Branding infosec: Why security should consider its own internal advertising campaign

If you want coworkers to support security, the first thing Nick Hilderman suggests is a positive attitude. “Security is often focusing on the negative aspects of things — on what could happen, the fear, uncertainty and doubt,” he says. Hilderman is senior security analyst at Finning International, a Canada-based distributor of Caterpillar equipment that is two years into an infosec advertising campaign. This campaign doesn’t market to customers. It’s an internal push to help Finning’s non-tech employees understand how important cybersecurity is.

Finning has long educated employees in security best practices. Before 2016, that education focused heavily on phishing — and was ineffective: Employees clicked through at above-average rates.

The emails also built resentment against security. “People often do not like [phishing campaigns],” Hilderman explains, “They feel tricked; they feel manipulated; they feel like you’re trying to attack them.” People who are already doing their best “fall for it,” he continues, just to learn they were tricked by their own employer. The larger goal is good, but the approach is not. “We’re just trying to educate you and people hate it,” he says.

So, Finning’s CISO Suzie Smibert took a hard look at security education and, according to Hilderman, “said ‘Let’s build upon what’s good and let’s make it amazing.’” Then the two went to work: brightly colored posters in the halls, a video series on the company intranet, regularly delivered e-newsletters.

“We said, ‘We need to come up with this marketing gimmick where people will see our content,’” he continues, and see it they did. Two years later, phishing clicks are below industry average and 75 to 100 employees serve as volunteer security ambassadors — employees from other departments “delivering out content to different groups in the different regions,” he explains.

Hilderman says those who hated security now advocate for it: “These individuals are actually going around putting up the posters for us. They’re standing in front of their team meetings.” Ambassadors, he continues, are actually so enthusiastic about infosec that this year, Finning will award one lucky worker the title “security awareness ambassador champion.”

Reward good security behavior

Raising this level of support at your workplace all goes back to being positive. “When we first started our click rates were quite high,” he reiterates. “That’s a negative metric, but at the same time we could roll it into a positive one.” Say your company’s phishing emails get a 25 percent click-through rate. Instead of focusing on the colleagues who failed, consistently congratulate the 75 percent who didn’t. Hilderman says this technique has pushed Finning’s phishing stat “well under the average failure rates for campaigns, and it didn’t take us that long to get there, so again it was that message of not highlighting the negative results but then showing the positive of it.”

When employees catch real phishing scams, congratulate them. Finning’s corporate controller recently received a scam email, but let security know immediately. Then, Hilderman says, security told everyone else: “[We] said, ‘Look at this. Our user, our corporate controller received this posing to be our CFO and CEO and he recognized it, and had he not recognized this, this could have cost us upwards of $300,000 to $400,000.’” The controller was lauded as a company hero, he continues, credited with having “stopped the attack before it even happened.”

Finning then took the congrats one step further and celebrated the controller’s success in a video, which serves as content for the company’s larger security marketing campaign. “We had our CISO on the same video just to talk about the importance of why this exists, and then we got it out to the masses and it was just an incredible thing,” Hilderman explains. “We want to show that our people are doing the right thing…Through that, people will start showing up, right? People will start doing the right thing.”

A consistent, adaptable approach to security education

Of course, it’s easier to do the right thing when you know what that is. Phishing employees to see what they’ll fall for is unfair if staff aren’t already aware of best practices. Infosec has a lot to cover, so Finning’s posters and employee newsletters choose a new topic to focus on each month, like online shopping safety or tax scam awareness.

Just like a magazine, security drafts an editorial calendar where issues are planned. Hilderman stresses that topics stay “adaptable” in case a major breach or vulnerability makes the news. Facebook/Cambridge Analytica, for example, is a hot topic he’s looking to address — specifically “tips on how to remove disclosure of your personal information online or secure it.”

To ensure information gets to all employees, Finning translates the newsletters into Spanish for the company’s South American locations. Translation isn’t easy, Hilderman admits, but the effort’s worth it: The controller who alerted security to the $300,000-plus scam speaks Spanish.

Working for a distributor of manufactured goods, Hilderman says, “Online security and online safety are often very much the same thing.” Advanced manufacturing is very different from traditional manufacturing where machines had to be replaced every time a new part was needed.

Today workers simply reconfigure a machine’s software so it can make something else. “We’re connecting machinery online,” Hilderman says, so Finning doesn’t just have to prevent data breaches, but also “physical safety risks” that could come from someone hacking company equipment: “We want to teach people to secure their information, their accounts, build strong passwords, watch what’s happening, because something as simple as a weak password could all of a sudden unlock the brakes of a machine.”

 “One of the first things I do when I come into a company is find their key values,” Hilderman advises, “What’s important to the company?” For manufacturers, that’s usually safety, so at Finning, that’s where security found a niche to prove value to corporate operations as a whole. When cybersecurity is intrinsic to core business functions, employees can better understand its importance. “[Security’s] message is easy to get. It’s the delivery and how to present it is what the challenge is,” Hilderman says.