Going Beyond Compliance to Build a Culture of Security
Maru Group is an international organization with employees from Buenos Aires to Vancouver working with many of the world’s leading brands. With the increasing number of cyber attacks, especially coronavirus-themed phishing scams, plus the need to meet compliance requirements, security awareness training was a must-have. In this case study with Senior Security Analyst Omar Parbudin, learn firsthand about:
- Why they decided as an organization to pursue ISO certification and how they rolled out their security awareness program
- Ways to overcome initial objections from employees who did not want to do security training
- How they use Curricula with DeeDee as their cyber security culture leader
The good thing about Curricula is everyone is loving it. We love DeeDee. We try to sneak her in wherever we can as part of our security awareness routine.
The Main Benefits of Using Curricula
Beyond the need to have security training in place to satisfy compliance requirements, Omar cited another important reason: with phishing scams arriving in ever greater volume, he understood how essential it was for his team to run phishing simulations alongside Curricula’s animated training content. “It’s a great, fun approach to learning that encourages education,” Omar said. “I knew we had this tool and had to push it.” When it came time to roll out Curricula to their employees, Omar explained there was some initial pushback, from the executive team all the way down to the end users. “Employees said things like, ‘we don’t have time’ or ‘we’re too busy,’” Omar explained. “But once everyone in the company tried Curricula, they loved it!”
Ongoing Security Awareness Training
Building a culture of security means having a continuous program and a recurring training schedule, with new content delivered to employees consistently. Omar explained that in addition to running the simulated phishing email tests, they send about 10 episodes a year. “We nix two high-volume months when people are on vacation,” he said. Before sending out each new episode, they run an internal phishing campaign to set a baseline of where employees stand in terms of security awareness.
“It’s a good way to show to our executives how this can compromise our organization. If I can catch them in a fake phishing simulation, imagine a real cyber attack.”
To tie it together, Omar and his team schedule their security training episodes on a quarterly basis. They also review the tickets that come in from their Help Desk team, such as whether people are remembering to change their passwords or need help from IT, so that based on what users are reporting, the security team can pick an episode tailored to that training need. “We always try to map out where this is all coming from,” Omar said. “The episode on gift card scams is a lot like what we’re actually dealing with in real life.”