So I know we're all waiting for the lunch break. I'll try to make it short and snappy and fun. Most of all, my name is Alina Smith. I'm the cybersecurity assurance lead of the Around Town Group. And about two years ago I was given the opportunity to lead all information security governance initiatives for the group. That means that a big part of my job is to make people aware and to prevent them from being subject to an attack. And everybody, anybody that knows me just a little bit, knows that I'm incredibly enthusiastic about that. Around Town itself is a real estate company.
We have about 1,500 employees spread around various different countries: Germany, the Netherlands, the UK, Luxembourg, Cyprus. And so that is basically the low-tech environment that I'm dealing with on a day-to-day basis. The employees are property managers, they're sales agents, they're service center agents. In short, or in a nutshell, people that don't necessarily need to be tech savvy to do their day-to-day tasks. So I want to talk to you about how to make awareness work in a low-tech environment. But spoiler alert, there is no one-size-fits-all solution, unfortunately.
But I will talk to you about what we have done and what has worked for us. So our problem is clearly staff engagement with cyber education. Let's be honest, information security is an incredibly ungrateful task.
It's a serious topic. It's overwhelming and seemingly complicated. "Yay, another information security awareness training," said no one ever. Because we're dealing with people that are technologically challenged and sometimes even borderline computer illiterate, they don't like it. We're the ones that block their USB ports, we're the ones that impose multi-factor authentication for seemingly no other reason than to make their work lives harder.
So combine these kinds of people that are technologically challenged with those that are afraid of computers and those that blindly follow SOPs, and you've got yourself the ultimate challenge. Tell me if you can relate. How can I finish all of my work with all of these trainings? Does security really see everything I do? Don't they have anything better to do, like protect us from hackers? And then, last but not least, the complacency: "Us?
No, who would ever hack us?" So how do you make awareness work, and why don't any of the seemingly fun and innovative tools that the market has to offer work? Because it's boring. It's boring. We're all just trying to tick the box. We're sending generic emails from the CISO's desk telling them how many millions of euros can be lost in a hack. We're imposing dull e-learning modules with five questions at the end that are way too easy to answer.
So just so that everybody can get them right and we have spread awareness. But if we're honest with ourselves, all that does is make our lives easier because we have created the perfect audit trail to prove that we have spread awareness. Don't start yet another phishing simulation with a very generic landing page, because it just doesn't work. And here is the perfect example. Something we experienced last year.
We launched a phishing simulation to check who needs support and to follow through with trainings for those that need it. This is an example of one of those emails that we sent. It was seemingly sent by HR telling the employees, "Hey, you can get compensation for unused sick days." Sounds pretty tempting, doesn't it? And so it did for our employees as well. You all know the drill. They click on the link, a landing page opens. And let's take a look at this. We designed this perfectly by the book. We have our little logo in the top left corner, so we have our corporate identity.
We have four short facts about phishing. We have a catchphrase, "You fell into a trap," and we have a short little video. So what happened was this tempting email about the unused sick days and the compensation that you can get intrigued the employees. They reached out to HR and they said, "Hey, can you please give me help? I really want to be compensated for this." And the thing is, they had clicked, they were redirected to this, yet still they approached HR. They didn't even see it, let alone register what is going on. So it just doesn't work because it's boring. But what can we do?
What can we do differently? We need to make it shorter and more concise and to the point. Maybe something like this: "Nope, you weren't supposed to click on that," or "I won't tell anyone, but next time, think before you click." And now let's imagine that these weren't just random faces that I found on Shutterstock, but instead they're your CEO, they're your CISO, they're your team leader. Wouldn't that grab your attention and create the aha effect that we're all going for? So what's our solution? We are constantly trying to engage our employees and to involve them.
I'm pretty sure most of you probably have heard about the little cycle of inform, involve, inspire. But how do you actually do that for awareness? Informing is easy. There's so many different ways. All these beautiful tools that we can find on the market.
