With more than 1700 employees, operating across multiple sites, the professional services organisation recognised that a proactive approach was required to better manage the risks arising from the increasing number of malicious phishing and spam emails employees were receiving, and the threat this posed to sensitive data. Having recently combatted ransomware, the organisation wanted to prevent future, avoidable situations that can lead to costly and time-consuming remediation.
The Chief Information Officer (CIO) already had technical controls in place to protect employees, but recognised that, while prior cybersecurity education had achieved a small improvement, cybersecure behaviour was not sustained and employees lacked confidence in their ability to recognise and respond to malicious emails. This was impacting regular work duties: instead of confidently deleting malicious emails, employees were sending increasing volumes of them to the IT department.
“We were looking for an ongoing, effective solution because we’ve seen a lot of phishing activities coming to our business, due to the nature of the services we provide,” said the CIO.
Knowing that real change takes more than a single educational session, the organisation began researching more creative ways to teach cybersecure behaviours. Seeking a solution that would engage, educate and reinforce cybersecure behaviours over a sustained period of time, the organisation took an innovative step towards social engineering and explored a number of providers who offered more than just a static training experience. They concluded that the opportunity to test, to revisit areas requiring improvement, and to support and develop employees’ cybersecurity knowledge over the long term was a key requirement, and that it outweighed the ‘quick fix’ promises some training suppliers were offering.
“We were looking for something to make this a lot more real and less theoretical…” said the CIO.