For a little over a year now, we have been running several security awareness campaigns at Belnet, led by the Awareness team. Last year, we focused content primarily on phishing tests and extensive communication regarding various dangers. Besides that, 2022 was also about insight: finding out through objective measurements and surveys how well our colleagues' general security knowledge is coming along.
Our parallel approach to raising security awareness
By using different types of campaigns through our platform, we were able to bring a range of topics to our employees. This not only trained them to recognise phishing, which to this day remains the biggest danger, but also allowed us to make them aware of other potential dangers that may be present.
Our biggest focus in 2022 was on phishing campaigns, whereby the Awareness team drafted phishing e-mails based on detected vulnerabilities or current topics to send out to our employees.
We started with a baseline campaign that we sent out to all colleagues. This one was intentionally made very believable so as to have a clear view of who has trouble recognising phishing e-mails. 48% of our colleagues got caught by this simulated HR e-mail that was going after personal data.
After that baseline test, we decided to test our various teams separately with a phishing e-mail more "tailored" to the business context. Here, the click rates were already much lower, ranging between 0 and 15 percent. Recipients who clicked on the link were then presented with a training course that clearly explained, in an interactive manner, how to recognise a fraudulent e-mail.
As we sent out more and more phishing e-mails, we saw some clear progress among our users. Whereas on our baseline test there was a 48% click rate, we can now say that no-one clicked on our last overall campaign. A marked improvement!
In addition to phishing campaigns, this year we also sent out some specific awareness communications to our employees on various security-related topics.
For example, we communicated about major and well-known dangers such as ransomware and about the use of secure passwords, as well as some more specific topics such as "Have I been Pwned", the risks of using USB sticks and the situation in Ukraine, which is also a potential threat to us as an NREN.
The more you measure, the more you know: training and assessments within the programme
Assessments and training were not to be missed in our Awareness programme either. Here, we used various assessments to gauge the initial knowledge of our employees.
First, we conducted a Security Awareness Proficiency Assessment. 78% of our users completed it with an average score of 70%, so we now have a good view of our employees' knowledge.
In the "Passwords and Authentication" section, scores were generally lower. We therefore opted to subject all our employees to a training programme on secure passwords through our training tool. With great success, as the average score on the final quiz for this training course was 85%.
Lessons learned and future vision
After a year of internal awareness, we have noticed that our employees are much better able to recognise and respond appropriately to security risks such as phishing. In general, our colleagues have also become significantly more security-minded.
On the other hand, we noted that additional efforts are needed to actively engage everyone in the Awareness programme. Therefore, one of the things we would like to do is to work on an Awareness Policy, which will also formally define the purpose of the programme, its scope and expectations for our employees.
In the next phase of the Awareness programme, we would like to focus on somewhat less conventional attack methods, for example via QR codes or a physical intruder. We would also like to make the programme even more interactive by, for example, launching some lunch & learn sessions in the future.