According to IBM’s 2018 Cost of a Data Breach study, 27% of incidents it recorded were due to human error. To drive more secure behaviors and thinking amongst the employees outside the security function, and ideally reduce some of those human error-related breaches, a number of organizations are increasing efforts to raise education and awareness around security within the business to embed security in the company culture.
To reduce human error, Tui – a leading holiday group which serves over 27 million customers on vacation every year – has rolled out its own security awareness program to harness the creativity and energy of its non-security employees to spread the gospel of good cyber hygiene.
Take security back to your department, and back home
At the outset of its awareness program, Tui had a set of core ideas that it wanted to use as a base for informing the rest of the business:
- Make security instinctual.
- Make security relatable at home.
- Help the business understand their responsibilities and roles around securing their data.
“We naturally understand that we need to secure our homes, or to avoid poorly lit and lonely places at night,” says Matt Broomhall, CISO at TUI Group. “Cybercrime is just a new category of crime, and society has not developed the instincts to protect itself against cybercrime in the same way as other types of crimes.”
To help develop those instincts, Tui – which has thousands of stores across Europe and hundreds of hotels globally plus aircraft and cruise ships – has rolled out a company-wide security education and awareness campaign to “make information security part of everyone's life”, both at work and in their home life. That home and work viewpoint is an important part of the company’s thinking around the program, as good security behaviors in the personal realm will help protect the company as well as make it an easier sell when it comes to messaging.
“A good awareness program is about trying to make people more aware about how certain activities online come with risks to personal safety, and trying to develop those unconscious instincts so that security behaviors are naturally done like you would put a seatbelt on or lock your door as you leave the house,” says Broomhall. “If they're instinctive, those same behaviors will protect the company.”
“It's more powerful to appeal to a message of helping you protect yourself and your family at home. People can relate to the idea of wanting to protect their children or to not have their photos stolen in a ransomware attack.”
Another core part of Tui’s security awareness program is to drive home the idea that information security is not solely the job of the information security team, but a joint responsibility that each part of the business needs to own. “The infosec team are advisors to the rest of the business; security is part of everybody's job. If you start with that idea and tap into all other departments, it develops the buy-in,” Broomhall says. “If you are the HR director, you are responsible for making sure that employee data is securely processed. The security team is trying to make sure that the responsibility sits with the right people.”
Broomhall says he has been pushing this point by explaining that information is just another type of resource used to drive a commercial outcome, in the same way businesses use people, money, or physical equipment to drive commercial outcomes, and each comes with its own accepted set of responsibilities.
“Everybody knows that if you have a team of people, then a number of HR responsibilities come with that. You have to develop them, manage performance, set objectives etc,” Broomhall says. “It's the same with information. You need to make sure it's processed securely, understand what regulations might apply to that information type, ensure that it's appropriately secured, and so on. The security team provides you with tools and helps you with advice on how to properly secure it. But in the end, those responsibilities are yours.”
Creating a branded security awareness campaign
A positive message around security can be more effective than one of aggressive blame, and the Tui security team worked closely with other parts of the business to ensure the campaign's success.
“Together with marketing, we spent a lot of time on getting to the right tone of the campaign and the cultural fit,” Broomhall says, “and we had focus groups around it and things like that to make sure that it was going to land. We didn't leave much to chance.”
The first part of Tui’s awareness campaign was to create a new mascot to adorn promotional materials espousing the company’s core security principles. The campaign was led by Sol, a sun-shaped mascot designed in conjunction with the marketing team to accompany messages advocating good security, whether that’s thinking before you click on emails, protecting passwords, or keeping clear desks. The fact it was a feel-good sunshine character was an important and purposeful choice for the campaign.
“The character is friendly and fun and expressive; it's a brand that works in all geographies and in all languages. Think about your company culture and make it fit,” says Broomhall. “If we were to create a campaign with quite aggressive messages, it wouldn't work here.”
That messaging was rolled out across a whole range of channels: posters, people's computers, and digital screens around the offices. With it came a focus on one message at a time, initially phishing emails. Higher-risk parts of the business got more targeted messaging. Versions of Sol with messages in different languages were made for each of the 15 countries that the company operates in, and even beyond into some of its suppliers. It also adorns all manner of Tui-branded swag. “The Sol character and brand goes throughout our heart and policy and guidance framework,” says Broomhall.
How to launch a security advisors program
In addition to the internal marketing campaign, the company also launched a volunteer Information Security Advisors network. The aim is to recruit one person in every department in every geographical location who helps spread the message and goals of the security awareness program and drive better behaviors.
“In every group that we visited someone’s eyes would light up when we spoke about security,” says Broomhall. “We realized that there are a lot of people with passion about this topic throughout the organization…. That is where our information security advisory program started.”
Launched in 2017, the network has around 70 people. Potential candidates needed to fill out a short form explaining why they wanted to be a security advisor and what they thought they'd bring to the role. Broomhall says this was to ensure those joining felt an achievement that they were picked to take part, rather than signing up to a mailing list. Selected advisors were reminded of the company’s “golden rules” around security and made aware of the key changes the security team were trying to drive. Beyond that, the advisors were told to think about security within their own sphere of influence.
