Lessons Learned: Security Awareness in Oil & Gas

 

We’re hosting a new series highlighting members of our Security Awareness Manager community and their lessons learned while creating and running awareness programs that go beyond checking the box, they make an impact.

This week we're excited to feature SAM Community member Brent Forrest, Field CISO and vCISO Lead for Flair Data. He shares lessons learned from his time in the oil and gas industry when building an awareness program.Oil and gas, like other industrial control environments, comes with its unique set of challenges with security and building out awareness programs to suit.

Security Awareness Challenges in Oil & Gas Industry

One of the biggest challenges Brent sees in creating security awareness programs for Oil & Gas companies is the lack of industry specific training materials at the plant level or on the field. While the traditional approach for awareness around phishing, USBs, and the like are standard, the reason for 'why' is also different.

Brent shared the example of the Colonial Pipeline to illustrate. In a properly segmented ICS environment the system for business communication and similar is separate from the controls systems and in an instance of compromise of the business side, control systems should not be directly affected. However, if personnel do not properly understand the 'why' it can lead to premature actions such as the case in the Colonial Pipeline incident. 

While business downtime from a cyber attack is costly regardless, in highly regulated fields such as the oil and gas sector, the cost is compounded due to SLA fees and the like. And for a plant or factory, shutting down may be quick but rebooting to start back up is a process that takes considerable time in addition to the time already spent offline. This makes the proper security awareness training all the more significant in its support of business operations and financial considerations.

Lessons Learned Building from Ground Up Security Awareness 

Know your audience after an acquisition!

Brent related an instance (aka lesson learned the hard way!) of running a phishing simulation after the company merged with another, bringing their company culture along with them. What he was unaware of is that while his company who acquired the new entity did not have the custom to give out any type of gift card to employees for the holiday season, the newly acquired employees were accustomed to receiving a holiday gift card bonus. So the standard gift card phishing email that promised X amount for a bonus Brent approved to send without a second thought - in November, no less. As one may imagine, it was not received well, to say the least, when the new employees were met with "You clicked a phishing link" instead of the standard bonus they were expecting.

Taking time to sit down with HR for the new personnel to pre-emptively work out acceptable awareness messaging for the new culture and how they may receive them can definitely go a long ways.

What about non-office personnel?

Knowing your audience also extends to understanding the different messaging needed for different office departments vs workers in the field. For Brent, he noticed that framing online security as a way to protect family and home resonated more with the guys and gals in the field over any technical or formal security awareness. 

One other approach taken which Brent felt contributed to their lower susceptibility rate over time was enrolling the managers of 'repeat offenders' into an awareness course. In many instances, once the manager had to take the course due one of the team consistently performing poorly, it encouraged conversation and more accountability.

Physical and digital safety meet

In more safety regulated industries such as oil and gas, Brent's experience was positive from the perspective of management buy-in when framed as digital safety is physical safety. With a culture of safety being more present in many of these types of organizations, layering on digital security as one more level of safety for the employees is an easier 'pitch' than working in businesses that operate exclusively in the digital realm.

Two-way communication

Creating a culture of openness around online safety vs one of negativity allowed employees to feel comfortable enough to approach the security team with work or personal online safety questions which opened up more opportunities for real-time training and longer lasting understanding.

As Brent shares his perspective, "My intent and goal was not to secure just the organization. It was to instruct and teach them on how to secure their personal lives. If their personal lives are altered they're not going to be fully focused on their work. And if they're changing how they're handling their personal life, they're more willing to change their work habits."

20/20 Hindsight - What would change if he had to do all over again?

Before starting any program, Brent would begin by simply visiting each facility and attending monthly safety meetings to understand how each location engages with the safety protocols. He'd also become involved in the safety trainings, not just being a participant of them. To top it off, all this would be done while also getting to know the people individually in the field and in the business offices.

Automate automate automate

When they first began the phishing campaigns for individuals who were required to take a specific training, these individuals were manually added one to two weeks after the phishing results. Once they switched to automated enrollment for such programs, the connection was stronger for individuals from the phishing exercise with the training reinforcement. 

Creating campaigns, generating reports and interpreting reports to present to the board all takes time. Brent estimated that when he was doing all this manually he was spending anywhere from 12 to 15 hours per month. Before his departure from the organization, he moved much of the awareness program to a managed service provider that freed up his time from the functional aspects so that time could be invested in more quality conversations around awareness with the c-suite, managers and employee body. 

Reports aren't just for the board room

While reports were created for the board on a quarterly basis, in line with the open culture he established with his program, Brent also shared the data with the employees via internal channels. He took it further by incentivizing the reporting through a drawing for a $25 gift card for all the employees who reported suspicious emails on a monthly basis. 

Another awareness tactic Brent utilized the reports for may require a bit of preparation and tact before implementing but it did create a new perspective. He'd compile a report of those individuals who were attacked the most via email in a given period - not to shame but rather to inform and demonstrate real threats. After initial pushback from people feeling offended, Brent was able to educate them that their being on the "Most Targeted" list was not a personal attack but instead a tool to raise alertness. 

How much time was spent on the awareness program?

Initially, Brent estimated he spent 15-20 hours a month to manually create campaigns, run the trainings and pull reports. This estimation also includes one-on-one conversations around awareness with both managers and the general population. 

Once he transitioned the program over to a managed services provider, the time spent on the functional aspect of efforts was drastically reduced which freed him up to focus the majority of the time to more in-depth conversations with leadership. He estimated six to ten hours a month was now dedicated to more nuanced engagements and summarizing reports while the MSP handled the rest of the grunt work.

Brent's Top Tips for new security awareness managers

  1. Teach employees MFA is not the devil.
  2. Password managers - best to get the organization to provide one for the employees.
  3. Train employees on the best ways to use MFA and password managers along with the most efficient ways to use them to reduce frustration and higher adoption.
  4. Quit assuming - just because you know it doesn't mean they do.

Thanks Brent!

Connect with him on LinkedIn and while you're there check out our Security Awareness Manager community here.

Looking for awareness training that is short, relevant and engaging? Check out Wizer’s free security awareness video library.