Accenture social engineering awareness program
Accenture’s Information Security team applies innovation and data-driven intelligence to programs so employees can avoid social engineering scams.
Accenture is a large, globally dispersed professional services company that works with—and handles sensitive information of—Fortune 500 companies, as well as nearly half a million employees who work in our offices, from home, client sites and while on the go. Our people are both our greatest asset and our biggest vulnerability when it comes to keeping information secure.
Increasing sophistication in social engineering techniques, coupled with the large volumes of e-mails and use of numerous communication channels, creates more opportunity for employee errors. We needed a social engineering program for all our people that would assess, demonstrate and continually reinforce the best security behaviors in their fast-paced, digital work and personal lives to keep information secure on all fronts.
To address social engineering threats, our Information Security organization mobilized a team to develop and run a formal social engineering awareness program. This team now conducts regular social engineering tests to identify behavioral risks related to phishing. It uses a variety of learning assets to inform our workforce on how to recognize social engineering indicators and malicious tactics that threat actors might use to gain access to sensitive information.
Drawing on test results to identify security behavior gaps, the team continually develops and tailors custom-made educational materials and interventions to cultivate employees’ understanding of risks and consequences associated with falling victim to social engineering. The team applies gamification and tightly integrates across all of Accenture’s Information Security behavior programs, using video, and animated microbursts of learning content resulting in a robust portfolio of learning assets that employees enjoy. Test results are further used to measure and improve the overall effectiveness of the awareness program.
The program was structured to focus company-wide on three dimensions: people, process and technology:
Key to all behavior change programs are people—and ensuring the desired change takes place at an individual level. For our Social Engineering awareness programs, helping employees understand their critical role in keeping information safe is always the goal. The team develops learning assets on relatable topics like ransomware, business e-mail compromise, and charitable giving. Messaging for Accenture people around identifying social engineering indicators, personal accountability and clear consequences for failing to recognize threat characteristics are embedded in the assets, which are deployed regularly on themes reflecting timely security industry-related trends.
Employees are tested on their understanding and ability to recognize social engineering attacks through regularly distributed “spoof” phishing e-mails. To pass the tests, recipients must not click on any links or attachments. Employees are encouraged to report any suspicious e-mails to the Accenture Security Operations Center using the “Report Phishing” icon in Microsoft Outlook. Employees who fail tests are asked to complete specific learning assets and may be enrolled in a more involved training and a consequences program.
Three technical components were implemented to improve employee decision making when reacting to e-mail-based threats. The first is a feature that displays “[External]” in subject line of every e-mail received from outside Accenture. The second is a warning message included at the top of e-mails coming from external sources as an added visual cue. The third is a URL and attachment validation technology applied to every external email to verify safe links and attachments.
Accenture’s Information Security group is charged with protecting the information of Accenture, its clients, its business partners and employees. Social engineering programs address some of the key risks around protecting data.
Since launching the program, social engineering test failure rates have decreased significantly, demonstrating employee adoption of desired secure behaviors. The program continues to evolve based on its results, driving constant improvement, including the development of a consequences program that is designed and administered regionally based on local laws and policies. On an ongoing basis, the Information Security team stays ahead of threat trends and incident patterns using gathered intelligence to formulate leading-edge, immersive learning assets that orient Accenture employees before threats are headlines.
"Our behavior change programs are rooted in data, so we fully realize the value on our investments in new assets and technologies. We measure adoption and benchmark ourselves rigorously and adjust approaches, so we can maximize the user experience as well as the benefits of each solution," said Urszula Fabiszak, Accenture's director of Internal IT.
Our workforce (where legally permissible) is tested quarterly on its abilities to identify threats and respond appropriately.
Employees are encouraged to report suspicious e-mails to the Accenture Security Operations Center with a "Report Phishing" icon in Microsoft Outlook.
Employees who fail multiple phishing tests have their external e-mail redirected to their junk folder with links and attachments disabled.