“Whenever I meet up with the Layer 8 team, I always come away inspired.”
TRAVIS PERKINS – Tony Green (Security Team)
“Working with Layer 8 has enabled me to make the seemingly impossible, possible. When we discussed building a security team of 33,000 employees I had difficulty imagining how this could be achieved without spending a lot of money. Layer 8 have shown me this is possible and provided the framework and support with which to achieve this. Culture change won’t happen overnight but it began as soon as my conversation started with Layer 8.”
OPENREACH – Bernie Auguste (General Manager of Security)
In preparation for GDPR regulations becoming enforceable in 2018, our client needed to identify data assets, assess risks, and develop the secure management of information across the business. We were starting from a low level of awareness in many areas of the business, there was no one in the business who could dedicate their full time to the issue, and they needed to instigate a ‘people solution’ within a framework that would become self-managing.
Department by department we ran Layer 8 Live Workshops that enabled teams to uncover the information assets they protected, recognise their personal and collective responsibilities towards safeguarding those assets and collaborate on how to manage them securely. These workshops initiated a conversation about security that needed to be sustained.
To that end, after their workshop, all participants were loaded onto the Layer 8 Toolkit® where they have access to monthly content to keep the conversation going and learn about new risks. A security champion for each team was identified and inducted into the Layer 8 Toolkit® Leadership and Management Portal. This champions network is now the driving force behind change within the organisation.
• This resulted in all personal and sensitive information being identified and registered in a data audit.
• Each department contributed suggestions to a companywide Security Charter for data governance.
• Subsequent audit results achieved high praise, especially regarding employees and their role in security.
Phishing and spear-phishing emails were bypassing technical controls and malicious links were being clicked. Traditional awareness that simply showed people how to identify a phishing email was not working, due to the increased sophistication and changing tactics of such emails. A solution was required to minimise the number of phishing emails and other social engineering attacks that were successful.
Our approach was to focus on people rather than the emails, and we ran Layer 8 Live Workshops with departments considered to be ‘high risk’. We used dramatic scenarios to expose the ‘mechanics’ of all social engineering attacks, including phishing emails. Participants developed a greater understanding of the tactics of manipulation and their own vulnerabilities.
In the second part of the workshop, employees took on the role of cybercriminals to plan an attack on their own organisation. To do so, they considered their assets, where they were stored, who in the organisation would be targeted to get to them, and when they would be at their most vulnerable – as well as how they might be tricked using the techniques encountered in the first part of the workshop.
• Teams were better able to see their vulnerabilities and developed strategies to address them, which they were ready to implement immediately.
• They came up with a series of actions to put in place individually and departmentally.
• They made suggestions and contributed to the development of a companywide Security Charter.
A large organisation approached us with the ambition of getting every employee switched on to security and adopting more secure behaviours. They recognised the need to develop a proactive culture by generating more positive conversations across the business. However, beyond some initial resourcing and investment, the security team was looking for a way to weave security into business as usual.
Layer 8 worked with them to develop a network of ‘security champions’. We led an initial Layer 8 Live Workshop with about 20 key stakeholders from across the business to garner buy-in for the initiative and generate ideas for its implementation. This was followed up by recruitment events and Layer 8 C-Change training workshops, in which champions learnt a model for taking security conversations out and developed their own strategy for a self-sustaining network of champions.
• Hundreds of new security conversations took place within the space of just a few months.
• Champions reported on the success of the model in developing a proactive culture and making behavioural change happen immediately.
• These changes were reflected in the company metrics for incident reporting and reduced costs to the business.