A campaign launch is all well, but how do you keep it going over time?

The creation of TRUST was not an end in itself, but a stepping-stone for the future.

At the start of the project, we immediately envisaged the annual pace of our two awareness plans.

Two, because we had to keep in mind that we were raising awareness for two distinct populations: newcomers and existing employees.

For newcomers, the solution is simple: plan the launch of all existing TRUST resources over one year to space out messages.

For all other employees, it’s more complex. How to get the messages across again without giving a feeling of déjà vu, fatigue or even an overdose?

We have therefore organized our awareness plan with 3 major initiatives spaced out over time.

A new monthly meeting: The Trust minute

A one-minute film broadcasted on all our communication channels to present 5 different messages per month:

1. An example of an anonymous user or client incident
2. A Trustee, our security tool presented in the previous article
3. A security indicator (e.g. the percentage of new recruits who have completed e-learning, the number of those leaving the firm detected downloading documents before they leave). Sharing these indicators helps raising awareness and demonstrates that controls have been lifted.
4. A daily tip given by our friend Sofia
5. A popularized cyber news story

A new campaign of cybercoffee quizzes because it gets results

Of course, we must reinvent it, change the quizzes (but not necessarily the themes) and change the prize? All of this is easy and requires little preparation. Admittedly, this period of lockdown slightly challenged our initial plan. But it has been an opportunity to be creative and to release, in partnership with my colleagues in the Cybersecurity & Digital Trust practice, the new #TotalCyberAwakening video series about lockdown.

An annual global event in October during Cyber Security Month

In 2019, we organized a firm-wide competition on the theme of protecting personal digital information.

Every week, all employees received a question by email which they could answer directly via option buttons (sending a multiple-choice approval via Power Automate). Depending on their answer, they received a second email with the answer and the various tips associated to be used on a personal basis.

Answering a question and getting a correct answer would help contributing to a Euro prize fund. More than €2,100 was donated to the ISSA association, an association which Wavestone has partnered with to promote cybersecurity among schools and children.

This first game, based entirely on voluntary participation, enabled us to reach more than a third of Wavestone’s employees.

We are already preparing for next October’s initiative and this time we will go further with videos, games, meetings, quizzes under a global theme inspired by a famous TV series. What if this time, the new threat of Wavestone was the return of the White Walkers?

6 key elements to keep in mind

To sum up, the key elements for creating a successful awareness program are as follows:

1. Set achievable goals
2. Define a common thread (a theme, a brand) that will allow users to easily associate your messages with security
3. Define a short list of messages to be communicated and stick to it
4. Diversify the media and channels (posters, films, emails, e-learning, games) but always keep at least one event to meet the users
5. First use the tools already at your disposal (PowerPoint, emails, PowerAutomate) before acquiring new interesting solutions if needed, but not necessarily a priority to get started
6. Be creative and use humor to get your messages across (however, culture differences may have an impact in case of an international group)

Cet article The creation of Wavestone’s new internal awareness program (2/2) est apparu en premier sur RiskInsight.

Un lancement de campagne c’est bien, mais comment tenir dans la durée ?

La création de TRUST n’a pas été une finalité, mais un tremplin pour la suite.

Au démarrage du projet, nous avions tout de suite imaginé quel serait le rythme annuel de nos 2 plans de sensibilisation.

Nous devions avoir en tête de gérer la sensibilisation de 2 populations distinctes : les nouveaux et les anciens collaborateurs.

Pour les nouveaux, la solution est simple : planifier le lancement de tous les supports TRUST existants sur une année pour espacer les messages.

Pour tous les autres collaborateurs, c’est plus complexe. Comment faire à nouveau passer les messages sans donner un sentiment de déjà vu, de lassitude, voire d’overdose ?

Nous avons donc organisé notre plan de sensibilisation avec 3 grandes actions espacées temporellement.

Un nouveau rendez-vous mensuel : The Trust minute

Un film d’une minute diffusé sur tous nos canaux de communications pour présenter 5 messages différents par mois :

1. Un exemple anonymisé d’incident utilisateur ou avec un client
2. Un Trustee, nos outils de sécurité présentés dans l’article précédent
3. Un indicateur de sécurité (ex : le pourcentage de nouveaux ayant réalisé le e-learning, le nombre de démissionnaires détectés à télécharger des documents avant leur départ). Le fait de partager ces indicateurs permet de sensibiliser sur la problématique et de démontrer l’existence des contrôles.
4. Une astuce du quotidien donnée par notre amie Sofia
5. Une actualité cyber vulgarisée

Une nouvelle campagne de cybercoffee quizz car le résultat est au rendez-vous.

