The Natwest Story from an Awareness Leader perspective
Ceri J., Security Awareness Manager at NatWest, a UK bank with 74,000 employees, felt she needed to do more to counteract the threat of phishing attacks. For a major bank like NatWest, phishing represents a serious area of risk exposure and one where employee awareness is part of the solution. As she explained on IT Central Station, “The spike in phishing attacks targeting bank employees drove us to search for an effective solution to mitigate that risk. We switched to CybeReady in 2019 and have been seeing a constant improvement in employees’ ability to identify and avoid phishing attacks. The best part is that the solution is fully-automated and removes all IT overhead.”
CybeReady deploys the training simulations in 35 languages using NatWest’s branding to reduce employee risk and mitigate the urge to click on a phishing email. Training is ongoing and empowering to those working at NatWest, who can now ramp up their own intuitive security precautions.
One advantage, according to Ceri, comes from CybeReady’s automated phishing awareness and action program. “They host everything, then we set up everything with our own internal routing through whitelisting, like emails and so forth,” she said. “CybeReady’s phishing training helps us by working around the clock.”
She added, “It is really helpful for me to have the backing of CybeReady who is more like a partner to my way of thinking in helping change the mindset across the wider bank of what to do with phishing framing.”
Deploying CybeReady to NatWest’s Entire Workforce
Explained Ceri, “NatWest is one of the major retail banks in the UK. The company operates across the globe in different locations, but most of its efforts are within the UK. Once a month, we use their [CybeReady’s] BLAST tool to deploy phishing simulations to our entire workforce.”
They are also in the process of deploying the CybeReady Continuous Awareness Bites (CAB) tool. She remarked, “That tool uses positive, open language to try and get people to engage a bit differently, and CybeReady understands how to do that well. BLAST in its normal setting, on a monthly, continuous basis has actually proved to be quite good and useful in showing trends.”
CybeReady organizes data and allows Ceri to customize what and how the department identifies “hot button issues.” She said, “I find the dashboard on the back-end for collecting data and the MI particularly helpful in the way that it is broken down, e.g., you can search and pull out any particular sort of anomalies or things that are interesting. It allows you to kind of find it for yourself because it allows for flexibility of particular areas and breaking them down, not just by location, but also by different management levels to different team areas.”
As Ceri described, being able to cut and slice the data in different ways allows her team to navigate, then present it back to people within affected areas of the business. She stated, “It is a bit more of a nuanced view with a bit more context-specific for them, which is always helpful.”
“Getting people to move from the idea that they only need to do phishing training every quarter to that continuous learning is quite a shift because they were doing that for about five years,” said Ceri. “It was very much something that they were used to. Moving to this different way did take some conversations with CybeReady about the best way to approach it. We did not want to have a ‘throw the baby out with the bathwater sort of approach of just making it really difficult, hard, or that everyone would obviously click. It was being a bit more pragmatic about having a range of emails, which CybeReady does really well.”
Ceri has been able to target relevant issues that need attention. She elaborated, noting, “By using CybeReady, we have identified some infrastructure issues in the bank, which we have corrected because of having CybeReady. We switched on particular elements of their tool, and that has helped us recognize that there are issues in the infrastructure. So, they have helped us correct infrastructure problems.”
The training is designed by expert security veterans. Each simulation directs custom training content that is tailored for the simulations. It approaches employees through emails that are tailored to “speak their language,” providing Ceri with analytics to optimize employee awareness and performance. The software adapts through learning to address the impulse to click on phishing emails based on the performance and history of an employee, taking the burden off of employees in not expecting them to be security experts, yet gradually teaching them what to look for and how to protect themselves and NatWest.
Intuitive and Non-Judgmental Company Security Awareness Training
Employees have responded well and feel positive regarding the intermittent, random training emails. “Realistically, it’s keeping the phishing in mind. It moves away from slightly more draconian, negative feelings of being told off. This is because of the way that CybeReady does it,” Ceri said. She added, “Their way is more beneficial and about ‘positive engagement.’ It isn’t about telling people off or determining their behavior to be wrong. It’s about allowing them to build those capabilities and learn coping mechanisms. They (employees) go on to additional training if they do click, but that additional training is actually positive, engaging, and quite open in its language. This allows people to engage differently.”
Digging Into the Data
“Not only across the bank, but within my own team, they can see the effects of what simulated phishing can do,” said Ceri. “It moves people away from seeing click rate as the be-all or end-all to start having deeper conversations about what they are clicking on and what areas need clicking, and what can we do about that?”
For example, the issue may not have anything to do with training, but rather be about fixing a technology problem. She remarked, “This has allowed us to have a wider conversation about the effects on people. It is not just my team or other employees, but also the seniors who get the data from it. This has allowed them to have more open, reasoned conversations about what the data is really showing us and what we can do better to support people.”
To learn more about what IT Central Station members think about cybersecurity training solutions, visit the CybeReady page.