Brightspot CIO, David Habib, found that by making security fun, he could build the most important security solution possible: a human firewall.
At Brightspot, we provide a Content Management System (CMS), and expert services to help global brands power their digital content experiences. Security is not just a checkbox for Brightspot, it’s core to our organization and spans people, process, tooling, and infrastructure.
Creating security-awareness and vigilance against potential attacks can be challenging in a dynamic and high-energy company like Brightspot. When done right, however, one can build a security-first culture, and unlock the power of your greatest defense - your employees.
So where do you start?
Well, this is how we did it.
When we kicked off our company information security awareness campaign, I started where I always try to start: What risk to the business and our customers are we trying to address? The threats back then, as now, included an alarming increase in social engineering attacks.
It’s my firm belief that the human firewall is the most effective deterrent against social engineering, in all its nasty forms, so we embarked on an awareness campaign focused on:
- The nature of the risk to the company (our company’s confidential information, your own, and that of our customers all need to be protected)
- The obligation of all of us as parts of a human firewall (watch, listen, and share)
- The specific threat of social engineering, and why that threat matters to us (we work with a lot of contractors, customers, and new hires who are always asking questions and needing access, making us a more likely target for social engineering)
- How to spot it, avoid it, and report it
That was the easy part. The core outcomes for the campaign were set, but they could only be realized if we could rally our employees to pay attention to the campaign. I am not naive to the fact that the velocity and momentum of a culture like ours can make it challenging to introduce something new and have it stick (particularly something that can feel like bureaucracy, as in security training).
The Otter of the Week
Brightspot, like a lot of companies, is a very heavy user of Slack; the #general channel is our usual place for minor company-wide updates, kudos, and shenanigans. Every employee is there, and I am a frequent …contributor in that channel: so I started there with what I called the Otter of the Week. (Otters catch phish, you see).
The Otter of the Week was an employee recognition thing, where on Friday mornings I would announce that week’s Otter. “Congratulations to Laine, this week’s Otter of the Week.” In the same message, I would outline what Laine had done to deserve such an honor (“Laine brought to our attention a new vulnerability in iOS”) and why that was important (“many of us use our phones and tablets to store and manage personal and company information, which we should work hard to prevent from being compromised”).
Was it corny? Yes. Was it an obvious ploy for awareness? Definitely.
You know what happened? People started asking why they weren’t the Otter. They’d come find me or someone else on the team and explain what they had done, and why it warranted them being the Otter.
Think about that for a second; what better measure of an awareness campaign than having people explain it back to you?
What we did then was formalize the Otter. KnowBe4, a security awareness training platform we’ve used for years for our information security and HR training, has a simulated phishing feature – a feature I had adamantly resisted for years because I don’t like “trying to trick your colleagues” as a method for “trying to get your colleagues to help.” However, if we turned it into a game…
We set up a monthly contest where the person who reported the most phishing emails, either legitimate ones or our simulated ones, won a prize - a gift card, in fact. The Otter of the Month got a lot of (Slack) fanfare, and often we’d showcase the most absurd or most convincing phish as a bit of unsubtle education. We also introduced an Otterable Mention for folks who did good stuff related to security, but unrelated to phishing.
Here’s what we saw:
- A double-digit percentage increase in the number of reported phishing emails over a 60-day period - reporting that helped inform our email filtering.
- A change in our KnowBe4 “Phish-Prone percentage” score from below industry average to above
- So much increased chatter about infosec that we had to make it its own channel in Slack, which is still one of the most active channels we have.
- A community identification of an increase in smishing (text phishing) targeting new employees, and a community-led campaign, taking after the phishing one, to keep folks educated and entertained (“there’s no way Meredith would misspell a word in an email like this”).
- Heightened awareness among the community about where to go with security questions or concerns.
The rest, as they say, is history: the little otter emoji in Slack got replaced by our very own cuddly otter mascot (courtesy of our design team) named Otto. Otto went on to play the leading role in our amazing program manager’s now-legendary Cyber Security Awareness Month, on stickers, on posters, on T-shirts. People love Otto, and they don’t mind if he’s bugging them about their security training.
None of this is to say that training, or message campaigns, or town hall meetings aren’t critical parts of an awareness campaign; they take work, they should be deliberate, and they have to be kept fresh. The chocolate coating of gamification, though, does make it go down easier.
We did have a few missteps along the way: First, not everyone wants to be publicly recognized, even for catching threats, so ask them first. Second, when your human firewall gets too good, and you need to crank up the difficulty of the simulations, people can get a little defensive and feel targeted. I go out of my way to announce when I fall for one of our simulated phishes (it’s happened a few times, I’ll admit) as an effort to underscore the one-team mentality.
Also, we didn’t make this mistake ourselves, but I have to say it: Don’t shame anyone. It’s counterproductive and will alienate the people you’re trying to reach.
By Dan Roberts