A large, well-established tech enterprise with over 10,000 employees is one of the latest companies to change their approach to security awareness training by delivering people-centric security training from Elevate Security. As a global enterprise, security is a priority, but rolling out security training across their offices has been a big challenge.
If my users like the training, and if they can use it in their day-to-day job, that’s a win. But with our existing security training, we had no way of measuring its effectiveness or what employees thought of it, and customizing training to different user groups was a completely manual and extensive process.
—Sr. Information Security Program Specialist, Elevate Security customer
For years, the company used a web-based security training tool, which involved 30-minute videos and questionnaires to grade comprehension. But year after year, users were making the same mistakes, like clicking on phishing links. Each year they’d create the training content, a process that involved working with many different stakeholders across the company. But once employees were on the system, the security team lost visibility. The only metrics they could see were checkmark completion rates. They had no sense of employees’ answers, how they liked the trainings, or any other insights that would be useful in developing a better security awareness program.
Once training was rolled out, many employees would forget to take it, or avoid taking it, meaning the security team had to follow up with various managers to notify them. Sometimes this required months of follow-up. And anytime they wanted to refresh their content, they’d be looking at a three- to six-month-long project, requiring a lot of person-hours that could have been put towards higher priority security projects. Even after developing new training, they had no way of knowing how effective it was.
Employee Feedback: The Wake-Up Call
“Our users didn’t like the security training we created because they didn’t think it was useful, informative, or respectful of their time,” explained the company’s security specialist. Half of their employees are technical, but the training they provided was far too basic. The security team realized that they needed advanced training for technical users and basic training for everyone else. Additionally, satellite offices didn’t get the same training experience as headquarters did, so the company needed a scalable solution that could give everyone the same experience — no matter the location.
Taking a Different Approach to Security Training: A Simulated Experience
The security team wanted something that would really catch the attention of their users. “When we first heard of Hacker’s Mind by Elevate Security, we liked that it actually taught users how hackers think and what the impact could be to them,” their security specialist said. “You can feel it in your skin during the game.” She added, “There is nothing like Hacker’s Mind on the market, so we jumped on it right away.”
Hacker’s Mind simulates real-life security experiences by putting employees into the mind of an attacker. A team-based gamified experience, Hacker’s Mind showed employees real news headlines with their company name in them, bringing the story to life. Users then discussed as a group why these attacks could be damaging to the company. This internalized the attack, bringing it from theory to reality. They then learned how attackers execute attacks like phishing, malware, tailgating, and social engineering, and why they’re so successful — often due to a lack of awareness.
From there, employees got to become the attackers by planning a real attack. Everyone in the room voted on which attack was the best, incentivizing them to truly put into practice what they learned and execute a practical plan. “We gave out what we call ‘Hacker’s Hoodies’ to the teams who won, and everyone else who participated got a t-shirt,” the company’s security specialist reported.
Employee Feedback: An Overwhelmingly Positive Affirmation
“People loved Hacker’s Mind!” the security specialist reported enthusiastically. The company rolled it out during a 3-day security training event, which included short talks and a happy hour where Hacker’s Mind was played. “After the first group played, they told everyone else about it and the next day attendance tripled — some even came back to play it again!”
“I’ve done a LOT of security training and I’ve never seen people come back again,” she continued. One employee even asked to lead an upcoming training session, as Hacker’s Mind can be led by anyone, not just a security employee. This is what makes Hacker’s Mind so scalable — as long as there is a security champion, it can be rolled out anywhere, and without the overhead of security staffing. “Within a few minutes, she was perfectly comfortable facilitating the training; it required only a bit of security knowledge to run.” Their long-term goal is to have a security champion in every office who can help to build the security culture and roll out Hacker’s Mind. “We want people to think of security as the most important thing in our company,” she said.
A Big Win for the Company’s Security Team
Being open-minded and taking a different approach to security awareness training paid off for this tech enterprise. “We saw a difference in the user experience, feedback from employees, and even the level of awareness we’re measuring,” explained their security specialist. In fact, after participating in Hacker’s Mind, employees were five times more likely to detect and report a phishing attack than those who didn’t go through the training. Not only was it fun for them to do, but it also had a measurable impact! “We’re trying to build a security culture that makes people think differently about security, not just to check a box,” she added.
“Hacker’s Mind has completely streamlined and scaled our training, our security team finally has the visibility and rapport we’ve needed, we can directly measure the results through phishing tests, and my job has become a whole lot easier,” the security specialist expressed. Since using Hacker’s Mind, their security team has learned where their users’ weaknesses are, which is helping them improve their training program. They can view real-time metrics right in Elevate Security’s admin dashboard, making it very easy to see the big picture.
“We can now deliver something that our users truly need and want,” she concluded.