In a defining moment, Microsoft employees did the right thing.
Ken Sexsmith recalls waiting quietly outside a conference room for a meeting about a new approach for promoting the annual security training at Microsoft. Earlier that day, his team, which is responsible for enterprise-wide digital security education, training, and awareness, was running a company-wide phishing simulation. While waiting for his meeting, Sexsmith overheard some employees questioning the validity of the phishing email.
One of them recalled a recent training and said, “Maybe we need to report it?”
“It was a lightbulb moment,” says Sexsmith, director of Security Education and Awareness in Core Services Engineering and Operations (CSEO). “It was so encouraging to see how employees started talking about the email and knew precisely what to do. It was a highlight of our year.”
Getting to the point where employees recognize phishing emails did not occur overnight. Although Microsoft’s sophisticated anti-phishing technology helps protect customers and employees from targeted phishing campaigns, Microsoft employees still need to stay one step ahead of evolving security threats. To help them get there, Sexsmith set out to change how employees think and learn about security.
“We are on the frontlines of driving digital transformation through behavior and culture change,” says Sexsmith, who adds that the lessons Microsoft learns internally are shared externally with the company’s customers.
Sexsmith’s team aims to start a movement in which everyone wants to be a part of the company’s security story; their goal is to make security personal and change ingrained behaviors.
“We had to win over the hearts and minds of employees,” Sexsmith says. “We had to flip traditional compliance training on its head to make security more engaging, relatable, and fun, but also emphasize the importance of employees using best practices and being responsible for security.”
Employees seeking out new security training
Sexsmith’s team created an engaging, interactive Security Foundations training that uses real-life examples of security threats that have affected Microsoft employees and teams. The training also features a local well-known actor and podcast host that employees can relate to. In its first year, nearly 63 percent of employees across the company took the training. Some employees thought the training was so great that they asked if they could share it with their family and friends.
“A lot of effort and energy was put into making training a more enjoyable experience while helping people not only build the proper skills, but retain the skills they learned,” says Erin Csonaki, an education and awareness program manager in CSEO who runs enterprise-wide training.
Coupled with phishing simulations and ongoing digital campaigns that highlight the digital security team’s strategy to keep the company and its data safe, the training helps employees learn about security risks and build skills that they can apply on a day-to-day basis.
Proof that it’s working? The once-optional Security Foundations training is now required for all Microsoft employees. The revamped training received an extremely positive response from employees and even won an external Telly Award.
“Because we had favorable feedback, we’ve gained credibility and can continue to push the envelope around the way we launch training this year,” Csonaki says.
Whether the team is running a highly technical training for engineers or an awareness campaign for Cybersecurity Awareness Month, Csonaki says that it’s important to communicate the relevance of this training in their day-to-day work. For example, the Security Foundations training emphasizes never letting your guard down when handling email, posting on social media, or connecting to a public wireless network.
“A key for us is making it personal,” Sexsmith says. “The same things you do at home to secure your family are the same things you do at Microsoft. Your technology is vulnerable, and it only takes one minute for someone to take control of your device.”
Reinforcing learning year-round
Along with trainings, the team creates employee awareness about what phishing and other security threats could look like and provides guidance on how employees should respond. For example, Sexsmith’s team creates phishing simulations that are based on real, previously reported incidents.
Blythe Price, an education and awareness program manager on Sexsmith’s team, is responsible for the Phishing Education and Awareness program, which exposes employees to the experience of being phished and provides prevention education and reporting guidance.
“If an employee falls for the simulation and enters data or opens an attachment, an education moment is served up,” Price says. “This reinforces the best practices for spotting phishing, which is discussed in the Security Foundations training.”
The phishing scenario also teaches employees how to respond to security risks using the “Report Message” button in Outlook or in Microsoft’s internal security reporting channel.
“If it’s not quick and easy to report, a user may decide it’s not worth their time and abandon ship,” Price says. “You also have to make sure that the reporting mechanisms are where they are meant to be, whether it’s on a desktop or mobile browser.”
Learning moments from simulations and trainings are reinforced through ongoing awareness campaigns that align with events like National Cybersecurity Awareness Month or certain holidays. This ensures that the conversation about security is front and center for employees.
“You don’t have to know everything,” Sexsmith says. “You just have to know when to pause before entering your credentials and ask, ‘Am I moving too fast?’ That’s the change that we’re driving.”
Understanding the culture of an organization
For other teams or organizations interested in changing the way they approach security training, Price suggests evaluating what resonates with employees and adjusting accordingly. Price also attributes her team’s success to their emphasis on the “why” behind each training or awareness campaign. This has helped employees understand the importance of their participation.
“Instead of snapping to a model, it’s important to know the culture,” Price says. “Don’t be afraid to take chances if something isn’t working.”
Regardless of how you educate employees about security, it should be a two-way dialogue.
“It can be challenging, but it’s also a good opportunity to listen to what’s resonating with employees, and balance it with what’s needed from a security perspective,” Price says.
Sexsmith knows that his team’s approach to security training and awareness can’t rest on its laurels.
“I have a vision of continued evolution,” Sexsmith says. “I often challenge people to think differently, and that’s what got us here.”