Evolving With Security Awareness in 2024



As we look towards the new year and all the sweeping technological change that comes with it, we spoke with security awareness community member Dennis Legori to get his take on successes he's seen to carry with us into 2024. Dennis is the Associate Director for Security Awareness & Digital Communications at Carrier.

His team's innovative approach to building a positive security culture has led to a massive growth of Enterprise Defenders and increased reporting of phishing and ransomware attacks. With a background in cybersecurity since 2013, Dennis brings a unique blend of business and security expertise to Carrier as well as his own entreprenuer-like problem solving and new concepts.

Looking for the TLDR version? Check out Dennis' Community Spotlight page here

Believe it or not, much of Dennis' community building success was born out of running a phishing simulation competition. Now, phishing simulations get a bad wrap mostly because they are used ineffectively and with little thought to the company culture or brands they impersonate; and are mistakenly treated as THE KPI to watch. Not to mention they can be very limited. You can't simulate wire fraud attempts or spoofing at scale, at least, we don't recommend it for many reasons :)

And just as important, there's generally a feeling by employees they're the ones being attacked by their own company - a sentiment that definitely does not promote a warm fuzzy feeling for company morale.

An Accidental Community Is Born

During the height of the pandemic and overlap of October's Security Awareness Month campaigns, Dennis and his team took a different approach to the annual phishing simulation competition. Unlike phishing competitions of yesteryear the physical presence of teammates was missing to lend an extra pair of eyes to a suspicious email. To address this, they created a Teams channel using a distribution list to allow players the ability to collaborate for the duration of the competition.
While the dedicated channel was intended solely for the competition it took on a life of its own. With 1600 people from over 100 countries it turned into an online hangout where everyone was sharing their wins and losses with phishing emails. Some were like, "Yeah, gotcha!" and others admitted, "Oops, I fell for it. Sorry I let the team down." It turned into its own social media-like community. 
The channel became a place to celebrate 'a good catch' or encourage and troubleshoot when there was doubt. Even after the competition ended employees were sharing snippets of real phishing emails to alert others. This high engagement laid the groundwork.

Immersive Learning + Real-Time Threat Intel

One particular individual shared in the channel that he had clicked on a real phishing email but had had such a helpful and positive experience with the SOC team. That's when Dennis had the idea to bring on the SOC members to the group that not only provided friendly accessibility from employees to the SOC but also gave the security team live intel - definitely a positive feedback loop for all involved.
The whole evolution made the channel its own immersive learning experience as well as providing real-time chatter on phishing emails and attacks. They've since branched off to create local Enterprise Defenders channels localized for language and relevance with over 5000 employees engaged through the year actively being the eyes and ears for stronger security across the business. 

Xtreme Phishing Simulations

Once the competition ended the employees surprised them by pushing for the next competition to run - that's when they decided to create more opt-in events throughout the year. And not only that, there was a clamor for harder challenges - that's when the gloves came off.
For this select group of volunteer competitors, the team created a 2 week challenge that blasted challengers daily with spoofed emails, HR requests, payment changes, and the like - basically all the typically taboo types of phishing you can't generally run. Having coordinated with specific managers and leadership teammembers whom they would spoof, the participants were able to really be put on their toes with real-life scenarios not typically experienced in regular phishing simulations. 
This resulted in approximately 1600 highly engaged individuals on high alert for sophisticated phishing attacks as part of the game, but it also led to increased reporting of real phishing attacks at the same time.

Reaping The Benefits

Once the extreme phishing competition ended after the 2 week period, the intense exercise had the positive after-effect of employees continuing to spot and report suspicious messages at a higher volume than before. Dennis and his team have been tracking the reporting metrics since and it only continues to get better.
It's a favorite saying that "people are the weakest link". However, as Dennis' successful evolution of the phishing competition and security culture demonstrates people can be your greatest asset as a 'human sensor', catching what no email gateway or end-point protection can.

Not Your Typical Security Awareness Program

Many traditional security awareness plans include some type of ambassador program. Typically these have individuals who are already aware of the general risks and understand the concepts of cybersecurity awareness and many are 'volun-told' to be a point person for their particular department. 

However, the thing about the grassroots efforts Dennis' team cultivated is that their (now) team of 5500+ defenders don't confess to be experts. They just want to be part of the bigger picture.

They're willing to learn from others, and it's just completely inclusive. In fact, when one employee expressed interest to join but was concerned about the language barrier, they shifted to create localized Teams channels for their regional teams across the globe for more personal and relevant conversations keeping people comfortable in their language. 

Importantly, there's no penalty for clicking a link or taking any cyber missteps but rather  support to quickly mediate while celebrating the positives from reporting to identifying attacks. Everyone's stronger for it from the individuals being empowered to the SOC team getting added intel from the employees 'in the field'.  

