Award-winning security awareness campaign
Amadeus wins the 2020 Care4Aware Award for best long-term security awareness program with an IS-FOX Security Awareness Campaign.
The Security Awareness Campaign
The Amadeus Security Awareness Campaign is an example of an ideal course:
- First of all, win over the management as positive multipliers.
- Then use social engineering attacks to playfully generate personal involvement among the target group.
- Then provide training across the board, through classroom events and e-learning.
- In parallel, set up a cyber security portal on the intranet with an active community.
- Continuous refreshment and supplementation through phishing simulations, security arenas and webinars.
- Special awareness measures for IT personnel (administrators and developers).
In a phase 0, the executives were shaken up for the topic of cyber security in international meetings with live hacking and management call-to-actions and won as positive multipliers. Because managers have an enormous effect on the security culture - both in a positive and a negative way. Security is often perceived as a " stopper " and a " preventer ". Neither e-learning nor phishing tests can help against such an attitude, because the attitude towards something is made up of knowledge and emotion, and it is difficult to boost emotion positively with tool-supported awareness, especially in the case of managers, who also have a personal responsibility and role model function.
What helps is the creation of personal involvement through live hacking demonstrations and the relentless clarification of the possible risks and consequences of a cyber attack. All of this is paired with an explanation of successful security. This leads to the awareness that security people are not "paranoid nutters", but choose their measures wisely and with a sense of proportion. Only this awareness creates a positive attitude towards the topic of security. The foundation for all subsequent measures.
The management training sessions were planned for the main offices in Madrid, Nice and Erding, but due to extremely positive feedback they were extended to key international locations: Boston, Miami, Sao Paulo, Dubai, Bangkok and Bangalore. And since we were already there, we opened up the trainings to employees as well, starting in the second year.
Social engineering attacks by the phantom
Following the campaign "Microsoft chases the phantom" already implemented by HvS at Microsoft Germany in 2010, we again created a phantom that communicates the serious messages of Cyber Security Awareness in a playful and eye-twinkling way. This phantom carried out various attacks on the staff:
- Phishing emails
- Spreading of prepared USB sticks
- Social engineering calls
- Scouring office space with Dumpster Diving
Of course, all attacks were always resolved immediately and communicated throughout the company. In addition, we took special care (as always) not to "put anyone on the spot" or expose them. All actions were anonymized by HvS and communicated by the Phantom with charm. Therefore, there were no objections from the side of the workers' council, but rather broad approval.
The phantom won the hearts of the employees and became the official "key visual" of the security awareness campaign.
Continuous know-how transfer
Certainly, 19,000 employees in 150 countries cannot be trained through face-to-face events. Therefore, IS-FOX e-learning was rolled out as mandatory e-learning, adapted to Amadeus' guidelines and focus areas and branded to the Phantom. This e-learning course achieved the highest participation rate and some of the best ratings at Amadeus.
However, since hardly anyone calls up an e-learning to briefly look up something, we established a cyber security intranet portal in parallel, the "security wiki" so to speak.
And thanks to the widespread community approach at Amadeus as well as available internal resources, the security team was able to grow the cyber security community over the years to become the community with the most subscribers at Amadeus. It's a great success that proves security doesn't have to be dull and annoying.
In the following years, Amadeus integrated further measures for know-how transfer, such as continuous phishing simulations and the implementation of security arenas.
Cyber LABs for Admins and Developer
The core business of Amadeus is IT. Accordingly, there are several thousand administrators and developers in the workforce. And for this target group, the message "don't click on phishing emails" is far from sufficient. Admins and developers have entirely different security issues and, because of their privileged rights, can cause even greater damage than end users. In addition, security measures have a much greater impact on their day-to-day work than they do on normal users.
For this reason, administrators and developers have been receiving targeted training on the topic of security awareness for the past 3 years.
They are encouraged to take on the role of an attacker in their own LAB environments and disassemble their own typical systems. Similar to the managers, it is exactly this personal involvement and understanding that is needed before the actual security messages can be conveyed... otherwise, quite simply, no one will listen to us. The Cyber LABs get top ratings from participants and massively foster a positive security culture in the IT community at Amadeus, even though it makes the day-to-day work a little more complicated.
The Amadeus security awareness campaign is a very successful example of long-term and integrated measures:
- The top-down approach with convincing and winning over managers was implemented perfectly, even in a phase 0 before the actual campaign launch.
- Corporate Communications was already involved at the time of campaign planning and gave us optimum support in using all relevant communication channels.
- The regional security officers were involved at an early stage and successfully multiplied the campaign into the regions.
- The cyber security intranet portal became the central security wiki and, over time, an interactive community with the most subscribers within the Amadeus Group.
Another key success factor was certainly the fact that a dedicated person was able to take care of the topic of security awareness, because a campaign like this cannot be managed as a part-time job.
We were not really surprised that our phantom campaign was awarded by security awareness specialists as the best long-term security awareness program, beating very successful campaigns by the city of Zurich and Daimler AG.
Unfortunately, due to the Corona Pandemic, the Care4Aware Award 2020 could not be presented until the end of 2021. Thomas Wepner, Senior Corporate Security Officer at Amadeus, was nevertheless delighted to accept the award.
And of course we share his excitement and look forward to the continuation of the campaign!