Alerts, posters, e-learning modules, audits, workshops, the list is long. But if there are so many different ways, then why is the desired message still not received? Because we put our company in focus, understandably so. We gotta involve them and make them understand that information security doesn't end when they lock their office door at the end of the day and go home. It follows them everywhere. So what if we involve them by telling them, "Uber was hacked last month. Please check your alerts, change your password and enable multi-factor authentication to protect yourself."
What if we told them about the latest DHL scam and that it's a threat to them? And the easiest way of involving people is to simply ask them: create a survey. Ask them, "What did you like? Which awareness measures were good for you?" So they approach you, to ultimately inspire them, so they share their ideas, so they approach you and so they live your measures. And then in the end you gotta wrap that up with nice incentives. And there, I guess, talking to other people from the industry, the opinions differ a little bit.
Some people go with a wall of fame and others go with a wall of shame kind of approach. I personally believe that a wall of shame approach is not the right way to go because again, they already don't like us. We're the ones that compromise their comfort for security. But what we really need is we need them to trust us. So they approach us when something does go wrong and they share with us. So I'm more in favor of a wall of fame approach where you recognize good behavior, you give them incentives for it, you reward them and this will ultimately also create a good kind of competitiveness.
So with this phishing campaign that I was just talking about from last year, we started with individual rewards. We asked the employees to report these emails to us, and whoever reported the most of them correctly won a voucher for a five-star hotel, a weekend away. Which was nice, but it wasn't quite working, because in the next cycle we started introducing a team reward for the team that had reported the most phishing emails correctly to us. And it created competitiveness.
There were channels opened up in our company, employees giving each other heads-ups to say, "Hey, I got this email, be aware, report it too." And this is spreading awareness. So how did we engage staff? We had this idea, which was, to be perfectly honest, born out of necessity. We are ISO 27001 certified. And just like any company that has gone through this process can confirm, the auditee starts sweating the most once the auditor gets up and starts walking around the premises.
And I'm not just saying that because our auditor refuses to use the elevator in our seven-story buildings. It's because the situation itself is unpredictable. You don't know. You've got all your ducks in a row, all your little audits, all your documents perfectly under control, but then they sniff out that one employee that just doesn't know what's going on. And so we had seven weeks. We were no different: in our readiness assessment, we got awareness as a weakness, just like most people do. And so we had seven weeks, and we thought, ah, what can we do? How do we make this work?
So we thought maybe we should role-play, you know, certain situations, what is important, in front of the departments. But since that was in the midst of COVID, that quickly put a stick into our wheel. Nobody's gonna get themselves tested or whatever just to attend a meeting. And then we thought, maybe let's do it on Teams. Broad audience, can reach a lot of people, but being honest with ourselves, everybody would just turn off their camera. Everybody would just mute themselves and do their emails, just like we all do, right? And so we thought, how do we blow minds instead of milk brains?
And we took this idea for role-playing and we thought, why don't we create an awareness video ourselves? We have the scenes, we have the scripts. All we need to do is pick some actors. And that's exactly what we did. We created this fun, different and truly ego-stroking experience, because, I mean, who wouldn't feel flattered if they got approached to say, "Hey, I want you for my awareness video." So let's take a look at one of these scenes. In fast forward, though. It's Susie's birthday. She comes to her office, sees her colleagues have her desk nicely decorated.
She takes a picture to share it on social media because she's really excited about it. She puts her phone away, reads a little bit, and then 10 minutes later her phone doesn't stop beeping. What is going on? And she takes another look at the image and she sees it. The phone is there: payments, confidential information, exposed. Too late. She deletes it, but there's no going back. So wrap that up with a couple of interesting thoughts to tell them and create this moment, because everybody can feel that, right?
