OpenClassrooms’ CyberSecurity Month, or how we managed to make Security fun and accessible to everyone

At OpenClassrooms, over the past year, significant investments have been made to reinforce the Security and Privacy side of the company. Our approach is to make Security and Privacy accessible (just as our company’s mission is to “make education accessible”).

We decided to organize a first edition of the CyberSecurity Month. The company has grown a lot, and this was an opportunity to involve more people in Security.

Below you will find what we did, some lessons learned (and of course some fun gifs ;-)).

Let’s build a plan

At OpenClassrooms, we position the Security and Privacy topics as follows:

  • A topic accessible to everyone
  • Something fun
  • Your best friends when you have trouble to deal with (or are anticipating it)

So the CyberSecurity Month had to be aligned with these principles.

In addition, for this 1st edition, we set ourselves the following constraints:

  • Everything organized had to come on top of our normal activities; however, we should be able to promote content we had already produced
  • Everything was on a voluntary basis, i.e. we did not force anyone to participate; however, communication had to reach everyone
  • Everything had to be disruptive, different from what we were doing before, and innovative in the way people learn

With that in mind, we started to explore and set the project up. In the end, our project looked like this:

A well managed communication (and some gifs)

Communication is a key aspect of the Security team’s role. If you don’t communicate internally, or you send the wrong messages, team members will not involve you in their activities and will try to bypass you.

With that in mind, we adopted the following communication methods:

  • A launch announcement at a company-wide meeting (5 minutes)
  • A weekly post in the #general Slack channel
  • All communications must:
    • Be light
    • Have a funny aspect, but related to a topic we want to communicate about
    • Refer to existing work we have done

In the end, the weekly post looked like this:

Fun & collaborative activities internally

We did not do everything ourselves 😅. We also relied on external partners we were really lucky to meet, who helped turn this initiative into a real success.

CyberSensible (now called “Brain Security”)

We met CyberSensible early in May 2022. It is a small and quite young company, but it turned out to have a disruptive product close to our communication positioning.

🎃 CyberSensible (now called “Brain Security”) is a “gaming” platform that lets you level up your Security skills using memes, gifs, movie scenes, etc. As you progress, you learn key Security concepts and attack techniques, and you can even battle a 🦹‍♀️ real-life hacker 🦹‍♀️.

We found it perfect for a “background” standalone activity. It takes around 2 to 3 hours to complete, with additional material for those who want to dive deeper. It covers all the generic Security & Privacy topics (passwords, malware, data protection, etc.).

Trailer here: https://drive.google.com/file/d/1elq8Zltyk9NGpzwSf7DnWVb3zCJxa7g3/view?usp=sharing

Website: https://www.brainsecurity.io/fr/index.html

Cyberwargame

We met CyberWargame at the FIC 2022. We had already heard about it, but this was a good opportunity to meet them and try their board game. They had recently released an online version, which was great for a remote-first company.

🎃 Cyberwargame is an online board game that lets you play with your teammates. 4 players are required: 2 play the 🦹‍♀️ attackers 🦹‍♀️ (our nasty hackers in real life) and 2 play the 🦸‍♀️ defenders 🦸‍♀️ (the Security team ❤️ in real life). The attackers’ objective is to carry out successful attacks; the defenders’ objective is to prevent them from happening.

We found it perfect for a “community” activity with 4 random players. It takes between 30 and 45 minutes to complete a game. It demystifies key enterprise assets, common vulnerabilities, basic attack techniques and protection mechanisms.

Website: https://www.cyber-wargame.com/

Leveraging our community to train the tech population

Members of the OpenClassrooms Security team belong to the SecAtScale community, a group of Security teams from French startups and scaleups. Pigment set up an initiative to organise a cross-company CTF (Capture The Flag) using the Malice platform from Sysdream, aimed mostly at the tech population. The event took place over 1 full day, on the 20th of October 2022, followed by a social event.

Participating companies were: Pigment, Dailymotion, Upflow, Teads and OpenClassrooms.

We found this initiative interesting, even though there was no widespread CTF culture among our tech population. As we wanted it to be on a voluntary basis only, and October is quite an intense month in terms of workload for OpenClassrooms, we ended up with only 6 participants (who were quite happy with the activity).

Websites:

Be innovative in your recurring activities too, like the fake-phishing campaign

In addition to all these new activities, we increased the level of difficulty of our recurring fake phishing campaign.

The objective was to catch people who were overconfident in their ability to detect fake phishing attempts.

The timing was good, as our fake phishing tool, MailInBlack, had just released additional features that we were able to try 👻

What were the results in the end?

Our results were as follows:

  • CyberSensible: 92 users (17%), with 31% overall progress
  • CyberWargame: 10 games, 38 players; Hackers won 7 times, Defenders only 3 times
  • Frenchtech CTF: 6 players, 6 challenges solved (out of 15), good overall satisfaction

Overall satisfaction was as follows:

  • 67% were overall satisfied with our initiative
  • 25% were neutral
  • 8% were unsatisfied

And we received very kind feedback.

In a nutshell, we are really happy with the experience and how it was managed. We spent little effort on this initiative (which was built more opportunistically than as a real project planned in our roadmap).

It allowed us to make Security and Privacy genuinely fun and accessible, and hopefully improved our team members’ level of awareness.

Only the CTF activity needs improvement, in terms of preparation and better involvement from our tech team.

Next year, we will definitely run a similar initiative again. Improvements would be to target the people we struggle to involve in awareness sessions and to increase accessibility.

I hope this article gave you some ideas!