Evidemment, il faut se renouveler, changer les questionnaires (mais pas forcément les thèmes), changer le goodie, mais tout cela est facile et demande peu de préparation. Certes, je vous l’avoue, cette période de confinement a légèrement remis en cause notre plan initial. Cependant, cela a été l’occasion d’être imaginatif et de sortir, en partenariat avec mes collègues de la practice Cybersécurité & Digital Trust, la nouvelle série en vidéo TotalCyberAwakening sur le confinement.

Un évènement global annuel en octobre lors du mois de la cybersécurité.

En 2019, nous avions organisé un jeu concours à l’échelle du cabinet sur le thème de la protection de la vie numérique personnelle.

Chaque semaine, tous les collaborateurs recevaient une question par mail à laquelle ils pouvaient répondre directement via des boutons de choix (envoi d’une approbation à choix multiples via Power Automate). En fonction de leur réponse, ils recevaient un second email leur annonçant la réponse et différents conseils associés à utiliser à titre personnel.

La participation à une question et une bonne réponse alimentaient une cagnotte en euros. Plus de 2100€ ont ainsi été reversés à l’association ISSA à laquelle Wavestone s’est associée pour promouvoir la cybersécurité auprès des écoles et des enfants.

Ce premier jeu sur base de volontariat nous a permis d’atteindre plus d’un tiers des collaborateurs de Wavestone.

Nous sommes déjà en train de préparer celui d’octobre prochain et cette fois-ci nous irons plus loin, avec des vidéos, des jeux, des rencontres, des quizz sous un thème global inspiré d’une célèbre série TV. Et si cette fois-ci la nouvelle menace de Wavestone était le retour des marcheurs blancs ?

6 éléments clés à retenir

Pour résumer, les éléments clés de succès pour la création d’un programme de sensibilisation réussi sont les suivants :

1. Se fixer des objectifs chiffrables et atteignables
2. Définir un fil rouge (un thème, une marque) qui va permettre aux utilisateurs d’associer facilement vos messages à la sécurité
3. Définir une courte liste de messages à faire passer et s’y tenir
4. Diversifier les supports et les canaux (affiches, films, mails, e-learning, jeux) mais toujours conserver au moins un évènement permettant d’aller à la rencontre des utilisateurs
5. Utiliser dans un premier temps les outils déjà à votre disposition (PowerPoint, mails, PowerAutomate) avant d’acquérir si besoin de nouvelles solutions intéressantes mais pas forcément prioritaires pour démarrer
6. Faire preuve de créativité et utiliser l’humour pour faire passer vos messages (attention toutefois à prendre en compte les différences de culture dans le cadre d’un groupe international)

Cet article Récit de la création du nouveau programme de sensibilisation interne de Wavestone (2/2) est apparu en premier sur RiskInsight.

A year ago, the idea of TRUST was born, the name of the new awareness program at Wavestone. My team and I spent a year thinking about and developing a whole new strategy to raise awareness among Wavestone employees. Wavestone has 3,500 employees in 8 countries, whose main job is consulting (but not only!), rather young (but not only!), who know about IT and cybersecurity (but not only!).

This anniversary was an opportunity to reflect on the results and think about what we are going to do next. In view of the very positive feedback that I have received from our employees, I consider this program to be a success in terms of our objectives and I would therefore like to share it with you to explain how it is possible to build a program and develop materials without necessarily having an enormous budget. In a nutshell, awareness-raising is within the reach of every company, even the smallest.

It all starts with a review and objectives

The assessment at the beginning of 2019 was simple: for several years, I had already developed various awareness-raising tools: a virtual character (Sofia), an e-learning module, phishing campaigns, a very stylish user charter (but I am not fooled by its actual read rate), videos, an Intranet page, awareness-raising emails, security tools available to users… but then why did our users always continue to act as if they didn’t know?

At the same time, within the framework of the Wavestone 2021 strategic plan and its aim to position the firm in the top 3 of its category in terms of CSR, we have set ourselves the objective of being a trusted partner with 100% of our employees being aware of data protection issues.

