We recently started a journey of awareness and training related to information security and GDPL with all our employees. The platform chosen to support us was Hacker Rangers! With the help of this partner and the employee’s engagement, we began to reap many good results related to data protection here at Convenia. Throughout this article, I will point out the challenges encountered, some positive changes, and the results reflected in our company’s day-to-day activities.
Initial analysis
To understand where we were, I relied on a phishing test done by another platform a few months before we started this new training format. In this test, the percentage that employees clicked on the simulated phishing was 35%.
In addition to this being a very expressive number, we noticed that employees did not consume quality content concerning good information security practices, much less in an adequate way. As a consequence, there was difficulty in achieving an assertive awareness, which reflected safe habits in everyday life.
Initial challenges
We encountered some challenges in implementing our awareness program. I think it’s worth noting two:
-> The first was the difficulty of maintaining employee engagement. Generally, cybersecurity content tends to be boring, not very interactive, and full of more technical language. In this way, it becomes difficult to “hold” the attention of employees who are not used to some terms on the subject.
-> The second challenge encountered right at the beginning of the journey was the difficulty of carrying out mass phishing tests. Most platforms offer a “locked-in” model, which we cannot change, or which always lands in spam in the email box. This ends up not only making the test execution difficult but also masking the real result.
Hacker Rangers to the rescue!
After identifying these challenges, we started a partnership with the Hacker Rangers platform, which offers content about cybersecurity and GDPL more lightly, with short courses and easy-to-understand language.
But the main thing is that it allows us to create a gamified competition cycle, which ignites a spirit of competitiveness and keeps employees engaged throughout the season, which lasts 12 weeks.
This tool was also able to help us with the phishing test issue since the platform is entirely interactive and gives us the option to edit the email the way we want. Furthermore, if the user interacts with the message, such as by clicking on the email or submitting data, he is automatically directed to a page that warns him that he has fallen into a simulated phishing test, which also presents some guidelines so that this does not happen again.
The idea in our phishing test is not to harm or deceive our employees but rather to measure our degree of maturity in security and, above all, to train them not to fall into real phishing, as this type of scam grows scary day after day. And having resources to send personalized emails with our visual identity and with the domain closest to ours helps us a lot in this task of awareness and training for real situations.
After just over 3 months, we started reaping the results of this awareness and training program. As mentioned earlier, in our last phishing test conducted before the start of this program, the contributor click-through rate was 35%. In the most recent test, after starting awareness with Hacker Rangers, we were able to bring that rate down to 6.4%. We know that in a phishing campaign, there are several subjective factors, but these numbers already give us a north to follow.
The Role of cyber attitudes in Building a human firewall
In addition to a significant improvement in the number of clicks on phishing simulations, what most caught our attention was the change in employee culture. After those three months, when they receive any e-mails that are suspicious or have some strange content before they click on anything, they come to me and ask for guidance or report it as spam and then notify me. The cool thing is that the platform offers a typical tool for this: the so-called “Cyberattitudes,” a space where the employee can give various tips and suggestions and, most importantly, report the security risks identified in the company.
This change was what we really expected. A culture change is the creation of a “human firewall” because if everyone is engaged and consuming quality knowledge, everyone will be prepared to identify threats, report potential risks, and not fall into scams — not only in the corporate environment but also in your personal life!
This was another important point for us: not only creating more aware employees but more aware people, who share the content learned with their friends and family, spreading this knowledge and increasingly reducing virtual crimes. In the image below, we can see how employees interact and give feedback via Ciberattitudes:
Our goal is to decrease the numbers obtained in the last phishing test. After the end of the season, we invited the entire company to a meeting and, as shown in the image below, we presented the result achieved and gave tips on how not to fall for future phishing tests — and, mainly, for real phishing.
We warn everyone that there are some patterns in attempts at online scams, such as urgent matters or those that require a quick response; miracle products that promise to solve your problems quickly and simply; spelling errors; suspicious attachments; and, of course, the request for sensitive content.
Certification
We share the idea that our customers are the soul and reason for our existence and always deserve the best. And, aiming to offer this best to them, after our first season, we achieved the White Certified certification granted by Hacker Rangers.
This is a form of recognition for companies that carry out cybersecurity awareness programs in an engaged and positive way, which encourage behavior change at work and in personal life and which, as a result, obtain employees with extensive knowledge of the company’s policies, who actively act to prevent and report incidents.
Our desire now is to keep our employees engaged and increasingly increase the excellence of our program!
Conclusion
After this period of maturation of our program, we realized that an awareness program is essential for any company because, with a well-constructed campaign, we can offer quality content and important information to our employees.
Now, they can analytically reflect on each action to be performed, thus increasing our degree of maturity in security matters. As a result, we were able to offer an even safer product for our customers!
*The content of this article is the author’s responsibility and does not necessarily reflect the opinion of iMasters.
Leave a comment