August 23, 2022

bp bolsters its threat resilience with Microsoft Defender for Office 365

bp’s ethical phishing program required manual effort. Its third-party solutions were not fully integrated with the company’s security and operations systems, which made attack simulation data hard to manage efficiently. The energy company partnered with Microsoft to implement attack simulation training in Microsoft Defender for Office 365, using the solution to streamline bp’s ethical phishing capabilities and reduce the effort of testing and reporting. Now, bp can send two automated attack simulations per month to around 75,000 employees, with most of the effort managed by one security engineering specialist.


“We need to be ahead of phishing strategies. Our attack simulation training capabilities in Microsoft Defender for Office 365 enable us to do so.”

Ritesh Patel, Security Principal, bp

bp is reimagining energy, shifting from being an international oil company to an integrated energy company, and aiming to be net zero by 2050 or sooner. Protecting intellectual property and securing data and digital and operational infrastructure against malicious actors and attacks that could derail the company’s transformation journey is a top priority. 

Digital security, a “core part of everyone’s role”

bp values the importance of user behavior training and ethical phishing in optimizing its security. Its goal is to support employees and help them better recognize malicious threats and phishing attempts using technology and best security practices that help improve its overall security awareness. 

“To reimagine energy, we also need to reimagine digital technology because it underpins everything we do. We’re driving digital and innovation, enabling bp and its customers to thrive in the energy transition to net zero,” says Ritesh Patel, Security Principal at bp. “Digital security is more than just IT. It must be the core part of everyone’s role.” 

The company’s process of creating and maintaining phishing campaigns was cumbersome and time-consuming. The security team used a third-party solution for its ethical phishing program. However, because the solution was not integrated with bp’s security and operations systems, it did not automatically gather, analyze, and share attack simulation data. Data on which employees clicked on tests was collected manually, then uploaded into SharePoint or emailed to security teams, who processed it and used it to plan improvements.

bp wanted an automated service that could provide attack simulation testing and training on demand and more frequently. “We don’t like to just send out tests. We want users to know what to do and look for instinctively and how to respond to the situation,” says R. Patel. 

To strengthen its security and protect critical data and infrastructure, bp sought collaborative technology partners to help the company design more robust security capabilities. bp worked with Microsoft Security to test and offer feedback and feature requests to enhance attack simulation training in Microsoft Defender for Office 365 and solve its enterprise-scale needs. 

The company now has a more straightforward, more automated testing process. After adopting attack simulation training, bp streamlined its ethical phishing capabilities and its testing and reporting process. Previously, bp would conduct about four ethical phishing campaigns a year. Now, one security engineering specialist handles most of the effort, sending two automated attack simulations per month to around 75,000 employees. “Through Defender for Office 365, we get the attack simulation training capabilities and reporting tools all in a single platform,” says R. Patel. 

Design-informed partnership 

Attack simulation training in Defender for Office 365 combines bp’s expertise, attack simulation data from testing thousands of enterprise employees, and design-driven security engineering principles at Microsoft. 

bp worked closely with Microsoft in the early attack simulation training deployment stages and later became a design partner, recommending key functionality for improvements. The company ran up against the limited number of email and landing page templates and gave Microsoft the feedback needed to improve the solution.

Now, the bp security team has more customizable email templates and landing pages for compromised employees, which bp can add and design to represent real-world threats and current events. The team also requested an increase in the number of days an attack simulation would run (from 7 days to 30 days). 

Says Chandni Patel, Information Security Engineering Specialist at bp, “It’s nice that bp and Microsoft have this collaborative relationship where we can challenge each other’s ideas to improve the attack simulation training capability and the ethical phishing campaign process at bp.” 

Now, bp can use various phishing templates provided by Microsoft or customize attack simulations using content and context that offers users more realistic training scenarios that accurately reflect real-world threats. It can automate attack payloads to launch and replay simulations with less manual work and complexity. 

“Using Defender for Office 365 makes it easier to create attack simulations,” says C. Patel. “The number of globally relevant topics for payloads is great, and the fact that we can customize payloads from the attack simulation training templates makes the configuration process much easier.” 

Changing culture with positive reinforcement indicators 

bp’s security strategy emphasizes improving security awareness and training employees as the company’s first line of defense. It does this by reinforcing positive security practices. 

“One of the essential benefits of using attack simulation training is the learning component for users,” says R. Patel. “User education is critical for bp. Every employee contributes to a team, as well as a personal, cyber barometer score based on the output from Defender for Office 365.” 

The cyber barometer score dashboard created by bp displays behavioral metrics for bp’s core information security rules. The company uses this as a digital indicator of trends in overall security behavior and awareness by employees, teams, and organizations. bp converts its ethical phishing test results into key performance indicators that account for a portion of the cyber barometer score. It uses the score to reinforce positive user behavior and sets companywide targets to help improve behaviors tracked by the cyber barometer scores. 

When a bp employee successfully identifies and reports phishing attempts from the training set, attack simulation training automatically responds with an email within 5 to 10 minutes congratulating them and reinforcing phishing security awareness. Before, the security team had to do this manually, and they would send the email at the end of the campaign, sometimes a week or more later, missing the opportunity to immediately recognize behavior and reinforce security awareness.

“We know from feedback that employees appreciate the real-time positive reinforcement feature in attack simulation training, and it is helping to embed learning from the tests and change behaviors,” says C. Patel. “We worked together with Microsoft to develop this core capability.” 

By taking a user-centric approach to designing, managing, and measuring performance with ethical phishing simulations, bp better prepares employees using tested security engineering and simulation techniques to mimic attacks. It can test security policies and practices and improve employee awareness about the risks of phishing and ransomware attacks. And bp can use attack simulation training to automate segments of employee training and awareness programs that reinforce security awareness best practices. 

“We can now take real attacks happening right now, de-weaponize them, and use these in attack simulation training to test against the latest phishing techniques,” says R. Patel. 

Simulate to stay ahead

bp considers attack simulation training in Defender for Office 365 a tool for its security operations, one that exemplifies its emphasis on solutions that help the company shift left on security. By partnering with Microsoft to help design better attack simulation software, bp created an agile feedback loop to develop better security awareness and quickly implement more robust security measures. 

“We need to be ahead of phishing strategies,” says R. Patel. “Our attack simulation training capabilities in Microsoft Defender for Office 365 enable us to do so.” 

Find out more about bp on Twitter, Facebook, and LinkedIn.
