Lights, camera, action! Making information security memorable and fun

Stay true to your organisation’s culture as you tell your story; engage your people with relevant yet informal messages to promote and embed positive change.

This competition entry is for our achievements in capturing and maintaining the interest and attention of both internal employees and fellow professionals across the housing sector.

Our story

Catalyst Housing is one of the leading housing associations in London and the South East. We provide more than 21,000 homes, through both rental and home ownership opportunities. We provide a wide range of housing solutions and community development initiatives, working closely with residents and partners to meet local needs.

  • Catalyst’s leadership recognised the need to improve its information security posture and in 2014 employed Adrian Leung, Head of Information Security, as its first dedicated resource. Adrian instigated a comprehensive security programme covering the full range of people, policy and technological elements required to enhance Catalyst’s information security maturity.
  • It is well recognised that the actions of well-meaning employees account for a large percentage of security breaches. By recognising this fact and making knowledge and awareness activities a central strand of its security programme, Catalyst is looking to turn a weak link into an important first line of defence.
  • Our approach is to encourage colleagues to adjust their behaviour by winning hearts and minds. We favour this approach over change driven by compliance alone as engaged employees are likely to maintain a higher level of ongoing awareness.
  • Each year, Catalyst holds a summer conference to bring all its employees together (circa 700 people). The conference is an important platform for communicating new and ongoing strategic messages. The primary channel on offer for delivering these messages is through video or, on occasion, activities in a ‘marketplace’ setting. We have used these annual opportunities to help us deliver on our objectives, to:
    • Promote and embed good information security behaviours
    • Position the Information Security team as friendly and accessible, and the subject as interesting, relevant and important – even fun – both at work and at home
    • Heighten engagement in information security (demonstrated through incident reporting, asking questions, attending workshops)
    • Increase assurance that our people will maintain continual awareness, will question potential threats and will have the confidence to report incidents quickly
    • Maintain a sustained focus over the long term

Our sector is not-for-profit, and while it does include some larger players there are also many small organisations for whom resourcing an information security function is a considerable challenge. Catalyst’s Head of Information Security has identified that the recognition of security as a strategic priority is generally immature throughout the sector. To help raise the profile of security within housing associations, he has sought to provide sector-specific networking opportunities (through the creation of the Housing Security and Privacy Forum), to enable and promote discussion, and to share experiences and good practice.

Attached PDF: https://thepeerawards.com/wp-content/uploads/formidable/198/Catalyst-security-awareness-images.pdf

A. Internal impact

  • We have seen increased engagement from colleagues across the business, demonstrated by:
    • The number of security-related incidents reported (in particular, suspicious emails)
    • The number of issues and queries that colleagues are raising
    • Levels of participation in security-related workshops (such as our phishing workshops and briefings on WannaCry)
  • In 2016, the Hackers Paradise video [attached above] brought the house down, and was acknowledged by our CEO and many others as the highlight of the day. We continue to use the video as part of our induction programme.
  • Over a two-year period, our click rate in phishing exercises has reduced from 33% to 11%.

B. Externally

Our Head of Information Security, Adrian Leung, is the founder of a Housing Security and Privacy Forum and regularly speaks at security-related conferences and events. Whilst branded to Catalyst, the videos are relevant and reusable – either as-is or as a source for inspiration – by other organisations in the social housing sector.

  • Adrian has shown our videos at a number of conferences and events where he has been a speaker.
  • At least 10 other organisations from the housing sector have requested us to share one or more videos for use within their organisation.

A. Creating a visual identity and engagement style

  • With the help of a third party, we developed a visual identity and communication assets. The information security wolf, in various postures, has been a core part of our campaign’s visual identity and has been incorporated into all our videos, activities and resources.
  • Catalyst has a vibrant, diverse and informal culture, and we have kept this in mind when designing engagement materials.

B. Programme launch (2014) – Our journey from ‘good to great’ video

  • This was Information Security’s first exposure at our summer conference, and the team persuaded the organisers to incorporate a security time slot within the day.
  • The video was tied to Catalyst’s corporate theme of the time ‘good to great’ and illustrated how changes to the amount of data we handle, and the way that we handle it, made information security critical to our success

C. Introducing messages/behaviours (2014-2015) – leaflets, briefings, banners and workshops [please see PDF attached to entry description]

  • We developed a series of 6 easily remembered security habits, which we introduced through a series of quarterly campaigns.
  • Each topic was supported by a presentation and concertina leaflet
  • We used pull-up banners around our offices to heighten awareness
  • We supported our ‘Question It’ topic with ‘security at home’ workshops

D. Engagement year 1 (2015) – Shoot the wolf activity

Our 2015 conference included a ‘marketplace’ element, and our objective was to reinforce awareness of our 6 security habits in a fresh new way that would allow our people to engage with Information Security team members in a fun and informal setting.

  • We built a shooting target game based on our wolf character and security habits
  • Employees were invited to shoot at the targets with a Nerf gun and to participate in a simple quiz
  • Those who were successful were rewarded with sweets

E. Focus on phishing (2016-2017)

With increasing instances of phishing emails, along with a ransomware attack, we placed a good deal of emphasis on our ‘Question It’ habit and helping people to identify emails and links that could be malicious.

  • We have run five phishing exercises to date, where colleagues are sent a simulated phishing email. Through analysis and reporting we identify the number of colleagues who report the email, click the link or enter their credentials.
  • To facilitate the fifth exercise, we created an in-house tool which now enables us to run such exercises without the need to engage an external third party.
  • Following each exercise, colleagues who interacted with the email are invited to attend a phishing workshop, where phishing techniques are explained and tips are provided on spotting suspicious emails and links. These workshops are just as relevant to colleagues in their home lives as they are to work.

F. Engagement year 2 (2016) – Hackers Paradise music video [attached to Impact section]

As there was no marketplace in the 2016 conference, we secured a time slot to deliver a video, with limited centrally held resources to create it. We wanted to engage our people with something fun, memorable and relevant.

  • Inspired by an animation on YouTube, our team took up the challenge of creating a music video – a parody of Gangsta’s Paradise entitled Hackers Paradise.
  • A member of our team, with no songwriting experience, wrote lyrics incorporating our information security habits and created a storyboard for the video.
  • We auditioned colleagues from across the business to be vocalists and actors in the video, and included a role for our CEO
  • Using budget from the security programme, we engaged a third party to record/produce the video

G. Engagement year 3 (2017) – Tom’s dream holiday

The following year, we had no need to request an opportunity to be part of the conference. Instead, perhaps as a consequence of our success in 2016, we were actively invited to create a video, and were offered internal resources for its production.

In 2016, we had shown that education on identifying phishing emails was needed. We had also been the victim of a ransomware attack. We therefore wanted to emphasise the threat presented by phishing emails and the importance of reporting incidents quickly to enable damage limitation.

  • Again, we presented the story in an engaging way – this time as an animation.
  • In the opening frames of the video we created a visual link with Hackers Paradise by having our lead character (our Executive Director of Property and Growth) listen to music as he approached the office building.
  • All animated characters were recognisable as Catalyst employees

The attached PDF [in the entry description section] includes sample images illustrating various aspects of our awareness campaigns.

  • Find a visual identity for your programme that will readily transition between the topics you will cover and the various media/channels you may want to use.
  • Stay true to your organisation’s culture, language and strategic themes.
  • Tell your story through your people. It makes it more relevant, and makes your campaigns more memorable.
  • Use carrots, not sticks. By answering the question ‘what’s in it for me’ you will be able to bring about positive and sustained change.
  • Look to incorporate senior leaders informally and with humour, as an engaging way of implicitly demonstrating their commitment.