COVER STORY
going unopened and blogs being
ignored, Hield said. This meant that
his team couldn’t truly demonstrate
that they were training their employees
and were therefore uncompliant with
regulations that required cybersecurity
training, like GDPR.
Hield then changed things up by giving
one-hour presentations to staff at
different sites, but many did not have
suitable locations where he could
train everyone at once. He then set up
smaller, interactive sessions, where he
trained six to eight people at once.
This was effective but with 5,500 IT
users across 400 plus sites in the UK
and Ireland, and a team of around three
people, it was not logistically viable.
He started looking into cybersecurity
training software and demoed solutions
from two leading brands by asking
people from HR, finance and IT to try out
the different types of training and give
him their feedback.
Overwhelmingly, the trial users preferred
Wombat Security Technologies’ solution
because Wombat’s interactive, step-
by-step modules were more engaging
than the other company’s video-based
modules, which end users found overly
technical and hard to engage with at
their desk.
He said: “Our goal when we develop
training is to really make it as
approachable as possible. We didn’t
want them to be intimidated.”
Hield started implementing Wombat’s
solution in May and June 2017.
He began his first campaign by sending
an introductory email to everyone inviting
them to complete mandatory ‘security
essentials’ training, as well as letting
them know that they could try out other
optional training modules.
www.intelligentciso.com | Issue 09
In the first week, 1,200 modules were
completed, belonging to both the
compulsory and voluntary module set.
Hield gave the company three months to
complete the compulsory training and
with just a polite monthly reminder, 80%
of users completed the training.
He said he was pleased the department
leads acted as stakeholders during the
campaign, with many asking for a list of
names of those who hadn’t completed
training so that they could personally
incentivise them to do so.
Apart from the resounding success of
the compulsory campaign, Hield said
he was highly impressed with how
many end users completed voluntary
training – from June to December 4,120
voluntary modules were completed. 100
staff members even did every module
available. Mobile device cybersecurity
was a particularly popular voluntary topic.
Hield ran a mock phishing attack on his
users during Veolia’s internal Cyber and
Physical Security Week – 700 people
out of 5,300 email addresses targeted
clicked on a link within the email.
Because this number was already
relatively low, Hield decided to challenge
his users during the next mock phishing
test. He used an attachment-based
simulation and more corporate-looking
emails – this saw more people falling for
the test who hadn’t before.
So, having identified the problem, he
applied an instant solution by planning
the next mandatory education model to
be ‘avoiding dangerous attachments’.
The ROI of the training has been
immense, with the equivalent of 250 entire
days of training being delivered between
June and October 2017 – an impressive
number considering that the modules only
take around 15 minutes to complete.
Hield presented Veolia UK and Ireland’s
cybersecurity training campaign to his
contemporaries at a global security
summit in France and they were blown
away – with Hield at the helm, the rest of
the organisation looks set to roll out this
high level of cybersecurity training and
awareness globally.
He added: “It also works well on the
phone – everything is mobile responsive.
We can see the main difference and it
ticks all the compliance boxes as well
which is important for us. It really works
for us.”