WannaCry and NotPetya, the devastating cybersecurity attacks that brought networks to a halt two years ago, shone a light on the urgent need for stronger security training and awareness. And businesses are paying attention: the drive towards upgrading beyond vulnerable systems and the push for swift, effective patching have made things better, albeit only at the macro level.

That’s why security consultants have been zooming in, asking leaders questions to help devise and deploy security improvements at a smaller, more human scale. Arguably, the most important question is, “Do you have a security team capable of detecting, responding to and instigating recovery from a breach?”

On the front lines

Employees are an organisation’s first line of defence. However, studies have shown that employees don’t fully see the goal and purpose of existing security policies, and they need skills training in order to comply. And different groups of people require different approaches — teaching sales staff how cybercrime works bears little resemblance to training a product developer in cybersecurity.

So, if we’re looking to fundamentally change awareness of the employee’s role in information security, we need to go beyond the traditional educational campaign. We must stand out. Speak today’s language. Make it fun.

On the hunt

Recently, a major financial services provider asked DXC to come up with a solution that fits these criteria. The challenge was not only to improve cybersecurity awareness, but to embed it into the corporate culture in a sustainable way.

With the pervasiveness of powerful smartphones and virtual or augmented reality in everyday life, people have become familiar, even comfortable, with roleplaying and video games. As a result, the concept of gamification has proven to be a powerful education tool, one where sessions don’t look or feel like training. Instead, they feel like an adventure.

Eyes out for the Phantom

The program revolves around a series of quests, where employees are hunting down an imaginary “Phantom”. Each quest is focused on a topic like phishing or handling sensitive data and quizzes the participants after a brief video. Participants get points for correct answers, and their results are tallied together on a leaderboard. If at least half of the participating employees answer correctly, they catch the Phantom in that quest. All quests come with a knowledge base, where employees can learn more about a given topic.

The social element of the program is one of the driving motors behind it. Becoming a Phantom hunter is voluntary, so employees encourage their coworkers to come and help, working collaboratively towards a shared goal. Seven quests have been completed so far, with new ones coming in every quarter. Continuity is key to a long-term change in behaviour.

Learning for the future

The program is considered a great success — employees are actively involved and enjoying themselves. Life-size cardboard cutouts of the Phantom have been placed in the building, and there are giveaways, stickers, brochures, presentations and articles in the employee magazine.

But more importantly, employees are embracing a safety culture and learning to practice conscious safe behaviour in everyday situations, as well as in risky scenarios. The increase in risk awareness has also led to the establishment of an “error culture”, teaching employees that mistakes can and will happen, but instead of stressing, we can always learn from them — and share our knowledge with the people around us.