The ECS Kit was developed by the National Security Coordination Secretariat with the support of the Singapore Business Federation and the Cyber Security Agency.
A 2015 dipstick survey by the Singapore Business Federation (SBF) of 319 companies showed that while 98% claim concern about the vulnerability of their business to a cyber-attack, only 39% of them invest in the three aspects of preparedness: hardware, software and peopleware.
Of the three aspects, studies have repeatedly shown that “peopleware” is often the biggest factor behind cybersecurity incidents:
However, “peopleware” is often overlooked as a company strives to ensure that its hardware and software are up-to-date. The SBF dipstick survey reveals that only about 20% of businesses regularly conduct training for their employees on cybersecurity. As such, to properly tackle the “peopleware” aspect of cybersecurity, experts recommend employee education. This kit is a free web-based resource to help companies in their employee cybersecurity education efforts.
The ECS Kit was designed based on the Transtheoretical Model (TTM) of Behavioural Change by Prochaska and DiClemente (1983), to guide employees through the steps that will create positive habit change pertaining to cybersecurity. The Kit takes employees through the five stages of behavioural change in the TTM:
There are two levels in the Kit. Level 1 is for companies which wish to better prioritise their cybersecurity employee awareness efforts and/or face resource constraints, and covers the first three stages of behavioural change. Level 2 is for companies which wish to further their existing cybersecurity agenda and/or are able to set aside more resources. It covers all five stages of behavioural change.
The kit has been designed to make the usually abstract or complicated topic of cybersecurity more accessible and relatable to users.
The ECS Kit contains:
The ECS Kit is available FREE on the Singapore Business Federation microsite.
You do not need to create an account, log in, or give any details in order to access the ECS Kit.
Any company which wishes to further their cybersecurity agenda and “human-proof” their company’s cybersecurity is welcome to use the ECS Kit. There are no restrictions on the usage of the kit.
At the homepage, scroll down to find out more about why employee education on cybersecurity is important and click on the ‘Take Quiz’ button at the bottom. This will take you to a quick assessment quiz on your company’s cyber-readiness level. It is recommended that for maximum accuracy, a representative from each key department in the company (i.e. IT, HR and the Communications departments) sit together to complete it.
Once completed, the quiz will automatically show you the corresponding level for your company to execute. You will then see all the tools in your level available for your download. Start with the roll-out plan for your level and don’t forget to read the description of each tool before downloading and executing.
For a visual reference, watch the demonstration video.
The ECS Kit will be most effective if representatives from each of the following departments are put in charge of planning and rolling it out:
These representatives will also require support from the following departments:
The material available on the website and in the ECS Kit is available FREE to all companies who wish to embark on or reinforce their employee engagement on cybersecurity. While companies are free to use the tools and information provided, and also recommend the Kit to other companies or clients, they are not to pass off the work as their own and sell it to other parties. When referring other parties to the Kit, companies should cite or credit the internet source: Singapore Business Federation microsite.
The recommended duration for your company’s cybersecurity employee education programme depends on which level you are rolling out. Level 1 should not take more than 4 hours of effort to roll out over 6 weeks, while Level 2 requires between 40-50 hours of effort to execute over 8-10 weeks, and can be extended for a longer period if desired.
The minimum period for the programme to be effective is 6-8 weeks, but if it is extended, the effectiveness should increase, especially with the action-oriented tools in Level 2: the Employee Advocacy Programme and the Employee Cybersecurity Challenge. For some of the tools in both levels, your company also has the option of using the editable templates to refresh the tools and their content, which will give you more tools and allow the programme to be extended for a longer period.
Before rolling out the ECS Kit, it is recommended that you take stock of your company’s existing cybersecurity policies and/or measures, to better understand where the Kit can fit into your plans. For example, if your company’s existing policies and measures only concern hardware and software, the Kit will complement them by addressing the “peopleware” aspect of cybersecurity.
If your company’s existing efforts already address “peopleware” in some form, use the Kit in a complementary way. For instance, if you have rolled out your own cybersecurity posters in the office, consider putting up the Level 1 Top Tips or Level 2 Posters alongside, or following on from, the existing material.
Ultimately, the best people in your company that you can consult on how to use the Kit to complement existing policies and measures will be your Communications department. It is recommended to seek their advice before proceeding.
The ECS Kit addresses only the ‘peopleware’ aspect of cybersecurity, so it can run concurrently with what your company is doing with its hardware and software. It will not affect your hardware and software policies and implementation.
The sequence of the steps in the roll-out plans has been designed to follow the stages of the Transtheoretical Model of Behavioural Change, from awareness, to understanding, to action. Hence, it is recommended that companies follow the recommended sequence. For example, awareness should come before action, and not vice versa.
The depth of engagement also gradually increases with the steps as laid out in the roll-out plan, so that employees are not overwhelmed with too much information at the start. For example, the Level 1 Announcement eDM allows leaders to share with employees the company’s focus on cybersecurity and gives them a heads-up on the programme to follow.
However, as the Kit is flexible and designed to be plug-and-play, your company can choose to stagger or adapt the material, so as to prolong the exposure period. You may also choose to omit some material if you feel that it is unnecessary.
Yes, you may! If you start with Level 1, feel free to follow up with Level 2 if you would like to extend the employee education programme for your company. If you have been given Level 2, feel free to check out Level 1 and incorporate any of the Level 1 tools which are appropriate for your company. If you choose to do this, it is recommended to start with Level 1 first, and then progress on to Level 2. Depending on which tools you pick from Level 1, it is recommended to follow the sequence in the Level 1 Roll-out Plan.
The number of employees does not change the way you use the Kit. The Kit has been designed to be applicable to companies of all sizes.
The Kit has been designed to be simple and convenient for use, with the least amount of resources and labour required to be executed. That said, the amount of resources required depends on the level that you are rolling out. Level 1 is designed to be light on resources and should not take more than 4 hours of effort to roll out over 6 weeks. Level 2 is a little more resource-intensive and requires between 40-50 hours of effort to execute over 8-10 weeks. Both levels can be extended for a longer period if necessary.
Indicators of success are: