KnowBe4 decreases risk of phishing attacks from 32% to 7% at SIG

Access to, and the use of, data is a strong contributor to a company’s business strategy, and it was this that increased the need for SIG to ramp up its protection against potential cyberattacks. Carl Baron, Chief Information Security Officer at SIG, tells us how KnowBe4’s solution helped the company improve its cybersecurity posture.

SIG plc is a leading wholesale distributor of building materials in Europe, particularly insulation and interiors, roofing, exteriors and air handling. Founded in 1957 as a single-site insulation distribution business run from a converted ice cream van in Sheffield, the company has made several acquisitions over the course of 63 years, allowing it to become the powerhouse it is today. It now has around 9,000 employees dispersed across 585 branches in the United Kingdom, Ireland and mainland Europe.

Challenge

In an effort to maintain its prominent role in the construction industry, SIG has the primary goal of advancing its operational and financial performance within three primary areas: customer service, customer value and operational efficiency. Achieving this depends upon key ‘strategic enablers’. These include investing in technology and systems to better understand customers and products while simultaneously becoming more efficient. They also mean greater investment in data management, because access to, and the use of, data is the bedrock of the company strategy. With this growing importance of technology and data, it became increasingly vital that SIG was protected from cyberattacks. Indeed, one of the main challenges the company faces lies in its final ‘strategic enabler’: talent.

SIG, like any company, relies on its dedicated and talented employees. Regrettably, it is well established that employees are also the most likely entry point for bad actors seeking to infiltrate an organisation’s IT systems. One wrong click on a malicious link or phishing email poses a colossal risk to the organisation.

Solution

Fortunately, the board clearly understood the risks of phishing attacks and gave its Chief Information Security Officer, Carl Baron, the green light to take the necessary measures to improve the company’s cybersecurity. In his plan, security awareness was made a priority. While Baron had worked with other vendors in the past, he ultimately elected to go with the services offered by KnowBe4. These include security awareness training as well as a simulated phishing platform.

Unlike many other security awareness providers, KnowBe4 stood out as the best contender because it treated SIG as a valued partner. KnowBe4 listened to every one of Baron’s concerns and tailored the ideal plan for SIG.

Knowing that SIG’s employees would not respond with much enthusiasm to a repetitive course, KnowBe4 overcame this with a dynamic and inspired training plan built from multiple creative houses. It also ensured that each training module lasted no longer than 10–15 minutes, which helped to maintain employee engagement. Moreover, the content was offered in a range of languages, which complemented SIG’s multinational nature. In this way, Baron was essentially offered a buffet of choices from which he could create the most appropriate training plan for each geographical area of the business. Baron was pleasantly surprised to find that KnowBe4’s price point was very competitive.

Implementation

The implementation of KnowBe4’s training programme was as easy as Baron’s decision to take it on as SIG’s security awareness provider. It is delivered as a platform from which he can assign training modules to employees on a regular basis as well as run simulated phishing tests against them. In addition, he receives monthly reports tracking progress among employees. This allows Baron to demonstrate to board members, with measurable results, the improvements he has made to SIG’s overall security hygiene.

Results

The results for SIG since the implementation have been phenomenal. The first round of simulated phishing tests revealed that nearly one-third of the company (32%) was prone to falling for phishing attempts; since using the platform, that number has been drastically reduced to just 7%. This makes Baron’s goal of reducing the percentage to 4% this year very achievable. After all, as this percentage drops, the business undoubtedly becomes safer from cyberattacks.

Baron has also been able to prove the value derived from the platform through monthly measurements and metric reports, which cite the number of people who have been trained, which specific campaigns have been completed, the number of people who have been phished and how many remain susceptible to being phished. With these statistics, he can continue to tweak and customise the content he selects for the next month’s training, while resting assured that the multi-language content will operate easily in the respective geographical regions and respect the various privacy regulations. If he ran into any complications, the KnowBe4 team was quick to provide support, which Baron asserts is ‘second to none’.

We caught up with Carl Baron, CISO at SIG, to discover more about the solution and how it has benefited SIG’s operations.

How do you ensure that SIG can consistently operate with a robust cybersecurity approach?

From an awareness perspective, I have tried to move SIG away from PowerPoint-based training and the ‘click next’ approach. At the beginning of COVID, I created a beta test group for KnowBe4 content, using The Inside Man on a bi-weekly basis to provide consistent training materials that almost make employees forget that it’s training. The response was phenomenal. The Netflix-style episodes are engaging and aren’t burdensome to complete. We really used COVID as an opportunity to train people while operations were stopped due to the pandemic, even with people on furlough, as we were still allowed to provide training. It’s not overwhelming and we can provide other training through Restricted Intelligence videos intermittently – a format that has really worked for us.

What are some of the cybersecurity challenges facing the construction industry and how are these being combatted?

As an industry, we are not used to this kind of remote working at such a large scale, so that was the biggest challenge. In fact, as far as Business Continuity plans go, this wasn’t even part of the equation, as it wasn’t for many companies. We needed to quickly ramp up equipment and make sure that any working employee had access to a company device; and where they wanted to access information on a personal device, we quickly deployed MFA to allow for this. Another way we could make sure everyone felt connected and supported was through the use of Microsoft Teams – not only from a security awareness perspective, but also from a personal one. It helped us communicate to employees how to work remotely and created a sense of togetherness.

How has KnowBe4’s tailored solution helped SIG to achieve great results?

We’ve used the feedback capability through the KnowBe4 platform to gauge how well it has been working and the response has been positive. We made the decision to release episodes of The Inside Man every two weeks, but employees have requested them sooner – it has really improved the security awareness culture and the perception of security training in our business. In fact, our learning and development team can see the benefit of this kind of training and is in talks with Twist & Shout (a KnowBe4 company) to enhance their own initiatives. So, it has been a catalyst in other areas of our business outside of IT and cyber.

What long-term benefits do you predict for the future as a result of the implementation?

The pandemic has brought on the need for remote working at scale and with it, the need for security awareness increases. We’ve recently also purchased the PhishER and PhishRIP services from KnowBe4 that empower people to help themselves and report phishing emails more easily. But not only is it easier from a reporting perspective, there are also communications back to the employee that thank them for recognising suspicious messages. It’s about positive reinforcement. With the breadth and choice of different training materials, we’ve completely changed our awareness programme and it means we can train people more regularly (rather than annually or through boring tick-box exercises). This constant reinforcement is really powerful.

How would you summarise the overall experience with KnowBe4?

I am a huge fan. The platform continuously evolves and the content is amazing. Even issues I may have had with it in the past have now been addressed in development or are being addressed. The support from KnowBe4 is amazing and the relationship we have operates more like a partnership, which is what I would love to see with all of my other cybersecurity suppliers. After all, we’re all working towards the same goal.

Intelligent CISO