How the introduction of Security Buddy increased users' cyber literacy by 25%

Who is Security Buddy

Most likely, you are familiar with the approach in HR: each new employee is assigned a buddy for the adaptation period, who introduces them to the team, answers questions about the company, and shows them a place where they can drink delicious coffee. Our hero performs the same role, only in the context of information security.

I think it's worth explaining the difference from another popular role – Security Champions. "Champions" are members of the development, DevSecOps and AppSec teams. They formulate and implement the company's approach to secure development. However, every company has other important teams: sales, marketing, analytics, HR, etc. Security Buddy comes to their aid, bringing the culture of information security to the masses regardless of department. For buddies to know the specifics of each team's processes and to be "one of their own," a buddy must sit in every team, not just in development – this is one of the key differences from Security Champions.

Security Buddy does not replace the information security team or technical support. The buddy's main task is mentoring and educational work on information security issues within the company. Without coercion and without nagging – mainly through networking.

And it works – our buddies are approached with many kinds of questions. For example: "What are the company's information security requirements and where can I find them?", "Can I use my own flash drive?", "Is it allowed to send this file to my personal email?", "Is this phishing or not? What should I do?".

These are the questions an employee most likely cannot Google the answers to, and would be embarrassed to ask through official channels – after all, they took the cyber literacy course and are supposed to know everything.

What difficulties have we encountered?

Our first difficulties arose at the stage of forming the Security Buddy team. This activity is not part of anyone's job description. You can appoint someone from a position of "I am the boss," but the effect of buddies who perform the role "for show" will be close to zero. We need energetic, proactive colleagues who are ready to share their energy and knowledge with others and genuinely enjoy doing so. How do you find and motivate them?

We drew our colleagues' attention to the problem of information security, told them about our initiative, found volunteers for our experiment and ran a selection process. To further motivate our buddies, we offered them external training in any area of information security at the company's expense, and also arranged for them to attend events as speakers and attendees. As an additional bonus, our buddies receive merch created especially for them (special thanks to our colleagues in marketing and HR for help with the implementation). And don't forget the intangible reward – gratitude from colleagues.

What's the result?

Let's get to the most interesting part – the results. Was the game worth the candle? Definitely yes. We have results for the first quarter, some of which we can share:

  • The number of employees who successfully completed cyber training increased by 24% compared to the same period before the introduction of the buddy. By the way, we recommend running cyber exercises at least once every three months; otherwise employees' vigilance gradually declines.

  • On average, 9 people approach a Security Buddy every day – and that is on an ordinary day. During a cyber exercise, a Security Buddy may be approached more than 40 times. This means that in the event of a real cyber incident, users will also turn to the buddy, which increases the likelihood of repelling the attack.

  • Users have become more active in reporting emails with signs of phishing to the SOC. These messages are not necessarily from criminals, but employees want to make sure they are safe.

  • Every employee of our company knows what Security Awareness means and why it is important for all of us.

In addition, buddies regularly give the CISO operational feedback "from the field," and we improve the protection of the company's digital assets with the peculiarities of real work processes in mind. Even when an organization's processes are well streamlined, a habit may emerge that contradicts current information security requirements. For example, someone transfers files to contractors via an external cloud. If the data is not confidential, the DLP system will not raise an alarm, but in the future such a habit may lead to a leak; it is safer to move this process to the corporate cloud. A buddy can highlight such risks early on.

It is important to remember that information security requirements are not always comfortable and can cause irritation and discomfort among users, and Security Buddy is cyber security "with a human face." Such an employee explains information security rules in plain language and builds colleagues' acceptance of the need to comply with them. Attackers' tricks become a regular topic of conversation, and spotting a phishing email turns into a competition over who will be the first to notice it and forward it to the information security team or a Security Buddy. As a result, employees are always on alert. Together with other cyber defense tools, introducing the Security Buddy role lets you minimize the likelihood of a successful cyber attack, because it addresses one of the main contributing factors – human error.

There is still a lot of work ahead of us: Security Awareness is a continuous process with no finish line. We are always looking for new ideas and approaches that help us improve the cyber literacy of our employees.