100%! At the beginning of 2019, I only had a 70% participation rate of employees in e-learning safety.

But then how? What more could I do?

After several group sessions and one or two sleepless nights, the ideas were there:

Our various actions were too diverse, a common thread was missing: a brand!

A digital format is a good thing, but there is no substitute for a verbal discussion (we forget the traditional 2 hour face-to-face mandatory training for all newcomers, which is very time consuming and has a limited impact due to the large number of messages addressed in the 2 hours. I have led so many of them as a consultant).

We always talk about risk and threat, but employees need more practical examples that are well adapted to their company’s situation. What mistakes can they make on a daily basis and what would be the actual impact for Wavestone?

“Humor! We need humor!” Yes, but not always! Humor is a great tool to grab the attention of your target audience, to lure them in, to make them receptive to you… but what you really need is pragmatism!

It is difficult for the employee to ultimately know what to do with the many rules given. In the end, a large part of data protection remains the mission of IT management, by implementing protection tools, alerts and controls. For example: is it up to users to be more vigilant against phishing or malicious emails? For my part, I think it’s more up to the company:

1. to implement a better messaging protection solution,
2. a better EDR that will block the action of the faulty part,
3. to have solutions to avoid the spread of ransomware or data backups,
4. to have a multi-factor solution that will greatly reduce the use of stolen logins and passwords via a fake password reset email.

It is more important to work on limiting the impact of a malicious email that will always find a willing victim, rather than focusing energy on educating users on this topic.

Based on this observation, what are the messages I wanted to convey? What is really in the control of the Wavestone employee, and not IT management?

They can be summed up in 5 messages:

1. Transfer documents from your client ONLY WITH authorization:When you are a consulting firm whose employees spend so much time on your clients’ IS, the primary risk is a lack of awareness and the loss of a client because your employees have taken out sensitive documents to make it easier for them to work on their workstations, or with their project manager who does not have access to the client’s IS (at least not yet, which can often happen with long processes for providing access to client’s IS). This is not a security risk as such for Wavestone, but rather a risk of a client incident that is dealt with through data protection awareness.
2. Respect the project confidentiality procedure: the fundamentals! Comply with the instructions for handling client data. On the other hand, for it to be effective, this procedure must be very simple… no more than 2 or 3 rules.
3. Use security tools to protect data: as long as they are easy to use! We’ll talk about this later.
4. Store personal data only if necessary and process only for the intended purpose: you have to put a little GDPR message in the formula…
5. Think twice before opening an attachment, clicking on the web link, and working in transport and public places: “but you just told us it was the role of IT management!” Yes, sure, you’re right, but it doesn’t cost anything to add it at the end. Anyway, we always forget the last piece of advice!

5 messages. Perhaps the more visual among you have noticed… but the first letter of each line combines to form…

And here’s the TRUST brand that was born, with its logo, design, style guide and visuals.

We have the brand! Like any good marketing product, it must now be broken down into multiple promotional formats.

Once we had our central theme in terms of messages and visuals, all that remained was to communicate it, but not in a single action, in a series of actions linked to each other to simultaneously increase formats, channels and messages to different categories of users.

Production of the TRUST video. 5-minute film in 3 parts:

1. An introduction to set the scene with fictional press or radio articles presenting the consequences for Wavestone of a security incident (loss of clients, loss of turnover, stock market decline, etc.).
2. 5 messages: 5 humorous sketches including a Wavestone employee and a different CISO. What better than CISOs to play their own role? I was lucky that the CISOs of 2 CAC40 companies, a large French public company and a large English bank agreed to play the game in a humorous way. Many thanks again to them! Each consequence of the scene is then explained by the managing director of Wavestone, Mr Patrick HIRIGOYEN. Small video excerpt here.

3. Finally, a conclusion with a message from Mr. Pascal IMBERT, Chairman and Chief Executive Officer of Wavestone, as a more serious reminder of the risks involved for the firm and the need for each employee to feel committed and to apply the proposed measures.

We received a very good feedback from the employees on this humorous film, which was widely distributed through all the firm’s communication channels.

The TRUST brand was quickly identifiable. But this film was just for the launch, it needs more!

Creation of cybercoffee quizzes

The principle is simple: answer at least 3 security questions and get a free coffee and 1 goodies (a TRUST webcam cover for this year).