 It's all about inclusiveness. It's all about that global culture and using that. When you have people, there's power in the people.

But Is There Swag?

While many ambassador programs are sure to set aside fun security awareness SWAG to sweeten the deal for volunteering (which is a fun bonus!), Dennis' program runs surprisingly lean utilizing what they have with little extra incentive. In fact, for their current active Enterprise Defenders the positive reinforcement offered is a simple message of thanks and congratulations along with a certificate to use as 'bragging rights'. Additionally, their manager also receives notification to provide the employee kudos from their higher ups. But that's it. 
For distributing the certificates and congratulatory messgage they simply utilize the LMS functionality they already have so everything can be automated.

In short, they make do with what they have. But according to Dennis, "It's tied to what the company culture is. Obviously, if you're not in defense, it depends on what industry you are and what your company culture is and how supportive your management.

And sometimes we security professionals just have to go with the flow. But in this case, I have the backup of management; you definitely don't want to take any kind of punitive approach. Is that the right approach? It depends on the industry. But my thought is, if people are scared, if a SOC is going to shame them, or if their manager is going to shame them, then when they click on something real, or if they open something malicious, if something is going to happen and they keep quiet, I think that's the real danger." 

But my thought is, if people are scared, if a SOC is going to shame them, or if their manager is going to shame them...if something is going to happen and they keep quiet, I think that's the real danger. 

Crowdsourcing Security Awareness

Dennis feels much of the program's success is the fact that it's basically crowdsourced cybersecurity using the power of the people. Similar to how Waze managed to transform transportation apps through crowdsourced information from real-time reporting by its users, Carrier has been able to transform its rate of reporting while reducing the human risk landscape through its highly engaged and empowered employee-base. It's a great example of the transformative power of shifting from a problem-focused mindset and demonstrating the success of gamifying the crowdsourcing process to encourage community participation and celebrate achievements.

Both Dennis and Gaby underscored the importance of cultivating a positive culture that celebrates success rather than solely focusing on preventing failures. This mindset shift plays a pivotal role in creating an engaging and collaborative community where people are motivated to contribute, even without monetary incentives, ultimately contributing to the success of projects like Waze.

Marketing Your Security Awareness Program

However, the continual growth of the Enterprise Defenders 'movement' didn't happen in a vacuum. Once the team saw real interest and engagement they began to take concerted efforts to make sure to make the opportunity available to more of their global team. In short, they put on their marketing cap and looked at different ways to invite more people to their awareness community. After their first cohort of Defenders was a success, they began to send an invitation in response to someone successfully reporting a real phishing email which began to provide new monthly signups. 

One particular effort saw great success when Dennis challenged his teammate Jeleasa Grayned to sign up 1000 new Defenders in 10 days. This initiative earned them the opportunity to present their tale at SANS Security Awareness: Managing Human Risk Summit 2023. And this past year, the team did another push for 500 in 5 days. A good reminder that if you build it, they will come.

Aside from the larger campaigns to scale, they also keep to the rhythm and themes already present within the company. One campaign capitalized on International Women's Day, while their Phantom Phish Halloween challenge reassured them they didn't have to be scared of online threats but could join the Defenders team to upgrade their savvy. 

One other venue where they are able to market and engage is simply through coordinating with their Communications teams that provides live trainings. In these sessions they are able to speak to 300-400 employees on a range of topics that affect them personally in the cyber world with guest speakers and live Q&A. 

They've had so much success that whereas most departments are alloted 30 minutes slots, Dennis' team is given 1 hour - 30 minutes for the training and then 30 minutes for an 'after party' where employees can causally engage and interact with the cybersecurity professionals for further discussion. To date, these sessions are topping the employee ratings at 97% satisfaction! And as an added benefit to the employees, they can also receive learning credits as the recording is also uploaded to the LMS. 

In Conclusion

In short, to help your employees evolve with the security threats of 2024, more than fancy tech or huge budgets, providing a space for employees to engage and connect with security teams can be a huge step forward that opens the way for more possibilties while simply using the tools already at your disposal. While it takes work, the ROI of a stronger workforce reinforced with a positive security mindset is priceless.

Connect with Dennis on LinkedIn! Enjoyed this? Check out Dennis and Paula West's conversation on the early days of building their Defenders program along with more great insights from other community members in the Resource section below.

Want to catch our next community talk? Subscribe to our announcements here.

More Resources on Security Awareness Programs

Building A Winning Security Awareness Program

Building A Healthy Cybersecurity Culture

Security Awareness Done Right

Creating Impactful Videos for Security Awareness Training

Security Awareness Training Highlights PDF