Leading telecommunications company Celcom counted itself lucky not to have experienced a major cyberattack, but it had concerns about the evolving threat landscape and phishing emails. Knowing that corporate security is only as strong as the least-informed user, Celcom set out to change its culture through a strong awareness and training program. Since launching Attack simulation training in Microsoft Defender for Office 365, the company has saved 70 percent of the time it used to spend on creating simulations manually.
“We have a highly effective and productivity-enhancing tool with Attack simulation training in Microsoft Defender for Office 365. I can’t emphasize enough how important the ease of use and reporting capabilities are to helping us keep Celcom safe.”
Muhammad Muslim Mansor, Head of Cyber Threat and Incident Management, Celcom
Celcom is proud of its innovation. An early entry to the mobile telecommunications (telco) market in Malaysia, the company continues to explore new technologies so that it can delight its customers with inventive solutions. But the company knows that cybercriminals are just as driven. Proactively preparing to counter an evolving threat landscape, Celcom focused on its biggest asset—its employees. It uses Attack simulation training, a feature of Microsoft Defender for Office 365, to bring awareness to a diverse employee group without taxing its busy IT teams. After all, they have exciting technologies to develop.
Sharing is caring—and empowering—for a telco powerhouse
Celcom is the Malaysian arm of the Axiata Group Berhad (Axiata), a multinational telecommunications conglomerate with a broad Asian reach. Throughout the Axiata family of subsidiaries—Celcom counterparts in Indonesia, Sri Lanka, Cambodia, Nepal, and Singapore—technology is a common, unifying language. Axiata doesn’t dictate technology choices to its subsidiaries—it encourages using the best options for each region. But Axiata companies do collaborate on non-negotiable matters, like their cybersecurity strategy. “We’ve improved on our original cybersecurity strategy for the entire group of Axiata companies, extending it to become our standard for digital trust and resilience for 2023,” explains Muhammad Muslim Mansor, Head of Cyber Threat and Incident Management at Celcom. “We’ve clearly defined what we want to achieve, but Axiata doesn't limit us to a pre-chosen vendor or solution. Instead, we share our experiences with the technologies we deploy.”
Celcom is proud of its role as an influencer in that group. When it migrated from its existing extended detection and response (XDR) solution to Microsoft Security solutions, particularly Microsoft Defender for Identity and other Defender solutions, the rest of the group noticed. Now, parent company Axiata and one of its other subsidiaries, Edotco, use the solution.
Focusing on understanding user behavior
Zondin Shamsudin, Head of Information Security Governance, Risk, and Compliance at Celcom, knows that the effectiveness of even the most stellar technology is tempered by the people using it. “Human behavior is one of the things we worry about the most,” he says. “How to spread awareness about cybersecurity issues is one of our biggest concerns, especially with our diverse user group—everyone from truck drivers to technology experts.”
Zondin worries about the rise of social engineering, especially phishing attacks, a rapidly increasing and evolving threat. Attachments are an increasingly common feature of phishing emails, and those emails are growing steadily more sophisticated, with attackers now trying to press beyond email to infect collaborative tools, like Microsoft Teams. Some users are particularly vulnerable to phishing emails, he notes. Even with the best of intentions, people are more likely to suspend their usual caution and click through emails when they’re in a rush—whether they’re in a hurry to leave work behind on a Friday, feeling overwhelmed by a backlog of email on a Monday morning, or catching up after a vacation.
Muslim deals with the other side of the question. Illustrating the magnitude of phishing threats to management is difficult when no actual incident has occurred. The Celcom Cyber Security team knew that the key to reducing social engineering risk lies in bringing awareness to users with a simulation that would also provide data to track and report progress. The team investigated several attack simulation solutions, but none of the candidates offered the seamlessness and ease it wanted. Many required technical knowledge and time to develop the payload—the content of the faux phishing email. The team also wanted to customize simulated attacks easily. Faster payload development means faster simulation launch, and thus the ability to launch more simulations.
