Lessons Learned: Building an Award Winning Security Awareness Program

We’re hosting a new series highlighting members of our Security Awareness Manager community and their lessons learned while creating and running awareness programs that go beyond checking the box, they make an impact.

Our kick off started with the power team at Carrier led by Dennis Legori and Paula West to learn some of the lessons learned that they see as contributing to their successful - and award-winning - security awareness program. 

Being tasked with building a security awareness training program at the height of the pandemic when everyone went into crisis mode, they realized they needed to change the focus from what traditional, on-prem engagements looked like to complete digital campaigns while keeping in mind cyber security was far from top of mind at the time.

The Tipping point

One identified tipping point for their security culture came as a result of a phishing competition during October’s Cybersecurity Awareness Month. Along with it being voluntary participation, a Teams channel was opened to provide friendly sparring during the event. This channel unexpectedly became a place for two-way communication between the security team and employees that went beyond the friendly trash talking. Participants began sharing questions or other scams received outside of the competition through this channel of communication open to them as a fun and safe environment - user engagement and heightened awareness exploded among participants. 

(One quick pro-tip provided by Dennis if you’re using Teams with a large organization is to create a distribution list and then upload to the channel - this helps to get around the 500 user limit per channel.)

What’s more, many of these participants naturally became security awareness ambassadors to their colleagues which is a great indicator of a successful program!

To Phish or Not to Phish or How to Phish?

The phishing competition was gamified as a custom story of the fictitious Golden Nickel Hacking Group trying to attack Carrier through ransomware delivered via email. Participation was voluntary and the event was marketed through different internal social channels. The initial response was over 2000 participants for their first competition!  Through the established Teams channel, competitors engaged along with the SOC team who also competed. As mentioned in the interview, this was one layer which helped humanize the SOC / employee relationship and contributed to more open communication and approachability.

One surprise result was the competitors themselves began asking for harder and harder phishing tests which opened up the opportunity to run campaigns that were usually off limits by HR. In other words, during the competition, they ran campaigns spoofing managers' emails and getting permission from some of their leadership as well to simulate a compromise with their email address to create more advanced phishing sims.

In most businesses, a phishing simulation is usually scheduled either monthly or quarterly but for this particular campaign during October's Security Awareness month, the team slated daily phishing emails for a period of two weeks. The combination of an engaged and competitive atmosphere, the knowledge of higher difficulty of phishes and the daily challenge to not be phished resulted in employees who were on high alert. As such, Dennis and Paula saw a huge jump in reporting of phishing emails not only thanks to the competition but in real-life reporting as well. What previously was 40-50 phishing emails reported daily by employees jumped to 60-70 reports from increased awareness and positive engagement. 

But What's the KPI?

""Our message is 'if you click on it, report it to the SOC'" - Carrier's focus - or KPI - is not on the number of people who clicked on a phishing message but rather on the proactive steps taken by a user - reporting it! "Because we had the SOC on the call (during the competition) our greatest success was people confessing 'oh I clicked on it, I feel bad' or 'I clicked on a real email but our SOC was so helpful - the SOC provided this great customer experience' and it was immersive. At the end of the competition users were already clamouring for the next one - definitely a KPI in itself to the success of an engaged community.

Carrier had 2000 employees who experienced intense and sophisticated training (happily!) that it carried over after the training ended. The team also noticed not only was there an increase in the quantity of reported phishing after the event, there was also an increase in the quality. This was evidenced through one story of a sales team member in France who received an email from a customer and identified a business email compromise and notified the customer to speak with their security team. She reported it and while it was confirmed, she already spoke with the client and took care of it. This was one of many real incidents and helped change the culture of the team as more employees view themselves as "Enterprise Defenders" and a critical piece in the security firewall for their company.  

What else?

Below are a few more insights from their security awareness training program evolution:

• Focus on security awareness training that is short and engaged as opposed to 45 - 60 minute sessions.
• Provide security awareness in short, consistent ‘bites’. For them, that included a cybersecurity tip of the day in connection with quarterly and monthly themes.
• The compilation of content created as a result of this consistency led them to innovate a cybersecurity chat bot that then delivered these tips depending on User engagement.
• Make awareness positive through language and a safe culture for reporting and communicating security issues. Some ways they do this:
  • These sessions provide another opportunity to humanize the relationship between the security team and the employees in the company paving the way for more communication and conversation around security concerns.
• Create bridges between the SOC team and the community of employees
• Remove the stigma around accidentally clicking. 
• Provide positive reinforcement for reporting incidents without shame, embarrassment or fear of punishment.
• Carrier calls their employees “Enterprise Defenders” giving ownership to individual responsibility in the chain of security.
• Instituted monthly recognition of employees who reported phishing incidents through the ICAP certificates (“I Caught a Phish) that users often use as bragging rights
• Highlight success stories of individuals
• Carrier instituted an open invite, interactive event led by members of the security team to interested employees around more in depth topics - i.e. What happens behind the scenes when a phish is reported.
• Integrate some online safety training for home and family concerns. For one such event they hosted a woman sharing her personal experience with a kidnapping incident of her child by a person the child met online - the event had over 200 attendees from the company. 
• KPIs - Forget tracking the clicks, track the reporting! A strong security culture includes users who know what to do when they encounter something suspicious; aren’t sure about a message; or clicked a link without thinking - they report it!
• Carrier saw an overall average increase of 48% of users reporting suspicious incidents being a strong indicator of greater awareness and action! 

In short, Paula summarizes the underlying theme to their program’s success, “We’ve created an environment where we understand that each of us can make a difference.”

Key Takeaways for creating a security awareness program:

Dennis -

• Work with your SOC team. Establish a good relationship and mutual trust with your SOC. Security awareness needs allies.
• Confidence. Know the value of user engagement. Create a positive attitude and engagement around the program. Negative programs [aka punitive] are not worth the effort.
• Have a close relationship with vendors and partners you work with - you’re going to ‘break’ things periodically but trust and accountability go a long way in working through issues that arise.

Paula -

• Consistent communication - keep the communication going.
• Talk to your users - find a way to be relevant to them.
• Get creative - you’re going to hit roadblocks along the way so get creative to find the way to get the message across.

While there is no magic bullet for “THE” way to do security awareness training, Dennis and Paula’s insights and innovative approach certainly provide some great ideas to consider.

If you wear the hat for managing the security awareness program for your organization, we’d love to have you as part of our community, join us here to get more updates for future interviews and our virtual meetups.

Looking for awareness training that is short, relevant and engaging? Check out Wizer’s free video library.