Raising employee awareness of social engineering
Our Information Security team brought innovation and data-driven intelligence to programs designed to help our people avoid social engineering scams.
Our organization is a large, globally dispersed professional services company that handles a lot of sensitive information.
We work with—and handle the sensitive information of—numerous Fortune 500 companies, as well as nearly half a million employees who work in our offices, from home, at client sites and while on the go.
When it comes to keeping information secure, our people are both our greatest asset and our biggest vulnerability. The increasing sophistication of social engineering techniques, coupled with large volumes of e-mail and the use of numerous communication channels, creates more opportunities for employee error.
We needed a social engineering program for all our people that would assess, demonstrate and continually reinforce the best security behaviors in our fast-paced, digital lives—helping to keep information secure on all fronts, at all times.
Our Information Security group is charged with protecting the information of Accenture, its clients, its business partners and employees. Social engineering programs address some of the key risks around protecting data.
To address social engineering threats, our Information Security organization mobilized to develop and run a formal social engineering awareness program.
Information Security now conducts regular social engineering tests to identify behavioral risks related to phishing. It uses a variety of learning assets to inform our workforce on how to recognize social engineering indicators and malicious tactics that threat actors might use to gain access to sensitive information.
Custom-made educational materials help employees understand the risks and consequences of falling victim to social engineering.
Gamification, video and animated microbursts of learning content build a robust (and enjoyable) portfolio of learning assets.
Test results are further used to measure and improve the overall effectiveness of the awareness program.
People are key to all behavior change programs. For our Social Engineering awareness programs, the goal is always to help employees understand their critical role, at an individual level, in keeping information safe.
Learning assets are developed on relatable topics like ransomware, business e-mail compromise, and charitable giving.
Messaging for our people around identifying social engineering indicators, personal accountability and clear consequences for failing to recognize threat characteristics is embedded in the assets, which are deployed regularly on themes that reflect current security industry trends.
Regularly distributed “spoof” phishing e-mails test our employees on their understanding and ability to recognize social engineering attacks. To pass the tests, recipients must not click on any links or attachments.
Our people are encouraged to report any suspicious e-mails to the Accenture Security Operations Center using the “Report Phishing” icon in Microsoft Outlook.
Employees who don’t pass these tests are asked to complete specific learning assets and may be enrolled in more involved training and a consequences program.
Three technical components were implemented to improve our people’s decision-making when it comes to e-mail-based threats.
1. The first is a feature that displays “[External]” in the subject line of every e-mail received from outside Accenture.
2. The second is a warning message inserted at the top of e-mails coming from external sources, as an added visual cue.
3. The third is a URL and attachment validation technology applied to every external e-mail to verify that links and attachments are safe.
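For readers who administer a Microsoft 365 tenant, the three components above map onto Exchange Online mail-flow rules and Defender for Office 365 policies. The following script is an added example of one way to implement them; it is not Accenture's configuration. It assumes the ExchangeOnlineManagement PowerShell module, an administrator account, a tenant that licenses Defender for Office 365 (Safe Links and Safe Attachments), and it uses constructed placeholder values for the rule names, the banner text and the domain contoso.example.

```powershell
# Added example: external-mail subject tag, external-sender banner, and
# URL/attachment scanning for a Microsoft 365 tenant. Not Accenture's own
# configuration. Rule names, banner text and contoso.example are placeholders.
# Requires the ExchangeOnlineManagement module and an Exchange admin role.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# 1. Prepend "[External]" to the subject of every message that originates
#    outside the organization and is delivered to an internal recipient.
#    The exception stops replies in an already tagged thread from being
#    tagged again ("[External] RE: [External] ...").
New-TransportRule -Name "Tag external mail in subject" `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -ExceptIfSubjectMatchesPatterns '\[External\]' `
    -PrependSubject "[External] " `
    -Priority 0 `
    -Mode Enforce

# 2. Insert an HTML warning banner at the top of the body of external mail.
#    Fallback action Wrap attaches the original message to a new one when the
#    body cannot be modified (signed or encrypted mail), so the visual cue is
#    never silently dropped.
$banner = @"
<div style="border:2px solid #c00;padding:6px;font-family:sans-serif">
<b>CAUTION:</b> This e-mail originated outside the organization.
Do not click links or open attachments unless you recognize the sender and
know the content is safe. If in doubt, use the Report Phishing button.
</div>
"@
New-TransportRule -Name "External sender warning banner" `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -ApplyHtmlDisclaimerText $banner `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Priority 1 `
    -Mode Enforce

# 3. URL and attachment validation. Safe Links rewrites and checks URLs at
#    click time; Safe Attachments detonates attachments before delivery.
#    DeliverMessageAfterScan holds the message until scanning finishes, and
#    AllowClickThrough $false prevents users from bypassing a block page.
New-SafeLinksPolicy -Name "Scan URLs in all mail" `
    -EnableSafeLinksForEmail $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -EnableForInternalSenders $true `
    -TrackClicks $true `
    -AllowClickThrough $false
New-SafeLinksRule -Name "Scan URLs in all mail" `
    -SafeLinksPolicy "Scan URLs in all mail" `
    -RecipientDomainIs contoso.example

New-SafeAttachmentPolicy -Name "Detonate attachments" `
    -Enable $true `
    -Action Block
New-SafeAttachmentRule -Name "Detonate attachments" `
    -SafeAttachmentPolicy "Detonate attachments" `
    -RecipientDomainIs contoso.example

# Verify the mail-flow rules are present and enforced (not in Audit mode).
Get-TransportRule | Select-Object Name, Priority, State, Mode
```

Two practical checks before relying on the subject tag: confirm the tenant does not already apply its own external tagging (duplicate rules produce "[External] [External]" subjects), and send a signed test message from an outside account to see the Wrap fallback in action rather than discovering it from a user report.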
Since launching the program, our social engineering test failure rates have decreased significantly, demonstrating employee adoption of desired secure behaviors.
"Our behavior change programs are rooted in data. We measure adoption and benchmark ourselves rigorously and adjust approaches, so we can maximize the user experience as well as the benefits of each solution."
Our people (where legally permissible) are tested quarterly on their ability to identify threats and respond appropriately.
Employees are encouraged to report suspicious e-mails to the Accenture Security Operations Center with a "Report Phishing" icon in Microsoft Outlook.
Those who fail multiple phishing tests have their external e-mail redirected to their junk folder with links and attachments disabled.
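As an added example of the remediation control described above (not Accenture's own configuration), the following Exchange Online mail-flow rule sends external mail for members of a constructed placeholder group, phish-remediation@contoso.example, to the Junk Email folder. It assumes the ExchangeOnlineManagement module, that the group is a distribution or mail-enabled security group, and that the tenant's anti-spam policy and mailbox junk-mail rule are at their defaults, where spam confidence level 9 is delivered to Junk Email.

```powershell
# Added example: route external mail for repeat phishing-test failures to
# Junk Email. Not Accenture's configuration; the group name is a placeholder.
# SCL 9 is the highest spam confidence level, so the default junk-mail
# handling delivers the message to Junk Email, where Outlook shows it as
# plain text with links disabled and attachments blocked.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

New-TransportRule -Name "Remediation: external mail to Junk Email" `
    -FromScope NotInOrganization `
    -SentToMemberOf "phish-remediation@contoso.example" `
    -SetSCL 9 `
    -Mode Enforce

# Enrollment and release are group-membership changes, so the consequence
# is reversible once the employee completes the assigned learning assets.
Add-DistributionGroupMember -Identity "phish-remediation@contoso.example" `
    -Member "employee@contoso.example"
# Remove-DistributionGroupMember -Identity "phish-remediation@contoso.example" `
#     -Member "employee@contoso.example"
```

Because the rule keys off group membership rather than individual mailboxes, the regional administrators the text mentions can manage enrollment without editing the rule itself, and a membership audit log shows who was enrolled and when.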
The program continues to evolve based on its results, driving constant improvement, including the development of a consequences program that is designed and administered regionally based on local laws and policies.
Our Information Security team is dedicated to staying ahead of threat trends and incident patterns using gathered intelligence to formulate leading-edge, immersive learning assets. These help our people stay alert before threats are headlines.