As seen on Intelligent CISO...
Veolia is the global leader in optimised resource management and has 163,000 employees worldwide. The company designs and provides water, waste and energy management solutions that contribute to the sustainable development of communities and industries.
In his previous role as IT Quality Manager, John Hield focused on improving IT processes so they could adhere to a multitude of compliance standards. With time, he found himself more involved with information security as compliance and infosec intertwined, and in 2010 he was promoted to Infosecurity and Compliance Manager.
Hield found that the steps the business needed to take to comply with regulations, and the steps it needed to take to protect against data breaches, were often very similar.
Hield is known as a cybersecurity and compliance mentor for all within Veolia UK and Ireland. For example, a large part of the business is run by independent contractors, whom he works with personally to ensure that they understand relevant regulations and are working in a safe and compliant way.
He is also on Veolia’s UK and Ireland Risk Committee, is a member of the Global Cybersecurity Team and works in unison with his counterparts from around the world to maintain Veolia’s reputation as a leader in cybersecurity and compliance. He has spoken as an industry leader at several external events in the last year, ranging from the Gartner Security and Risk Management Summit to Whitehall Media’s Enterprise Cyber Security event.
This is alongside regular speaking engagements that John holds internally on data protection, social media safety, social engineering and other relevant infosecurity and compliance topics.
He emerged as a true pioneer in his field when he proactively took interest in the GDPR in mid-2016, months before many UK organisations would have even been aware of its existence. He became an intrinsic part of a working group within Veolia that was planning for GDPR compliance; Hield stepped forward as the project manager for GDPR, working hand in hand with the head of the legal team. This led naturally to Hield being assigned the position of Data Protection Officer (DPO) for Veolia UK and Ireland – a perfect fit for him, as the GDPR defines a DPO as ‘a cornerstone’ of ‘accountability’. A large part of this role is ensuring that Veolia’s end users receive cybersecurity awareness and training.
Hield’s team trialled many different cybersecurity training and awareness methods. Amongst other things they trialled email-based education – sending employees infographics and statistics; uploading blogs onto a shared intranet and uploading information onto Google Communities.
Unfortunately, end users did not really engage with these methods, with emails going unopened and blogs being ignored, Hield said.
This meant that his team couldn’t truly demonstrate that they were training their employees and were therefore non-compliant with regulations that required cybersecurity training, like GDPR.
Hield then changed things up by giving one-hour presentations to staff at different sites, but many did not have suitable locations where he could train everyone at once. He then set up smaller, interactive sessions, where he trained six to eight people at a time. This was effective, but with 5,500 IT users across 400-plus sites in the UK and Ireland and a team of around three people, it was not logistically viable.
So, he started looking into cybersecurity training software. He demoed solutions from two leading brands by asking people from HR, finance and IT teams to try out the different types of training and give him their feedback. Overwhelmingly, the trial users preferred Wombat Security Technologies’ solution because Wombat’s interactive, step-by-step modules were more engaging than the other company’s video-based modules, which end users found overly technical and hard to engage with at their desk.
He said: “Our goal when we develop training is to really make it as approachable as possible. We didn’t want them to be intimidated.”
Hield started implementing Wombat’s solution in May and June 2017.
He began his first campaign by sending an introductory email to everyone inviting them to complete mandatory ‘security essentials’ training, as well as letting them know that they could try out other optional training modules. In the first week, 1,200 modules were completed, belonging to both the compulsory and voluntary module set. Hield gave the company three months to complete the compulsory training and with just a polite monthly reminder, 80% of users completed the training.
He was pleased the department leads acted as stakeholders during the campaign, with many asking for a list of names of those who hadn’t completed training so that they could personally incentivise them to do so.
Apart from the resounding success of the compulsory campaign, Hield said he was really impressed with how many end users completed voluntary training – from June to December 4,120 voluntary modules were completed. 100 staff members even did every module available. Mobile device cybersecurity was a particularly popular voluntary topic.
Hield ran a mock phishing attack on his users in March during Veolia’s internal Cyber and Physical Security Week – 700 people out of the 5,300 email addresses targeted clicked on a link within the email.
Because this number was already relatively low, Hield decided to challenge his users during the next mock phishing test in November/December 2017. He used an attachment-based simulation and more corporate-looking emails – this caught out people who had not fallen for the earlier test. So, having identified the problem, he applied an instant solution by planning the next mandatory education module to be ‘avoiding dangerous attachments’.
The ROI of the training has been immense, with the equivalent of 250 entire days of training being delivered from June until October 2017 – an impressive number considering that the modules only take around 15 minutes to complete.
The money saved by using this type of training is going straight into the budget for next year and one of Hield’s first steps as DPO will be to run a compulsory campaign educating users with Wombat’s GDPR training modules – although he has noticed that a lot of people are already voluntarily doing this module.
Hield presented Veolia UK and Ireland’s cybersecurity training campaign to his contemporaries at a global security summit in France in the summer of 2017 and they were blown away – with Hield at the helm, the rest of the organisation looks set to roll out this high level of cybersecurity training and awareness globally.
He said: “It also works well on the phone – everything is mobile responsive. We can see the main difference and it ticks all the compliance boxes as well which is important for us. It really works for us.”
The way that Hield has tackled cybersecurity training and awareness head on within his organisation, acting as a trailblazer globally, has demonstrated he is truly an influential cybersecurity leader.