


by Anthony Caruana

AusCERT 2017 – Cyberheroes – saving your business one byte at a time

May 31, 2017 | 4 mins
Access Control, Careers, Data and Information Security

We have all sat through the standard company training on cyber-security. It usually starts with an hour or two trapped in a packed seminar room, surrounded by colleagues pretending to take notes but really playing Words With Friends on their smartphones, followed by bad coffee and slightly stale pastries.

Peter Vanheck, from Central Queensland University, wanted something different. Rather than the annual compliance-focussed “tick a box” training, he wanted to work with his team to develop an ongoing program that engaged the university community and made cybersecurity something everyone was aware of. But he wanted to do it in a more engaging way than traditional training.

During the 2017 AusCERT conference, Vanheck explained how he did this with his team. By taking a multi-disciplinary approach that used the skills of the broader CQUni community, he created a cyber awareness and education program that has transformed how people work at the university.

Vanheck’s journey in developing the Cyber Heroes program began with a request for him and his CIO to present on cybersecurity to the board. Sitting in the foyer, a few minutes before their presentation, it dawned on Vanheck that the presentation they had prepared was flawed. The problem wasn’t the content – it was the focus. They approached the presentation from a technical point of view.

“I was sitting there, going through the presentation in my mind. I looked at my CIO and said to him ‘I think we’ve got this wrong’”, said Vanheck.

Vanheck advocated a “human firewall”. The idea was to engage everyone at CQUni in cybersecurity. Despite doing everything they could at a technical level, Vanheck was still seeing issues created by people plugging in infected USB drives and clicking links in emails. He knew people were the key.

“We needed something that was different. We needed something that was creative. We needed something that was simple. Something that would make a difference,” said Vanheck.

After several months of attending conferences and consulting with experts he knew he needed to look outside the traditional information security community. The creativity he wanted wasn’t something he saw in his IT workforce.

Realising he needed the most creative people he could find, he established relationships with other executives within CQUni. That led him to work closely with marketing and other creative people.

“The buy-in I got from those people from this simple cybersecurity message made a real difference to the program”.

The program Vanheck embarked on wasn’t all smooth sailing. After investing time and money with an external marketing organisation, Vanheck abandoned the idea they brought to the table of a cybersecurity mascot personified in an octopus.

But he didn’t give up. He maintained a focus on specific, short messages that were important but needed a way to present those messages.

At the same time as coming across some simple posters that presented those messages, the blockbuster superhero movie, The Avengers, was released. And those ideas came together.

Vanheck developed the CQUni Cyber Heroes. Each of the five heroes was played by a member of the IT department; they were more than happy to don lycra and wear costumes, said Vanheck. Each hero represented a part of the security infrastructure and was used to present simple messages in posters and short online videos.

This resonated with the CQUni community and resulted in a measurable benefit.

In the months preceding the introduction of the Cyber Heroes program, successful phishing email attacks numbered around 50 per month. That dropped to 15 in the first month after the program and, importantly, continued to fall to fewer than five – a level that has held for many months.

Vanheck said there were some important take-home messages that came from the CQUni project. You need to find the most creative people you can, keep messages simple and use several types of media to engage people.

Make the program relevant and personal to the people you are targeting and develop awareness training to accompany the creative campaign.

By collaborating widely you can inspire people, he said. And by connecting with people across the organisation, Vanheck says he has made IT security part of the CQUni culture.