By Adrian Bühler, Mac System Administrator at SWITCH
Let me walk you through how we do reporting, onboarding and lunch & learns in our internal campaign Awareness@SWITCH.
As NRENs we provide critical infrastructure to our communities, which we need to protect. As the past few years of the Verizon Data Breach Report have shown, IT security is not just a technical challenge. At SWITCH, we’re in the fortunate position of having a small team of security awareness experts, who work on the topic externally. This expertise is used to build and coordinate the internal campaign and measures. In this post we’ll be sharing some measures of how we manage human risk at SWITCH.
Asking for help and reporting
When the internal security awareness programme was set up, we in the support team were approached and asked to join in. One of the first issues we solved, was the question of where employees turn to, when they need to report something suspicious.
I believe this to be a big barrier for people, if they have to find out first, where to go to with a specific problem. That can lead to employees not reporting, because it’s a hassle. To us in the support team it therefore made total sense to become the single point of contact for all IT questions, including security. For us it’s easy to do the triage and for users it’s easy to remember who to turn to.
Personally, I’m happy with this decision to become the friendly face for security awareness at SWITCH, as it has provided me with new challenges and opportunities. As part of the interdisciplinary team for internal information security, I get a better understanding of IT security as well as psychology and communications. This knowledge is certainly valuable in my daily job.
Onboarding
Onboarding is key to us in different ways. We’re giving the first impression of our organisation, our culture, and our support team.
It’s the first day of a new job, people are maybe a little nervous and we’re kind of the friendly face to get them up and running with their new device, their work tool. We want them to feel welcomed and as little overwhelmed as possible.
1. Keeping it simple
At the moment, we’re still developing the process to make the onboarding as simple as possible. The end goal is to give people their laptop on day one, where they have to set up two passwords and then concentrate on the applications. We want to get rid of all the technical parts and just introduce new staff to our digital work environment and how to keep their devices safe. We’re not quite there yet, but we’re getting closer.
A few years back, before we implemented an organisations-wide password manager, we had password lists on paper with about 15 generated passwords that people then had to type in on their first day. It was really tedious and frustrating, took a long time and in the end, it was fairly unsafe, because we didn’t know whether people did actually change their passwords afterwards or what happened with that piece of paper.
Now, onboarding starts with setting two passwords, one for the device and one for the password manager. All the other passwords a new user needs are already in the password vault. We explain the password rules and we also set up multi-factor-authentication with them.
2. Making it fun
The second step in our internal IT-related onboarding process is the IT security afternoon. The first part is an informal introduction, where we start with the “why” and then proceed to our rules and the security behaviours we would like people to adopt. It’s a short presentation with many images and we encourage people to interact with the speaker and ask questions. We’re only sending them links to the how-to wikis and security policies (that they may or may not read) afterwards.
For me the most important message I’m trying to get across is: if in doubt, always ask us, the support team. There are no stupid questions. And if there are, we haven’t explained it well enough.
We make security onboarding playful with our SWITCH Security Awareness Adventures
In the second part of the afternoon, we run one of our SWITCH Security Awareness Adventures, such as the escape room Hack the Hacker. The introduction of the training provides basic security knowledge which is then applied during the game. At the end, the participants explain and discuss what they’ve learned.
Lunch & Learns
We’ve now been running (virtual) lunch & learns for 2 years. The main idea is to introduce a security issue with an expert speaker, usually someone from SWITCH-CERT. My role is to teach or remind participants of the corresponding security behaviour, such as passwords, that better protects against this threat. This format also allows me to reconnect to people and be the approachable guy for any kind of IT question, in a way it’s a form of relationship management.
Participation is voluntary and we invite people with all backgrounds. We always make sure to communicate in a way that people without a technical background can follow. At the same time, we try to make it exciting for technical staff as well. The relaxed exchange over lunch is designed to be a way for “SWITCHies” to connect, have fun and thus contribute to a positive security culture.
Usually, we do a quick survey afterwards to evaluate what we can do better next time. Generally, the feedback is very positive, especially when our security experts do live demos such as how easy it is to spoof an email address or what a banking trojan looks like in action.
What is also highly appreciated are playful competitions such as the “safest SWITCHie gingerbread home office house” contest that we ran in early December during the first year of the pandemic. This measure was part of the safer home office lunch & learn. People loved it, entire families got involved to build the safest home office and everyone in the organisation got to vote for their favourite gingerbread house.
Initially we had postponed the lunch & learns, but as the pandemic progressed, we decided to go virtual with this format via Zoom and a messenger. We tried to make them as interactive as possible, with breakout sessions, polls and a dedicated messenger channel. As an incentive we send participants a lunch or snack home.
If you’re interested in this format, check out the concept for the Home Office Lunch & Learn we’ve shared in the resources.
My awareness take-aways:
be approachable, there are no stupid questions
make the content relevant and fun
ask your communications & marketing people for campaign ideas and help with copywriting
avoid technical jargon as much as possible
About the author
Adrian Bühler is a Mac System Administrator at SWITCH, Switzerland. Among his many tasks including first and second level support, he’s trying to make sure that users keep their devices safe. Adi has become the friendly face communicating security messages internally in a user-friendly, hands-on way.
Also this year GÉANT joins the European Cyber Security Month, with the campaign 'A Community of Cyber Heroes'. Read articles from cyber security experts within our community and download resources from our awareness package on connect.geant.org/csm2022
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behaviour or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