Enjoying the heightened productivity of a connected Microsoft landscape
When Microsoft offered the Celcom Cyber Security team the opportunity to trial Attack simulation training as a private preview, they eagerly accepted. After all, Celcom already uses Microsoft 365 and Microsoft 365 Defender, and it gets valuable information from the “report phishing” email feature in Microsoft Outlook. “The ‘report phishing’ email feature in Outlook is excellent,” says Zondin. “It’s another example of Microsoft interoperability, and as awareness grows through attack simulation training, people use it more and more, which enhances our ability to safeguard endpoints.”
Having used competing XDR solutions, like Carbon Black and CrowdStrike, the Celcom team preferred the coverage provided by Microsoft Security solutions. “We appreciate the inclusive coverage Microsoft Security solutions provide,” says Muslim. “We automate our detection and response capabilities with the flexibility and machine learning behind these applications to tag and highlight true and false positives. That improves protection while also increasing our productivity.”
The team also uses Microsoft Defender for Endpoint and Azure Active Directory for endpoint and identity/access management respectively, adding Microsoft Intune in Microsoft Endpoint Manager to cover mobile device management. Finding an attack simulation solution that could seamlessly fit with that infrastructure was like sliding a final puzzle piece into place.
For Muslim, the value of interoperability can’t be overstated. “We get a lot of benefit from the machine learning behind the Microsoft Security solutions because we can work very flexibly,” he says. “Because we can actually tag and highlight examples of accurate versus false positive flags, we can automate a great deal of our detection and response function.”
Creating a culture of care
In one year, the Celcom team has been rewarded by a dramatic drop in phishing vulnerability. “A lot of people were caught by our initial phishing simulations,” says Zondin. “In the year since implementing Attack simulation training in Microsoft Defender for Office 365, the incidence of clicking on phishing links reduced by 9 percent.” He finds that Celcom workers now routinely share information about phishing and use the Outlook “report phishing” feature both to keep his team informed and to add to the company’s trove of phishing attack intelligence. “The Outlook ‘report phishing’ email feature is excellent,” he adds. “That’s another way that we get the capabilities we need all integrated in one neat package.”
Darweena Mohamad Shari, Information Security Governance, is the face of cybersecurity training at Celcom. The ease of use in administering Attack simulation training makes her life easier—and more productive. “Anyone from our team can use Attack simulation training to create their own custom payload to test for the threat of the moment,” she says. “The reporting gives us a clear picture of staff awareness, and we’ve seen strong improvement. Most importantly, staff proactively reach out to me to check on suspicious emails.” That ease of use means more simulations—and heightened awareness. “We can do many more phishing attack simulations because this tool is so easy to use,” says Zondin. “We’ve gone from two in our first year to more than five this year. We plan to launch simulations every two months.” Because reporting is so simple, Celcom keeps top management better informed for on-point decision making.
That’s good news for Muslim on every front. “Prior to using Attack simulation training, we had to deploy one of our highly skilled technical staff to develop and test the payload,” he says. “We’ve decreased the time our staff spend on simulation development by 70 percent. Now, nontechnical people can manage the entire process and our technical staff can spend their time on innovation.” He adds that his team previously had to turn some of Celcom’s defensive systems off briefly so that the fake phish could pass through—because they would block it otherwise, which of course defeats the purpose.
As social engineering relentlessly evolves, the team appreciates the ability to engineer their own phishing simulations to keep up. Developments like “whaling”—the targeting of a specific senior member by a cybercriminal pretending to be a peer in order to gain trust, then asking for sensitive information—continue to blight the digital world. “We have a highly effective and productivity-enhancing tool with Attack simulation training in Microsoft Defender for Office 365,” says Muslim. “I can’t emphasize enough how important the ease of use and reporting capabilities are to helping us keep Celcom safe.”
Find out more about Celcom on Twitter, Facebook, and LinkedIn.