The creation of Wavestone’s new internal awareness program (1/2)

Cyberrisk Management & Strategy


A year ago, the idea of TRUST was born, the name of the new awareness program at Wavestone. My team and I spent a year thinking about and developing a whole new strategy to raise awareness among Wavestone employees. Wavestone has 3,500 employees in 8 countries, whose main job is consulting (but not only!), rather young (but not only!), who know about IT and cybersecurity (but not only!).

This anniversary was an opportunity to reflect on the results and think about what we are going to do next. In view of the very positive feedback that I have received from our employees, I consider this program to be a success in terms of our objectives and I would therefore like to share it with you to explain how it is possible to build a program and develop materials without necessarily having an enormous budget. In a nutshell, awareness-raising is within the reach of every company, even the smallest.


It all starts with a review and objectives

The assessment at the beginning of 2019 was simple: for several years, I had already developed various awareness-raising tools: a virtual character (Sofia), an e-learning module, phishing campaigns, a very stylish user charter (but I am not fooled by its actual read rate), videos, an Intranet page, awareness-raising emails, security tools available to users… but then why did our users always continue to act as if they didn’t know?

At the same time, within the framework of the Wavestone 2021 strategic plan and its aim to position the firm in the top 3 of its category in terms of CSR, we have set ourselves the objective of being a trusted partner with 100% of our employees being aware of data protection issues.

100%! At the beginning of 2019, only 70% of employees had completed the security e-learning.


But then how? What more could I do?

After several group sessions and one or two sleepless nights, the ideas were there:

Our various actions were too diverse, a common thread was missing: a brand!

A digital format is a good thing, but there is no substitute for a verbal discussion (let’s forget the traditional 2-hour face-to-face mandatory training for all newcomers, which is very time-consuming and has a limited impact because of the large number of messages crammed into those 2 hours. I have led so many of them as a consultant).

We always talk about risk and threat, but employees need more practical examples that are well adapted to their company’s situation. What mistakes can they make on a daily basis and what would be the actual impact for Wavestone?

“Humor! We need humor!” Yes, but not always! Humor is a great tool to grab the attention of your target audience, to lure them in, to make them receptive to you… but what you really need is pragmatism!

It is difficult for the employee to ultimately know what to do with the many rules they are given. In the end, a large part of data protection remains the mission of IT management, through the implementation of protection tools, alerts and controls. For example: is it up to users to be more vigilant against phishing or malicious emails? For my part, I think it’s more up to the company:

  1. to implement a better messaging protection solution,
  2. to deploy a better EDR that will block the action of the malicious component,
  3. to have solutions that prevent the spread of ransomware, and data backups,
  4. to have a multi-factor authentication solution that will greatly reduce the use of logins and passwords stolen via a fake password reset email.

It is more important to work on limiting the impact of a malicious email that will always find a willing victim, rather than focusing energy on educating users on this topic.

Based on this observation, what are the messages I wanted to convey? What is really in the control of the Wavestone employee, and not IT management?

They can be summed up in 5 messages:

  1. Transfer documents from your client ONLY WITH authorization: when you are a consulting firm whose employees spend so much time on your clients’ IS, the primary risk is a lack of awareness and the loss of a client because your employees have taken sensitive documents out to make it easier to work on their own workstations, or with a project manager who does not have access to the client’s IS (at least not yet, which often happens given the long processes for granting access to a client’s IS). This is not a security risk as such for Wavestone, but rather a risk of a client incident, which is addressed through data protection awareness.
  2. Respect the project confidentiality procedure: the fundamentals! Comply with the instructions for handling client data. On the other hand, for it to be effective, this procedure must be very simple… no more than 2 or 3 rules.
  3. Use security tools to protect data: as long as they are easy to use! We’ll talk about this later.
  4. Store personal data only if necessary and process only for the intended purpose: you have to put a little GDPR message in the formula…
  5. Think twice before opening an attachment, clicking on the web link, and working in transport and public places: “but you just told us it was the role of IT management!” Yes, sure, you’re right, but it doesn’t cost anything to add it at the end. Anyway, we always forget the last piece of advice!

5 messages. Perhaps the more visual among you have noticed… but the first letter of each line combines to form…


And here’s the TRUST brand that was born, with its logo, design, style guide and visuals.


We have the brand! Like any good marketing product, it must now be broken down into multiple promotional formats.

Once we had our central theme in terms of messages and visuals, all that remained was to communicate it, but not in a single action, in a series of actions linked to each other to simultaneously increase formats, channels and messages to different categories of users.

Production of the TRUST video: a 5-minute film in 3 parts:

  1. An introduction to set the scene, with fictional press or radio articles presenting the consequences for Wavestone of a security incident (loss of clients, loss of turnover, stock market decline, etc.).
  2. The 5 messages: 5 humorous sketches, each featuring a Wavestone employee and a different CISO. What better than CISOs to play their own role? I was lucky that the CISOs of 2 CAC40 companies, a large French public company and a large English bank agreed to play the game in a humorous way. Many thanks again to them! The consequence of each scene is then explained by the managing director of Wavestone, Mr Patrick HIRIGOYEN. Small video excerpt here.
  3. Finally, a conclusion with a message from Mr. Pascal IMBERT, Chairman and Chief Executive Officer of Wavestone, as a more serious reminder of the risks involved for the firm and the need for each employee to feel committed and to apply the proposed measures.

We received very good feedback from the employees on this humorous film, which was widely distributed through all the firm’s communication channels.

The TRUST brand was quickly identifiable. But this film was just for the launch, it needs more!

Creation of cybercoffee quizzes

The principle is simple: answer at least 3 security questions and get a free coffee and a goodie (a TRUST webcam cover this year).

An excellent opportunity to meet employees at a time when they are open to discussion: during their coffee break.

For this, you need visuals: kakemonos, polo shirts, screens with the awareness film and 1 coffee machine with free coffee. You can’t miss us!


Every fortnight, my team would go to a different break room in our offices to introduce TRUST, get the staff playing and answer their questions. This initiative was greatly appreciated by the employees. Beyond the lure of winning, they were delighted that we took the time to explain to them individually things they didn’t know or didn’t know well and all the simple things that were available to them. “It’s not as complicated as it sounds!”

These quizzes, together with presentations at management meetings or team meetings in our various offices, enabled us to meet more than 1,000 employees in person in 9 months, i.e. around 1/3 of our staff. Although time-consuming, this action remains one of the most impactful in terms of making ourselves known and getting our messages across.

Technical tip: it’s very easy to implement in practice:

  • a 3-question form, in our case built with Microsoft Forms,
  • a QR code displayed on a kakemono or a poster so that participants can easily open the form from their phone (just point the camera at it, no application to install),
  • finally, a simple workflow (via Power Automate) to save the result in a database and automatically send a summary email to the participant with the key messages and links to the videos.

Since the score and corrections are displayed directly on the phone after submission, the facilitator can immediately discuss with the participant to explain their mistakes and offer them their gift.
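The scoring and follow-up logic of that workflow, written out as an added example in Python (it is not Wavestone’s Power Automate flow; the three questions, the SQLite table and the video URL are constructed placeholders). A wrong answer flags the TRUST message it relates to, so the summary email recalls exactly the messages the participant missed:

```python
import sqlite3
from dataclasses import dataclass, field
# The five TRUST messages of the program, numbered as in the article.
MESSAGES = {
    1: "Transfer documents from your client ONLY WITH authorization",
    2: "Respect the project confidentiality procedure",
    3: "Use security tools to protect data",
    4: "Store personal data only if necessary and process only for the intended purpose",
    5: "Think twice before opening an attachment, clicking a link or working in public places",
}
# Constructed sample form: question id -> (correct choice, number of the TRUST message it checks).
QUESTIONS = {
    "q1": ("b", 1),  # e.g. "A colleague without client IS access needs a client document. You..."
    "q2": ("a", 3),  # e.g. "To email a confidential file to a client, you..."
    "q3": ("c", 5),  # e.g. "An unexpected email asks you to reset your password via a link. You..."
}
VIDEO_URL = "https://intranet.example/trust/videos"  # placeholder, not a real Wavestone link
_DB = sqlite3.connect(":memory:")  # stands in for the database the Power Automate flow writes to

@dataclass
class QuizResult:
    participant: str
    score: int
    missed: list = field(default_factory=list)  # TRUST message numbers to recall in the email

def score_response(participant: str, answers: dict) -> QuizResult:
    """Grade one submitted form; a wrong or missing answer flags its TRUST message."""
    result = QuizResult(participant, 0)
    for qid, (correct, message_no) in QUESTIONS.items():
        if answers.get(qid) == correct:
            result.score += 1
        else:
            result.missed.append(message_no)
    return result

def save_result(result: QuizResult, conn: sqlite3.Connection = _DB) -> int:
    """Persist the result (the 'save to a database' step); returns the stored row count."""
    conn.execute("CREATE TABLE IF NOT EXISTS results(participant TEXT, score INT, missed TEXT)")
    conn.execute("INSERT INTO results VALUES (?, ?, ?)",
                 (result.participant, result.score, ",".join(map(str, result.missed))))
    return conn.execute("SELECT COUNT(*) FROM results").fetchone()[0]

def build_summary_email(result: QuizResult) -> str:
    """Compose the automatic follow-up email: score, key messages and the video link."""
    lines = [f"Hello {result.participant}, your cybercoffee score: {result.score}/{len(QUESTIONS)}"]
    for n in (result.missed or MESSAGES):  # recall the missed messages, or all five if none missed
        lines.append(f"- {MESSAGES[n]}")
    lines.append(f"Watch the TRUST videos: {VIDEO_URL}")
    return "\n".join(lines)
```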

What if the security tools were superheroes?

“Encrypt your document”, “Protect your passwords”, “Encrypt your emails”… so many instructions given to users who, despite their good intentions, often find themselves saying “I want to, but how can I do it?”

We had a whole catalog of tools installed on the workstations and available to employees, which were simply unknown to everyone. So we had to bring them out of the shadows and into the spotlight to show that they exist and what they are good for. That’s how our League of Trustees was born!


Each tool has its own superhero, whose duty is to show our employees what the tool is for and how easy it is to use, in less than 1 minute:

“I want to send a secure document to my client”: Encrypt it with 7zip!

“I want to protect the documents on my USB flash drive”: Encrypt it with BitLocker To Go, it’s already on your computer!

Posters and short demonstration videos were used to communicate on our different channels and to present them during our Cybercoffee quizzes.

I wouldn’t say that they are now used every time, but at least they are better known and therefore are used more than they were before.


Technical tip: did you know that you don’t need professional software and a 5-year degree in audiovisuals to make short animated films?

There are tools such as Powtoon or Vyond that let you make awareness videos very easily, with a whole series of ready-made characters and settings. In 1 to 2 days you can already make your first one-minute video; soon you will only need half a day of editing. The most complex part is always the script writing: the duration of this step can vary greatly depending on the message you want to convey, your context and your requirements (it’s this last point that personally takes me a lot of time!).

For simpler films combining video clips and text, my new video editing tool has personally become Microsoft PowerPoint! You all already know how to use it to add text, animations and transitions. All you have to do now is use the video insertion, screen recording and video export functions: 3 features that make your life easier, because usually you have to find third-party tools to record your screen, cut the recordings and convert the videos.

You can even save your films in GIF format to integrate them directly into your awareness emails! No need to redirect your user to a video site!

The ultimate advantage is that you can have your videos edited by other people and modified afterwards by others without training because most of your employees know how to use PowerPoint. Creativity becomes your only limit.


3 new materials, that’s it?

As soon as our new materials were ready, we took the opportunity to bring our old awareness tools back to TRUST’s colours:

The e-learning for all new employees has been revamped with TRUST visuals by integrating the videos presented previously and refocusing the questions on our 5 messages. This more entertaining aspect enabled us to achieve our goal of having 100% of our new employees completing this e-learning programme by 2019. It is also thanks to good follow-up efforts and perseverance that this objective has been achieved! It’s not that easy getting 100%…

The Intranet page has also undergone a makeover to centralize all these resources and highlight the messages.

The security alerts sent to employees have also been rebranded under the TRUST brand. It is easy to forget, but these alerts can be a great awareness-raising tool. Between the automatic email saying “We saw you, it’s not right, you’re going to be punished” and the prevention email sent by the awareness character explaining the right way to do things, the message gets across differently. And I strongly believe that it is more effective… the proof is in the observed decrease in these alerts since their implementation.


End of the first article… how to keep it going and my conclusion soon to be published in part 2.