Find out more about recent customer cases:
- Using Game Play for building Awareness (Veiligheidsregio)
- Security Awareness Programme (Tintentgroep NL)
- Building Awareness through e-learning strategies (Vestia)
Engaging staff in awareness training can sometimes be difficult. The topics can be seen as ‘dull’ and training materials from some provides is ‘dry and boring’. That’s why we at Eurofins like to find ways of engaging with our clients and creating more exciting propositions. So when the management team of Veiligheidsregio came to us to discuss Awareness training we decided the best course was to get them involved in the serious game of Alcatraz.
Underpinned by the principles of awareness this game encourages participants to start with hypotheses about information security. They then assumed specific roles that saw them take sides in policy, processes and their behavior. As a company we have now played the serious game Alcatraz with more than 125 teams.
Serious Game Alcatraz with Veiligheidsregio
It is considered that in 70% of cases human interaction is the cause of security incidents. Therefore it is this element that needs to be closely examined. Why do people compromise security? And how can we best negate the impact? The game of Alcatraz has been developed to raise the information security awareness of both employees and managers. It sees staff members challenged to take sides on the prison island of Alcatraz in an interactive game situation.
Objective of the game
The participants get to work in small groups (6 people per table with a maximum of 42 people per session) in a workshop with hypotheses about information security. The game pays attention to the different roles and responsibilities of the participants. During and after the game they will draft joint actions and rework these into a report. This way managers as employees are involved in creation a plan of action and support for the desired outcome emerges.
The awareness program for the management team of Veiligheidsregio saw multiple teams taking part in Alcatraz sessions and demonstrably raising their level of awareness.
To ensure that the knowledge gained in playing the game was consolidated and recognized in a way that could be implemented in the business, it was supported by an interactive workshop and onboarding e-learning. All these facilities were provided by and delivered by Eurofins Cyber Security.
Find out more about our Awareness Services.
How do you ensure that each of your 650 employees get appropriate awareness training in and privacy? Tintengroep, a Dutch company that specializes in social work, started with our security awareness program.
Tintengroep: experts in social work
Tintengroep specialises in the critical roles of social work, foundation stage education for toddlers and child care support. And not just children. Their clients range from 0 to 100 years old.
Awareness of information security is key
Information security and privacy are two main pillars in the strategy of Tintengroep, and is an essential requirement when working with clients who could be vulnerable and at risk.
As the employees constantly work with personal data there is the need to learn how to safely handle all data. Staff members need to be aware of data threats and have resilient and robust solutions in place to address any potential problems. Ensuring that company and personal data are stored safely is a time consuming process so it is important that everyone fully understands the need for the highest levels of safety and that an environment that values the development of risk awareness is fostered.
Building blocks of the security awareness program
The security awareness program consists of following building blocks and objectives:
- Phishing test (field test of behavior): To measure the current level of awareness and identify any immediate risk areas
- Interactive workshop and presentation: To raise awareness on the purpose and necessity of information security and to give advice
- E-learning programme: spread over three years, with different modules adapted to match recognizable work situations and designed to develop the required knowledge, skills, attitude and behavior
- Evaluation and follow-up: To update the security awareness program and keep all the staff members aware of progress.
We focused on the development of risk awareness with the ultimate goal of a demonstrable change in behavior. We have developed our own assessment method to accurately measure starting points and progress towards agreed goals. This way we can measure the effectiveness but it also allows us to create a risk based planning for the next period in time.
Lasting improvement based on a risk driven approach
To achieve a lasting impact on improved safety and security major tasks were broken into smaller manageable activities. We start with presenting a general introduction in the first year and continue with specific risks projects across three or four areas where improvement is sought in the following years.
Awareness interventions do not only measure behavior but they also play a big part in delivering the necessary underpinning knowledge, in positively influencing the attitude and making adjustments in behavior. Our awareness interventions are:
- Based on recognizable work situations
- Delivered as short interventions as part of the daily job routine
- Partly confronting or emotionally loaded
- Interactive and based on games-style learning strategies.
Interested in security awareness?
Then we need to talk. During an introductory meeting we analyse together the current state of your information security and privacy. Afterwards we built an effective security awareness programme together with you fully customized to your situations and your business model.
Vestia is a company that puts a high value on information security. The company’s management recognized a need to raise the level of awareness in information security and found a solution in the delivery though our e-learning offering.
Why did Vestia integrated e-learning in their awareness program?
We were looking for a flexible and always-available educational delivery system that is easy to implement and flexible, easy accessible and approachable for every employee. We were also looking for a measurable and controllable approach. E-learning combines all these requirements.
We chose for Eurofins Cyber Security because of their flexible and approachable way of working. Our employees have access to the platform 24/7 without complex access requirements and via a dashboard we can monitor their progress.
Furthermore, we were also looking for a partner who could deliver the e-learning in the e-learning industry-standard SCORM files and we wanted to be involved in the content of the modules. This way we could tie these into recognizable work situations. Eurofins scored highly on all these criteria and it did not take long for the company to adopt Eurofins as its e-learning partner.
How is your experience with the e-learning modules?
We have received only positive feedback from our staff. We did often got questions and feedback which we incorporated in new versions and new modules. We have tested each module with the user groups before going live. This way we could easily develop the modules to be particularly appropriate for our staff.
A particularly useful feature was the short duration of modules, which took only 10 to 15 minutes to complete – employees can do one whenever they have a some free time.
Another advantage of e-learning is that it incorporates recognizable situations the user will also find useful in his own personal environment. The phishing module for example was useful for a colleague who received a phishing email at home. He now knew how to recognize a phishing email and how (not) to respond.
How do you ensure the e-learning course is successful?
The e-learning is a mandatory course for our employees, and for consultants. In cooperation with our HR Department all new colleagues are invited to follow the e-learning modules.
We often check who hasn’t gone through the modules yet. Currently that 95% of our employees have followed the course. The modules are rolled out in phases of 6 months to ensure everyone has followed the previous module ahead of the next one being rolled out. Another advantage is that all the modules stay relevant as we can adapt them to current events.
Which challenges have you faced?
Making the course mandatory has been a big step for us. Following the course does not implie that you will change your behavior. In some cases we get requests to redesign a course or a module. By raising awareness we want to change behavior of our colleagues in information security. As everyone has a different motivation, it’s a lengthy process but one that is ultimately very successful.