“We want them to be influencing within the parts of the business that they come from, so we also ask them to think about the particular challenges in their department,” says Broomhall. “If they're from an HR team, then we want them to be thinking about the particular challenges of protecting employee data.”
The idea is to create a community of security advocates or champions in each department, who act almost like first-aid representatives for cybersecurity. Instead of telling you how to lift with your knees or wear your high-vis jacket, they remind you of the cybersecurity necessities. “People receive advice more easily from people that are already in their team than [they would from] people that they don't know very well from another team,” says Broomhall. “We give them a license to be creative, but we also have someone from the security team from that local market there with them to nudge them in directions.”
One example of that creativity was a competition for staff to design security messaging stickers, which resulted in the idea of combining sensitive skin and sensitive data. “Even though that's a great bit of additional swag, it's really about getting teams together to talk about security, be creative about security, think about the concepts, come up with metaphors and design something which makes them think,” says Broomhall.
One of the most visible creations by the advisor community was a video around physical security and social engineering that saw a threat actor make his way into one of the company offices through tailgating and asking people. The team created it on their own time, and it has since spread across the company. “They produced a professional quality level video because within the group of volunteers in that part of our business there was an expert in video production, an expert in digital content, and an expert in social media,” says Broomhall.
Another example was a Valentine’s Day-themed event in one of the local offices, where the security advisor left heart-shaped chocolates on the desks of people who had failed to lock their computers while they were away, explaining their mistake. One person, who happened to be a member of the communications team, wrote a blog that was sent out internally explaining what the security advisor had done, and while pleased to receive chocolate, admitted it had reminded them to ensure they lock their computer when away from the desk. “We've found that being positive and friendly is the best way to get to people's hearts,” says Broomhall.
Security awareness is a full-time job
Some companies are beginning to make dedicated hires for full-time security awareness staff. Broomhall says that rather than allocating security education and awareness to an existing member of the security team, the task should be a permanent, full-time, dedicated role. “It shouldn't be a side project,” he explains. “There's an urgency around quite a lot of security work that can mean that the awareness work would never be quite as urgent as some of the other topics and therefore wouldn’t progress.”
Having it as a separate hire also means CSOs can have them as a senior member of the information security team, and therefore signify to the rest of the business the standing and importance of the role. It's also a completely different skill set that most within the security function may not be well-equipped for. Instead of understanding firewall configurations and security frameworks, awareness hires need to know more about Maslow's hierarchy of needs or the four stages of adult learning.
“It's not about technical information,” Broomhall says. “It's about organizational psychology, how to change behaviors, how to get communications messages right, how to appeal to the heart. I think that comes from a different profile of person.”
Whether searching internally or externally, Broomhall says CSOs should work closely with the HR team to find the right type of candidate with the right skillset. “It's quite likely that you will have someone already working in your organization with the right skills. If you've been driving any sort of change programs or transformational programs, you're likely to have people internally with the skills already.”
Best practices for security awareness programs
Broomhall says the advisor community is a force multiplier in terms of results compared to the time, cost, and effort put in. “Considering the relative size of investment to the relative kind of overall impact that it has,” he says, “I would almost argue that your awareness program is one of the most important projects within security. It also has an impact with stakeholders in many departments, and at senior levels because they see the campaign, and it makes it much easier to get their time.”
Broomhall has key advice for ensuring greater success around education and awareness schemes:
Make security awareness a full-time job: “A key critical success factor is to make it someone's full-time job who is entirely dedicated to this task and this task only; someone with high-level capability ideally with a psychological interest, rather than necessarily technical interests.”
Work closely with the rest of the business: “If we'd have gone away and created a campaign that didn't have the look of a professional quality and it didn't fit with our brand, then we would have had so much more difficulty in making it highly visible in our office space.” For the Sol campaign, the security team worked closely with marketing. For the advisors campaign, the security team had the support of the local CIOs. “Better to have those teams involved from the beginning and giving input than to try and bring them in at the end when you want to start publishing your stuff. That makes a big difference.”
Make the tone and theme fit your company culture: “A really important point is the cultural and thematic fit with our company. We're a holiday company and for us the sun character really resonates. That's something to really think about; how to make sure any awareness program fits in with the culture of the company.”
Connect to emotions: “People care about their families, usually more than they care about the organization that they work for. Yet the behaviors we’re trying to change are pretty much the same. Messages will resonate more if they think that this will help them protect their loved ones.”
Focus on changing one behavior at a time: “To change someone's behaviors and instincts it's always better to be banging the drum over and over about one thing until that's good enough and then switching on to the next one.” After an initial focus on phishing, Broomhall says the scheme is shifting to password management and encouraging greater use of password manager tools within the company.
Measurement is important: After the campaign focusing on phishing, the company saw the open rates of its phishing test email drop drastically. Measuring KPIs around specific behaviors allows you to quantify the impact of the awareness campaign. “Having a baseline click rate, having a target click rate was important. You need something hard to measure whether it's been successful.”