So this also, I don't know if you saw this, I'm particularly proud of that: we had a balloon pop at the end of the scene, because that's exactly what you feel like. "Oh my god, I did something wrong. What am I gonna do now?" And so the takeaway of this is clearly a moment's carelessness can cause great resentment. Don't take pictures at your workplace. You may think that this is obvious and a given, but, I mean, let's be honest, how many times have you witnessed this? Too many. So what was our success? We made it personal, we made it fun.
We got real people involved and we inspired our colleagues. We got good feedback from the participants, we got great feedback from everyone that watched. Everyone loved it because it's relatable. It's their offices, it's their colleagues and it's incredibly awkward situations that nobody wants to end up in. So we managed to engage them with this. And remember that weakness from the readiness assessment of our ISO certification, we turned it into a strength during our certification audit.
Our auditor actually logged it as excellent awareness campaigns and technical implementation of those, which was wonderful. Let's talk a little bit about the process again. So how did we get this right? We picked real-life scenarios and real pain points. We made it fun and relatable and we chose the right key personalities from the organization, from different departments, because those people are the perfect multiplier. Who wouldn't talk about this?
"Hey, I was part of this awareness video, you should check it out." We actually asked the team leaders to watch this as kind of a team event. And it's not long, you know, it was just a five-minute video with different little scenes that anybody can relate to. And the beauty of picking the right people is that information security is now no longer your mission, it's theirs. They will live it. They have lived through that. And trust me, a short scene like this, 30 seconds or whatever that was, takes like three hours to film.
So this person had to endure a screw-up, living through a screw-up over and over and over again. She's definitely never gonna do that again. So our lessons learned are that there is no one-size-fits-all solution for information security awareness, unfortunately. Within the cycle of inform, involve, inspire, informing is the easy part, but involving them, inspiring and incentivizing them in the right way is what really works. You gotta personalize your measures and go the extra mile. Remember, when your employees are bored, they retain absolutely nothing. So make it fun.
Information security is a serious topic. So we just gotta work on making it more fun, down to earth, just more approachable, so it isn't this scary thing anymore that nobody understands. And so maybe at the end we have an idea for next year already on how to continue with this. Who here knows the American show The Office, or the German equivalent, Stromberg? Pretty sure everyone, even if you don't raise your hand.
So for The Office, imagine an information security Dwight Schrute in his volunteer deputy sheriff's office, finding a stray USB key on the floor, marking it with chalk, telling you a whole bunch of facts about USB keys, the dangers of it, and maybe also passwords. Or for the Stromberg fans here, just imagine the classic Stromberg not caring about passwords, getting into an awkward situation with their superiors. And then of course in the end, making some far-fetched comparison to something completely unrelatable.
Anyways, that's the idea for next year. Thank you very much for your attention. Thank you very much.
That was a fantastic presentation. I really enjoyed it. You delivered what you promised, you kept us entertained, you kept us engaged, so well done you, and well done on your campaign. I think there's a lot to be learned there. And please, I'm sure there must be some questions from this audience to Lena, to kind of learn from that great experience that she's just shared with us.
If you've not got a question to hand and you're thinking about that: the one thing you did a great job of telling us is how to involve the people, but could you tell us a little bit more about the management side, getting that involved? I mean, I know you mentioned you had an ISO certification, which is a great motivator, but generally, you know, what do you do on that side of things to get buy-in and support and so on?
Because, you know, not all leaders, all business leaders, are gonna buy, "Well, we're gonna just take three hours out of our day and have fun making a crazy video." Oh, we did. We had, I mean, all the people in our videos are leaders, because they understand that it's important. We constantly inform everyone about what is going on in the world, also sharing incidents that happen to other companies, like even third-party breaches and all that stuff. And so they're very willing.
And like I said, this is a fun and different experience and we haven't had any issues with that. Well, you're lucky that you don't have to sell it, or sell too hard. So if there are no questions in the room, please thank Kalina very much once again.
And yeah, join us for lunch and I'll see you back here for the leadership track at two o'clock.