Intelligent CISO Issue 9 - Page 53

going unopened and blogs being ignored, Hield said. This meant that his team couldn’t truly demonstrate that they were training their employees and were therefore non-compliant with regulations that required cybersecurity training, like GDPR.

Hield then changed things up by giving one-hour presentations to staff at different sites, but many did not have suitable locations where he could train everyone at once. He then set up smaller, interactive sessions, where he trained six to eight people at once. This was effective but with 5,500 IT users across 400 plus sites in the UK and Ireland, and a team of around three people, it was not logistically viable.

He started looking into cybersecurity training software and demoed solutions from two leading brands by asking people from HR, finance and IT to try out the different types of training and give him their feedback. Overwhelmingly, the trial users preferred Wombat Security Technologies’ solution because Wombat’s interactive, step-by-step modules were more engaging than the other company’s video-based modules, which end users found overly technical and hard to engage with at their desk.

He said: “Our goal when we develop training is to really make it as approachable as possible. We didn’t want them to be intimidated.”

Hield started implementing Wombat’s solution in May and June 2017. He began his first campaign by sending an introductory email to everyone inviting them to complete mandatory ‘security essentials’ training, as well as letting them know that they could try out other optional training modules.

In the first week, 1,200 modules were completed, belonging to both the compulsory and voluntary module set. Hield gave the company three months to complete the compulsory training and with just a polite monthly reminder, 80% of users completed the training.
He said he was pleased the department leads acted as stakeholders during the campaign, with many asking for a list of names of those who hadn’t completed training so that they could personally incentivise them to do so.

Apart from the resounding success of the compulsory campaign, Hield said he was highly impressed with how many end users completed voluntary training – from June to December 4,120 voluntary modules were completed. 100 staff members even did every module available. Mobile device cybersecurity was a particularly popular voluntary topic.

Hield ran a mock phishing attack on his users during Veolia’s internal Cyber and Physical Security Week – 700 people out of 5,300 email addresses targeted clicked on a link within the email. Because this number was already relatively low, Hield decided to challenge his users during the next mock phishing test. He used an attachment-based simulation and more corporate-looking emails – this saw more people falling for the test who hadn’t before. So, having identified the problem, he applied an instant solution by planning the next mandatory education module to be ‘avoiding dangerous attachments’.

The ROI of the training has been immense, with the equivalent of 250 entire days of training being delivered between June and October 2017 – an impressive number considering that the modules only take around 15 minutes to complete.

Hield presented Veolia UK and Ireland’s cybersecurity training campaign to his contemporaries at a global security summit in France and they were blown away – with Hield at the helm, the rest of the organisation looks set to roll out this high level of cybersecurity training and awareness globally.

He added: “It also works well on the phone – everything is mobile responsive. We can see the main difference and it ticks all the compliance boxes as well which is important for us. It really works for us.”