What We Faced
Challenge
An offshore drilling contractor wanted to proactively secure valuable assets from cybersecurity threats by minimizing risk related to phishing attacks and human behaviors through improved security awareness and training. The threat of phishing attacks had increased significantly in recent years, especially with remote work becoming more prevalent since the COVID-19 pandemic. According to the most recent report from Zscaler ThreatLabz, there was a staggering 47.2% surge in phishing attacks in 2022 compared to the previous year. MRE was contracted to provide project management oversight to ensure a successful project rollout and realization of the project’s expected benefits for the organization.
What We Did
Solution
The offshore drilling company selected a security awareness and training platform called KnowBe4 because of its comprehensive training approach. KnowBe4 offered regular and on-demand modules with dynamic content, and incorporated phishing campaigns that could be used as simulations. The solution could be used for employees, contractors and third parties, with defined role-based curriculum requirements.
- Library of Customized Training Modules: KnowBe4’s learning modules covered critical topics related to behavior, policy adherence, and compliance expectations. The tailored modules incorporated role-based training, addressing the specific context of various job functions within the company. Training used to be a one-size-fits-all approach, but the new platform allowed specific departments to have a tailored curriculum based on the threats they are more frequently exposed to.
- Simulated Phishing Campaigns & Training: Implementation of simulated phishing and social engineering attacks that test employees’ ability to identify red flags. These simulations also serve as a tool for identifying individuals who may be more susceptible to phishing attempts and automatically provide them with additional training requirements.
- SAPA (Security Awareness Proficiency Assessment): SAPA is a questionnaire to assess the organization’s security awareness and identify specific areas where additional training is needed. It serves as a tool for tailoring training modules to address the unique cybersecurity awareness needs of different teams and individuals.
MRE provided oversight of the project delivery. We leveraged our Project Management Framework to oversee the project, manage the timeline and proactively identify risks or issues. MRE coordinated with the client and vendor and fostered collaboration among stakeholders for a smooth implementation, ensuring alignment with the client’s PMO standards and its reporting and documentation requirements.
MRE’s Project Manager proactively identified and managed risks to ensure a smooth implementation. For instance, the team ran into an unexpected issue during Active Directory integration. The Active Directory (AD) structure did not reflect the way the organization needed to group people and departments for rolling out the security curriculum. For example, generic rig accounts in the AD structure would not require training, while the contractor workforce needed to be included based on their role. We actively worked through this issue, conducting manual reconciliation and quality assurance checks as confirmation. Our approach to risk management instilled confidence in the client and ensured the project stayed on track.
What We Delivered
Results
The project successfully launched the organization’s cybersecurity awareness training program. MRE’s Project Manager was responsible for completion of the project, facilitating communications with users, and assisting with an ongoing framework for training and communications.
- Established a comprehensive baseline for measuring changes in user behavior and susceptibility to phishing attacks by running a phishing simulation across the organization.
- Enabled measurement of the cybersecurity awareness and training program’s effectiveness with the ability to compare susceptibility before and after users have undergone training and received communication about cybersecurity best practices.
- Communicated the importance of cybersecurity awareness to the organization and individuals to support the long-term objective of fostering a sustainable security mindset across the entire workforce.