AUG 2015 – KBC aims to be top-class in providing secure financial services to its customers. An important part of its cyber security strategy is to educate KBC employees and customers to make them more “cyber aware”. Therefore, KBC has been launching various user awareness initiatives. In 2015, KBC hired Krinos Academy to carry out a Belgium-wide email phishing awareness campaign.
Bringing the campaign message across
Probably the most important part of an awareness initiative is (positive) communication. KBC’s campaign goals were to decrease the number of people accidentally clicking on suspicious links in emails and to increase the number of people reporting the emails as phishing. Together with Krinos, KBC announced the campaign to all employees and informed essential stakeholders, such as the helpdesk and management, upfront. Krinos created an instant learning page for the phishing victims and prepared the debriefing message that was sent to all employees shortly after each phishing mail.
“We were instantly on the same page with Krinos. Thanks to the thorough preparation and experience of Krinos, the phishing simulations themselves went really smoothly. Teaching people to detect and respond to cyber attacks demands a change in human behaviour. We managed to establish and measure this change in our organization by combining subsequent simulations with simple training initiatives and positive communication.”
explains Dominiek Christiaens, Information Risk Officer at KBC Group and responsible for user awareness across KBC.
Phishing 16,500+ employees across 13 different entities poses several challenges
An email phishing simulation on the scale of KBC Belgium poses several challenges. The first challenge is to get the email into each mailbox, as the security technologies already in place to protect the organization will typically block some of the simulated phishing emails. Another challenge is being able to respond to the high volume of reactions to the simulations.
“By working with Krinos Academy, KBC Belgium was able to quickly tackle the challenges of a phishing campaign of this scale. Moreover, they helped us to define clear objectives and measure the Return on Investment (ROI) of our awareness campaign. Because of Krinos’ end-to-end managed service, the campaign could start up very quickly without the need to buy tools or train internal people. The reporting provided by Krinos was directly used to inform management about the ongoing campaign.”
says Jan Nys, Chief Risk Officer ICT & Information Security, KBC Group.
Krinos is a Belgian consulting company specialized in cyber security awareness. To build awareness in any organization, Krinos follows an Attack-Train-Measure approach. Krinos offers end-to-end managed email phishing campaigns, ranging from a one-off baseline phish to yearly advanced campaigns. Additionally, Krinos offers a set of short interactive online training courses, useful for all employees, hosted on the Krinos eLearning platform. Combining simulated phishing attacks with easily accessible training in a yearly campaign gives good and cost-effective results for awareness and behavioural change among all staff. Other attacks managed by Krinos that build awareness for staff, ICT and management are: USB drops, realistic penetration testing and voice phishing.