the ECS Kit is available FREE to all companies who wish to embark on or reinforce their employee engagement on cybersecurity. While companies are free to use the tools and information provided, and also recommend the Kit to other companies or clients, they are not to pass off the work as their own and sell it to other parties. When referring other parties to the Kit, companies should cite or credit the internet source: Singapore Business Federation microsite.

The recommended duration for your company’s cybersecurity employee education programme depends on which level you are rolling out. Level 1 should not take more than 4 hours of effort to roll out over 6 weeks, while Level 2 requires between 40-50 hours of effort to execute over 8-10 weeks, and can be extended for a longer period if desired.

The minimum period for the programme to be effective is 6-8 weeks, but if it is extended, the effectiveness should increase, especially with the action-oriented tools in Level 2: the Employee Advocacy Programme and the Employee Cybersecurity Challenge. For some of the tools in both levels, your company also has the option of using the editable templates to refresh the tools and their content, which will give you more tools and allow the programme to be extended for a longer period.

Before rolling out the ECS Kit, it is recommended for you to take stock of your company’s existing cybersecurity policies and/or measures, to better understand where the Kit can fit into your plans. For example, if your company’s existing policies and measures only concern hardware and software, the Kit will complement by addressing the “peopleware” aspect of cybersecurity.

If your company’s existing efforts already address “peopleware” in some form, use the Kit in a complementary way. For instance, if you have rolled out your own cybersecurity posters in the office, consider putting up the Level 1 Top Tips or Level 2 Posters alongside, or follow on from, the existing material.

Ultimately, the best people in your company that you can consult on how to use the Kit to complement existing policies and measures will be your Communications department. It is recommended to seek their advice before proceeding.

The ECS Kit addresses only the ‘peopleware’ aspect of cybersecurity, so it can run concurrently with what your company is doing with its hardware and software. It will not affect your hardware and software policies and implementation.

The sequence of the steps in the roll-out plans have been designed to follow the stages of the Transtheoretical Model of Behavioural Change, from awareness, to understanding, to action. Hence, it is recommended for companies to follow the recommended sequence. For example, awareness should come before action, and not vice versa.

The depth of engagement also gradually increases with the steps as laid out in the roll-out plan, so that employees are not overwhelmed with too much information at the start. For example, the Level 1 Announcement eDM allows leaders to share with employees the company’s focus on cybersecurity and gives them a heads-up on the programme to follow.

However, as the Kit is flexible and designed to be plug-and-play, your company can choose to stagger or adapt the material, so as to prolong the exposure period. You may also choose to omit some material if you feel that they are unnecessary.

Yes you may! If you start with Level1, feel free to follow up with Level 2 if you would like to extend the employee education programme for your company. If you have been given Level 2, feel free to check out Level 1 and incorporate any of the Level 1 tools which are appropriate for your company. If you choose to do this, it is recommended to start with Level 1 first, and then progress onto to Level 2. Depending on which tools you pick from Level 1, it is recommended to follow the sequence in the Level 1 Roll-out Plan.

The number of employees does not change the way you use the Kit. The Kit has been designed to be applicable to companies of all sizes.

The Kit has been designed to be simple and convenient for use, with the least amount of resources and labour required to be executed. That said, the amount of resources required depends on the level that you are rolling out. Level 1 is designed to be light on resources and should not take more than 4 hours of effort to roll out over 6 weeks. Level 2 is a little more resource-intensive and requires between 40-50 hours of effort to execute over 8-10 weeks. Both levels can be extended for a longer period if necessary.

Indicators of success are:

• Increase in employees’ awareness and understanding of cybersecurity, as observed through watercooler conversations, casual discussions or simple e-mail surveys.
• IT department reporting a reduction of issues related to lack of cyber savvy or awareness of security threats.
• Good responses or desirable actions resulting from Level 2 Employee Challenges - the fire-drill equivalent for cybersecurity.