CLIENT CASE STUDY

GLOBAL OIL AND GAS COMPANY: IMPROVED INFORMATION SECURITY THROUGH CHANGE MANAGEMENT

Going Beyond Technology

OVERVIEW

One of the world’s largest oil and gas companies chose Accenture to lead a major transition from its legacy security platform to a sophisticated and industry-leading solution that includes modernized cyber, physical and industrial security systems.

The company was keenly aware, however, that to improve security from every angle, it would need to do more. It knew that preventable human errors cause nearly a third of all information security incidents. The company therefore sought to underpin the entire security approach with an often-overlooked—yet critically important—component: heightening its employees’ awareness of how their day-to-day actions impact security.

As part of the overall security solution, the company asked Accenture to develop an extensive change-management program to improve its employees’ understanding of security and to help them make the best possible decisions.

Preventable human errors cause nearly a third of all information security incidents.

RECOMMENDATIONS

Employees, at each and every level, must understand the critical roles their own everyday actions play in protecting the company.

The wide-spread global company faced challenges in maintaining consistent and well-communicated internal security programs and procedures. In addition to leading a massive transition to a sophisticated new system of cyber, physical and industrial security solutions, the company also asked Accenture to create a rigorous and innovative change management program.

The global oil and gas company’s top-level executives were clear: Employees, at each and every level, must understand the critical roles their own everyday actions play in protecting the company. Senior executives expressed willingness to lead by example and wanted to be as engaged as possible with Accenture’s programs to improve employees’ security awareness and behaviors.

SOLUTION

Accenture’s experienced team of change management professionals created and implemented an innovative information security behavior change program that reached the clients’ employees in more than 50 countries. They began by collecting data on employees’ typical information-security-related behaviors (e.g. frequency of changing passwords, attitudes toward risks, awareness of code-scanning services and many other tangible measurements).

Accenture then identified 10 specific high-risk issues, helped set measurable objectives for the program and established processes to regularly monitor progress.

Because sending “phishing” email messages is the most common tactic attackers use against corporations, Accenture’s team began its change-management program by creating materials to help the client’s employees understand the threat and recognize phishing email.

The education program included sending simulated phishing messages to every employee. Any time a recipient incorrectly clicked on a link in a simulated phishing message, that person immediately received additional information about phishing threats and how to take the correct action.

Accenture’s change management professionals also created a variety of education programs on several topics, such as sharing documents securely and safeguarding access to devices while traveling.


The programs included:

  • Fun, interactive online games

  • Instructional videos

  • A comprehensive website

  • Exhibit booths during the client’s annual “Safety Day” and presentations at several meetings and events

  • Printed materials such as flyers, infographics, posters, banners and tabletop displays

  • Information security IT health checks

RESULTS

Accenture helped the client dramatically and sustainably improve its employees’ security-related behavior.

By focusing on using relevant data to benchmark, track and measure improvement—and by creating innovative, award-winning materials—Accenture helped the client achieve the following outcomes:

  • A reduction in the number of recipients who inappropriately clicked on mock phishing messages from 35 percent of recipients to eight percent.

  • 89 percent of the client’s employees took actions to improve security as a result of the campaigns.

  • 87 percent of the client’s employees reached a high level of awareness of identity theft and fraud.

  • 82 percent of the client’s employees reported that they now handle information in a more secure manner while at work.

 

Employee security-awareness training programs remain one of the most essential safeguards for effective security. The company now prides itself on being an industry leader when it comes to information security and it is setting goals for further improvement.