Information Security award entry

This competition entry is for our achievements in capturing and maintaining the interest and attention of both internal employees and fellow professionals across the housing sector.

Our story

Catalyst Housing is one of the leading housing associations in London and the South East. We provide more than 21,000 homes, through both rental and home ownership opportunities. We provide a wide range of housing solutions and community development initiatives, working closely with residents and partners to meet local needs.

  • Catalyst’s leadership recognised the need to improve its information security posture and in 2014 employed Adrian Leung, Head of Information Security, as its first dedicated resource. Adrian instigated a comprehensive security programme covering the full range of people, policy and technological elements required to enhance Catalyst’s information security maturity.
  • It is well recognised that the actions of well-meaning employees account for a large percentage of security breaches. By recognising this fact and making knowledge and awareness activities a central strand of its security programme, Catalyst is looking to turn a weak link into an important first line of defence
  • Our approach is to encourage colleagues to adjust their behaviour by winning hearts and minds. We favour this approach over change driven by compliance alone as engaged employees are likely to maintain a higher level of ongoing awareness.
  • Each year, Catalyst holds a summer conference to bring all its employees together (circa 700 people). The conference is an important platform for communicating new and ongoing strategic messages. The primary channel on offer for delivering these messages is through video or, on occasion, activities in a ‘marketplace’ setting. We have used these annual opportunities to help us deliver on our objectives, to:
    • Promote and embed good information security behaviours
    • Position the Information Security team as friendly and accessible, and the subject as interesting, relevant and important – even fun – both at work and at home
    • Heighten engagement in information security (demonstrated through incident reporting, asking questions, attending workshops)
    • Increase assurance that our people will maintain continual awareness, will question potential threats and will have the confidence to report incidents quickly
    • Maintain a sustained focus over the long term

Our sector is not-for-profit, and while it does include some larger players there are also many small organisations for whom resourcing an information security function is a considerable challenge. Catalyst’s Head of Information Security has identified that the recognition of security as a strategic priority is generally immature throughout the sector. To help raise the profile of security within housing associations he has sought to provide sector specific networking opportunities (through the creation of the Housing Security and Privacy Forum), to enable and promote discussion, and to share experiences and good practice.

 

 

[Attached PDF: https://thepeerawards.com/wp-content/uploads/formidable/198/Catalyst-security-awareness-images.pdf]

A. Internal impact

  • We have seen increased engagement from colleagues across the business, demonstrated by:
    • The number of security related incidents reported (in particular, suspicious emails)
    • The number of issues and queries that colleagues are raising
    • Levels of participation in security related workshops (such as our phishing workshops and briefings on WannaCry)
  • In 2016, the Hackers Paradise video [attached above] brought the house down, and was acknowledged by our CEO and many others as the highlight of the day. We continue to use the video as part of our induction programme.
  • Over a two-year period, our click rate in phishing exercises has reduced from 33% to 11%.

B. Externally

Our Head of Information Security, Adrian Leung, is the founder of a Housing Security and Privacy Forum and regularly speaks at security related conferences and events. Whilst branded to Catalyst, the videos are relevant and reusable – either as-is or as a source for inspiration – by other organisations in the social housing sector.

  • Adrian has shown our videos at a number of conferences and events where he has been a speaker.
  • At least 10 other organisations from the housing sector have requested us to share one or more videos for use within their organisation.

A. Creating a visual identity and engagement style

  • With the help of a third party, we developed a visual identity and communication assets. The information security wolf, in various postures, has been a core part of our campaign’s visual identity and has been incorporated into all our videos, activities and resources.
  • Catalyst has a vibrant, diverse and informal culture, and we have kept this in mind when designing engagement materials.

B. Programme launch (2014) – Our journey from ‘good to great’ video

  • This was Information Security’s first exposure at our summer conference, and the team persuaded the organisers to incorporate a security time slot within the day.
  • The video was tied to Catalyst’s corporate theme of the time ‘good to great’ and illustrated how changes to the amount of data we handle, and the way that we handle it, made information security critical to our success

C. Introducing messages/behaviours (2014-2015) – leaflets, briefings, banners and workshops [please see PDF attached to entry description]

  • We developed a series of 6 easily remembered security habits, which we introduced through a series of quarterly campaigns.
  • Each topic was supported by a presentation and concertina leaflet
  • We used pull-up banners around our offices to heighten awareness
  • We supported our ‘Question It’ topic with ‘security at home’ workshops

D. Engagement year 1 (2015) – Shoot the wolf activity

Our 2015 conference included a ‘marketplace’ element, and our objective was to reinforce awareness of our 6 security habits in a fresh new way that would allow our people to engage with Information Security team members in a fun and informal setting.

  • We built a shooting target game based on our wolf character and security habits
  • Employees were invited to shoot at the targets with a Nerf gun and to participate in a simple quiz
  • Those who were successful were rewarded with sweets

E. Focus on phishing (2016-2017)

With increasing instances of phishing emails, along with a ransomware attack, we placed a good deal of emphasis on our ‘Question It’ habit and helping people to identify emails and links that could be malicious.

  • We have run five phishing exercises to date, where colleagues are sent a simulated phishing email. Through analysis and reporting we identify the number of colleagues who report the email, click the link or enter their credentials.
  • To facilitate the fifth exercise, we created an in-house tool which now enables us to run such exercises without the need to engage an external third party.
  • Following each exercise, colleagues who interacted with the email are invited to attend a phishing workshop, where phishing techniques are explained and tips are provided on spotting suspicious emails and links. These workshops are just as relevant to colleagues in their home lives as they are to work.

F. Engagement year 2 (2016) – Hackers Paradise music video [attached to Impact section]

As there was no marketplace in the 2016 conference, we secured a time slot to deliver a video, with limited centrally held resources to create it. We wanted to engage our people with something fun, memorable and relevant.

  • Inspired by an animation on YouTube, our team took up the challenge of creating a music video – a parody of Gangsta’s Paradise entitled Hackers Paradise.
  • A member of our team, with no songwriting experience, wrote lyrics incorporating our information security habits and created a storyboard for the video.
  • We auditioned colleagues from across the business to be vocalists and actors in the video, and included a role for our CEO
  • Using budget from the security programme, we engaged a third party to record/produce the video

G. Engagement year 3 (2017) – Tom’s dream holiday

The following year, we had no need to request an opportunity to be part of the conference. Instead, perhaps as a consequence of our success in 2016, we were actively invited to create a video, and were offered internal resources for its production.

In 2016, we had shown that education on identifying phishing emails was needed. We had also been the victim of a ransomware attack. We therefore wanted to emphasise the threat presented by phishing emails and the importance of reporting incidents quickly to enable damage limitation.

  • Again, we presented the story in an engaging way – this time as an animation.
  • In the opening frames of the video we created a visual link with Hackers Paradise by having our lead character (our Executive Director of Property and Growth) listen to music as he approached the office building.
  • All animated characters were recognisable as Catalyst employees

The attached PDF [in the entry description section] includes sample images illustrating various aspects of our awareness campaigns.

  • Find a visual identity for your programme that will readily transition between the topics you will cover and the various media/channels you may want to use.
  • Stay true to your organisation’s culture, language and strategic themes.
  • Tell your story through your people. It makes it more relevant, and makes your campaigns more memorable.
  • Use carrots, not sticks. By answering the question ‘what’s in it for me’ you will be able to bring about positive and sustained change.
  • Look to incorporate senior leaders informally and with humour, as an engaging way of implicitly demonstrating their commitment.
