EXXETA’s playful approach to building a safe corporate culture

Article by Benjamin Bachmann – CYBER WORKSHOP

Companies’ IT security fails make headlines.

The importance of cyber security is evident from the increasing coverage in the mainstream media. First, the encryption Trojan “WannaCry” appeared on all display boards in German railway stations. Numerous media outlets used these images to warn companies of their IT security failures. This trend is continuing: in December 2019, the University of Giessen gained nationwide media attention through the momentous attack by the malware “Emotet” on the university’s IT landscape. Emotet uses phishing e-mails to target the supposedly weakest link in the chain: the human being.

Even if a company’s IT landscape is equipped with modern technologies such as firewalls, Security Information & Event Management and clean vulnerability or patch management, the cyber criminals behind “Emotet” attack the weakest link in the chain: the employee. These attacks often begin with authentic-looking phishing e-mails, which the criminals use to exploit the inattention or lack of technical media competence of their victims and get them to unintentionally install malware. This way, the attackers often manage to access the company network with comparatively little effort and thus bypass most technical security measures.

Technology can be fortified easily; people need to be motivated and trained.

While it is true that computer technology can be armed against many attacks with the support of security software and hardware, this is not so easy for the people who develop, administer or use the application systems. If there is any security training at all, it is often boring compulsory training that is clicked away as quickly as possible because little practical knowledge is imparted. In addition to the lack of media competence, personal motivation is absent or only weakly present. Yet this is of central importance: employees engage with the learning content only if they have a personal interest in it. Without that interest, company data is probably treated just as dispassionately as a rental or company car.

The corporate culture must promote safe development, operation and use

So, if we want to make the IT landscape in a company secure, we have to look beyond technology and create a security-conscious corporate culture that naturally promotes the secure development, safe operation and safe use of IT through communication, cooperation and competition.

The Cyber Workshop is a gamified cultural change

This is exactly the kind of modern safety culture we build together with you. In our “cyber workshop” your employees can work on their cyber skills. Playfully, each employee starts with a poster and a box of postcard-sized task cards. Whenever the learner has time to learn, they can search the cards for an interesting task to work on. Each card explains the personal motives for the learning content. The card also describes a task and gives implementation advice on how to approach the goal. 

Finally, the card provides success criteria for the successful completion of the task. At regular intervals, the players meet at the workshop meeting to discuss current safety topics and the progress of the game. At this meeting, players and teammates decide together whether a task is considered completed. If this is the case, the player marks on their poster that they have already completed this task.

Once all tasks of a difficulty level and topic have been solved, the player receives a matching robot sticker, which is stuck to the designated place on the poster. With this upgraded robot, the employee can demonstrate their learning progress to their boss and colleagues in a prestigious way. Our experience shows that this prestige alone, together with the parlour-like design of the cyber workshop, makes other employees curious to play along and motivates everyone to continue playing and learning.

The workshop meeting becomes the cross-organisational security community

However, the workshop meeting is not only used to check individual learning progress. Rather, the actual goal is to build a safe community that meets, learns and works together – across organisational boundaries. Our EXXETA experts provide impulses on IT security basics or current topics through lectures in the workshop meetings, newsletter/blog contributions, videos and training courses. As things progress, lectures can be taken over by employees, or the security community can be opened up to the outside world, e.g. with meet-up events.

The need to adapt to target groups, corporate culture and guidelines

The Cyber Workshop supports the change in corporate culture towards a security-enhancing environment for IT developers, operators and users. For this reason, the Cyber Workshop must be adapted to the different groups as well as to your company. For this purpose, we check where tasks need to be adapted to your security guidelines and whether processes (e.g. “reporting a phishing mail”) or systems (e.g. “browser add-on adblocker”) should be introduced or adapted if necessary. Because different stakeholders in the company, e.g. HR staff and IT employees, face different risks and points of contact with IT security, we arrange the tasks for each group in a sensible way. On request, our graphic designers can also develop a custom design for the posters and cards to better reflect the company context. The robots could consist of parts of your products or take up elements of your company communication (mascots, personas).
