Employees at the Barcelona City Council experienced a jolt this morning when a video simulating a full-blown data hijacking suddenly took over their computer screens. This surprise interruption was not the work of malicious actors, but a deliberate and dramatic first step in a new internal campaign aimed at sharpening staff awareness of cyber threats.

Your browser does not support the video tag.

The simulated ransomware attack, which appeared to encrypt files and lock out users, affected a large portion of the municipal workforce. This startling event launched an initiative aptly named ‘Això no és un joc’ (This is not a game), aimed at reinforcing the city’s digital defences against the increasing proliferation of real-world cyberattacks that threaten public institutions and citizens’ personal data.

A Wake-Up Call with a Purpose

Following the simulated attack, the Municipal Manager, Laia Claverol, dispatched a message to all affected staff. She explained that the exercise was a drill and stressed the critical importance of having the right tools and knowledge to detect and respond correctly to a genuine cyberattack. Ultimately, the council aims to move beyond passive learning, fostering a more resilient and security-conscious workforce.

The campaign comes as public bodies across the region bolster their digital defences. Moreover, this initiative aligns with a broader push for digital security, with the regional government recently announcing a comprehensive €18.6 million cybersecurity strategy for Catalonia to better protect essential public services from disruption.

Three Key Objectives for Staff

According to a report by local news outlet Tot Barcelona, the Barcelona Institute of Innovation and Technology (BIT Habitat) designed the initiative with three core objectives for municipal employees:

  • Awareness: To instil a clear understanding of the need to protect against cyber threats.
  • Knowledge: To familiarise staff with the tools and techniques available to prevent or hinder attacks.
  • Reaction: To provide clear protocols and instruments for responding effectively if an attack occurs.

Gamified Approach to Cybersecurity

Rather than relying solely on traditional training manuals, the council’s Internal Communication Directorate has developed an interactive game. Over the coming weeks, this game will present employees with a series of questions and challenges related to cybersecurity. These scenarios will draw from practical, day-to-day work situations at the Ajuntament de Barcelona, ensuring the training’s direct relevance to their roles.

After each challenge, the platform will provide best-practice recommendations for using common tools like email, WhatsApp, SMS, web browsers, and QR codes, which are frequent vectors for cyberattacks. This “gamified” approach to security awareness aims to be more engaging and effective than conventional methods.

This focus on internal procedure and staff culture reflects the council’s wider efforts to modernise its operations. These efforts also include a recent €106,000 investment in a staff culture survey and a major €9.4 million plan for developing ethical AI. In a statement, the City Council explained that the ‘Això no és un joc’ experience is available to all personnel, encompassing those in district offices and the various management departments, consortia, and institutes under its umbrella.