Going Beyond Compliance to Build a Culture of Security
Maru Group is an international organization with employees from Buenos Aires to Vancouver working with many of the world’s leading brands. With the increasing number of cyber attacks, especially coronavirus phishing scams, plus the need to maintain compliance requirements, security awareness training was a must-have.
In this case study with Senior Security Analyst, Omar Parbudin, learn firsthand about:
- Why they decided as an organization to pursue ISO certification and how they rolled out their security awareness program
- Ways they overcame initial objections from employees not wanting to do security training
- How they use Curricula with DeeDee as their cyber security culture leader
The good thing about Curricula is everyone is loving it. We love DeeDee. We try to sneak her in wherever we can as part of our security awareness training routine.
Like many information technology leaders, Omar was not the original decision-maker for his security awareness training software. Omar started at Maru as a help desk assistant and then grew with the organization as they scaled, acquiring multiple companies along the way.
As the organization grew, there was a big push for the company to obtain its ISO certification. One of the certification criteria is to have a security training program for employees. Since Omar had some experience in security awareness, he said he took ownership of the platform as Curricula’s administrator and ran with it.
The Main Benefits of Using Curricula
Beyond needing security training to check the box for compliance requirements, Omar cited another important reason: with phishing scams increasing by the bucketload, he understood how essential it was for his team to run phishing simulations along with Curricula’s animated training content.
“It’s a great, fun approach to learning that encourages education,” Omar said. “I knew we had this tool and had to push it.”
When it came time to roll out Curricula to their employees, Omar explained there was some initial pushback from the executive team all the way down to the end-users. “Employees said things like, ‘we don’t have time’ or ‘we’re too busy,’” Omar explained. “But once everyone in the company tried Curricula, they loved it!”
Ongoing Security Awareness Training
Building a culture of security means having a continuous program and recurring training schedule with new content consistently being delivered to employees. Omar explained that in addition to running the simulated phishing email tests, they send about 10 episodes a year. “We nix two high-volume months when people are on vacation,” he said.
Prior to sending out the new episode, they run an internal phishing campaign to set a baseline of where employees are in terms of security awareness.
“It’s a good way to show to our executives how this can compromise our organization. If I can catch them in a fake phishing simulation, imagine a real cyber attack.”
To tie it together, Omar and his team schedule their security training episodes on a quarterly basis. They also review the tickets that come in from their Help Desk team, such as whether people are remembering to change their passwords or need the help of IT, so that the security team can pick an episode tailored to what their users are saying.
“We always try to map out where this is all coming from,” Omar said. “The episode on gift card scams is a lot like what we’re actually dealing with in real life.”
From Curricula’s episode on Gift Card Scams — check out our library of security awareness training topics.
Security awareness training is not a one-and-done presentation. To truly have a culture of preparedness with employees who are on high alert to stop a potential phishing attack, IT needs to work in tandem with organizational leadership.
Omar and his team were successful in aligning everyone around the importance of doing cyber security training, then continuing to deliver content that kept employees engaged while also testing their likelihood to click on a suspicious email.
With DeeDee as their “sidekick,” the IT team at Maru has a strategy to bring everything together and create a culture of security.