An excellent opportunity to meet employees at a time when they are open to discussion: during their coffee break.

For this, you need visuals: kakemonos, polo shirts, screens with the awareness film and 1 coffee machine with free coffee. You can’t miss us!

Every fortnight, my team would go to a different break room in our offices to introduce TRUST, get the staff playing and answer their questions. This initiative was greatly appreciated by the employees. Beyond the lure of winning, they were delighted that we took the time to explain to them individually things they didn’t know or didn’t know well and all the simple things that were available to them. “It’s not as complicated as it sounds!”

These quizzes, in the form of presentations at management meetings or team meetings in our various offices, enabled us to meet with more than 1,000 employees in person in 9 months, i.e. around 1/3 of our staff. Although time-consuming, this action remains one of the most impactful in terms of making ourselves known and getting our messages across.

Technical tip: it’s very easy to implement in practice:

• 3-question form, for us, made on Microsoft Forms,
• QR code displayed on a kakemono or a poster so that from its phone, the participant can easily access this form (just take out the camera, no application to install)
• Finally, a simple workflow (via Power Automate) to save the result in a database and automatically send a summary email to the participant with key messages and links to videos.

The score and corrections being displayed directly on the phone after confirmation, the facilitator can directly discuss with the participant to explain their mistakes and offer them their gift.

What if the security tools were superheroes?

“Encrypt your document”, “Protect your passwords”, “Encrypt your emails”… so many instructions given to users who, despite their good intentions, often find themselves saying “I want to, but how can I do it?”

We had a whole catalog of tools installed on the workstations and were available for employees, which were simply unknown to everyone. So, we had to bring them out of the shadows and into the spotlight to show their existence and their usefulness. That’s how our League of Trustees was born!

Each tool has its own superhero whose duty is to show our employees what they are used for and how easy it is to use them in less than 1 minute:

“I want to send a secure document to my client”: Encrypt it with 7zip!

“I want to protect the documents on my USB flash drive”: Encrypt it with BitlockerToGo, it’s on your computer!

Posters and short demonstration videos were used to communicate on our different channels and to present them during our Cybercoffee quizzes.

I wouldn’t say that they are now used every time, but at least they are better known and therefore are used more than they were before.

Technical tip: did you know that you don’t need professional software and a 5-year degree in audiovisuals to make short animated films?

There are tools such as Powtoon or Vyond that allow you to make awareness videos very easily with a whole series of characters or settings already proposed. In 1 to 2 days you can already make your first one-minute video. Quickly, you will only need half a day of editing. The most complex part is always the script writing, the duration of this step can be very varied depending on the message you want to convey, your context or requirements (it’s this last point that personally takes me a lot of time!).

For simpler films, including video clips and text, personally, my new video editing tool has become Microsoft PowerPoint! You all already know how to use it to put text, animations and transitions. All you have to do now is use the video insertion, screen recording and video export functions. 3 features that make your life easier because usually you always have to find third party tools to record your screen, cut them and convert videos.

You can even save your films in GIF format to integrate them directly into your awareness emails! No need to redirect your user to a video site!

The ultimate advantage is that you can have your videos edited by other people and modified afterwards by others without training because most of your employees know how to use PowerPoint. Creativity becomes your only limit.

3 new materials, that’s it?

As soon as our new materials were ready, we took the opportunity to bring our old awareness tools back to TRUST’s colours:

The e-learning for all new employees has been revamped with TRUST visuals by integrating the videos presented previously and refocusing the questions on our 5 messages. This more entertaining aspect enabled us to achieve our goal of having 100% of our new employees completing this e-learning programme by 2019. It is also thanks to good follow-up efforts and perseverance that this objective has been achieved! It’s not that easy getting 100%…

The Intranet page has also undergone a makeover to centralize all these resources and highlight the messages.

The security alerts for employees have also been rebranded under the TRUST brand. It should not be forgotten, but these alerts can be a great tool for raising awareness. Between the automatic email saying “We saw you, it’s not right, you’re going to be punished” and the prevention email sent by the awareness character explaining the right way to do things, the message gets across differently. And I strongly believe that it is more effective… the proof is in the observed decrease of these alerts since their implementation.

End of the first article… how to keep it going and my conclusion soon to be published in part 2.

Cet article The creation of Wavestone’s new internal awareness program (1/2) est apparu en premier sur RiskInsight.