Traveloka Information Security Awareness Program

Johaness Johaness
Traveloka Engineering Blog
7 min read · Oct 11, 2022
Photo by Roman Kraft on Unsplash

Editor’s Note: Building an information security awareness program is an art that requires the right balance of not only a complete understanding of information security policy, regulation, & technical aspects, but also a careful consideration of the human aspect & culture.

Johaness would like to share the journey he and his team took to design and implement an effective information security awareness program, one that established a cybersecurity culture where employees, as the first line of defense, are better equipped to recognize and respond to threats and, ultimately, enhance Traveloka's overall information security posture.

Johaness is Governance, Risk Management, & Compliance (GRC) Lead with the Information Security team. His responsibilities include, but are not limited to, managing the team that develops cybersecurity policy to ensure Traveloka's activities are aligned with business goals and comply with applicable laws and regulatory requirements.

Introduction

An Information Security Awareness Program plays a vital role in establishing a good information security culture in an organization. Designing an effective program that changes user behavior for the better and reinforces solid security practices requires a thorough understanding of the organization's environment. On top of that, management support is essential to ensure the program is implemented successfully. Let me share how Traveloka designs its Information Security Awareness Program and what the key components are that ensure its effectiveness.

The Importance of Information Security Awareness

Information Security Awareness, which many organizations overlook, brings a real benefit to employees, and not only in their professional role, whether that is a security administrator who manages servers and firewalls or a product manager who develops the organization's marketing strategy. It also helps them as home users who receive telemarketing loan offers or simply manage a Netflix account. The growing use of personal data and digital assets has made managing information security even more challenging.

Employees who use an organization's resources are often targeted because they usually have access to sensitive data, credentials, and other information that could be used to cause serious damage to the organization. Employees are also highly susceptible because the techniques used by adversaries keep getting more sophisticated. For example, social engineering techniques such as phishing, scamming, and pretexting exploit human nature to deceitfully gain sensitive information or access to an organization. Despite the organization's effort and investment in technical solutions to mitigate these malicious activities, none of it will be truly effective without an embedded culture of information security awareness.

According to 2022 Verizon Data Breach Investigations Report (DBIR),

82% of data breaches logged in 2021 involved a “human element” such as falling for phishing, re-use of stolen credentials, insider malfeasance or simply causing a configuration error.

The report highlights the ever-growing importance of having information security awareness across the organization. Building a robust information security culture is crucial to ensure that employees possess sufficient knowledge and skill to adapt to the constantly changing threat landscape in order to protect themselves and, ultimately, the organization.

Building an Effective Information Security Awareness Program

Before diving into how Traveloka designed its Information Security Awareness Program, let us discuss what constitutes an effective Information Security Awareness Program.

According to Hueca et al. (2021), the primary focus of the Information Security Awareness Program is to

  • Inform the employee of information security risk.
  • Make them aware of common fraud and of the information security policy, with the purpose of influencing employee behavior.
  • Guide the employee in making the right decisions.
  • Improve skills and knowledge to identify common threats.

NIST SP 800-50, Building an Information Technology Security Awareness and Training Program, as cited by Hueca et al. (2021), outlines several elements of a successful Information Security Awareness Program:

  • Establishing an information technology security policy that reflects business needs and addresses known risks.
  • Informing users of their responsibilities.
  • Identifying recurring processes for monitoring and reviewing the program.

In addition, Hueca et al. (2021) list several components as best practices that an information security awareness program should have:

  • Leadership involvement: Senior leadership should support the awareness program; users will be aware of senior leadership involvement and will react accordingly.
  • Persistence: For an awareness program, the best practice is to build a year-long plan with specific learning milestones throughout the year.
  • Relevance: Cybersecurity awareness programs should be relevant to the users and their day-to-day tasks.
  • Immediate feedback: Providing hands-on training reinforces awareness activities covered in the campaign or program.
  • Assessments: To determine any required adjustment, you need to understand where the program starts and how it progresses over time. Using identified metrics will help determine adjustments that need to be made.

Information Security Awareness Program in Traveloka

Traveloka’s Information Security Awareness Program comprises 5 campaign categories:

1. New Joiners Awareness Campaign

We realize that not all new joiners have the same level of information security awareness maturity. Unfamiliarity with the new environment and culture can make new joiners vulnerable and easy targets for adversaries. This campaign proactively lays a foundation and establishes a baseline by introducing and building the information security culture as early as possible for new joiners. It focuses on the information security policy, standards and procedures, socialization of employee responsibilities and expected behavior, and the best practices and resources they can use in times of crisis.

2. Compliance-Focused Awareness Campaign

The campaign is created to meet the law, regulation, and/or compliance requirements related to information security awareness activities that Traveloka must undertake.

3. Advanced Training Campaign

This campaign goes beyond the annual awareness and training. Not only does it focus on promoting awareness and behavior change, it also aims to improve the awareness maturity level and strengthen organizational security. The materials are specifically catered to each Traveloka team's needs to ensure that employees have the relevant information security skills and competencies to respond and adapt to the constantly changing threat landscape.

4. Phishing Awareness Campaign

The Verizon DBIR cited above identifies Business Email Compromise (BEC), including phishing and pretexting attacks, as the top contributors to the social engineering pattern, the breach pattern that involves humans directly. This campaign is created to raise awareness of phishing threats and educate employees on how to protect themselves and the organization from BEC. The campaign consists of two activities:

  • Phishing Simulation that simulates real and recent phishing trends.
  • Training on how to recognize, avoid and report these attacks.

The phishing awareness campaign in Traveloka adopts a blameless culture so that employees who fall for a simulation are not burdened with guilt or punished for it. Instead of naming and shaming, the employee is privately enrolled in remediation training. Because the behavior we want is prompt reporting, how many employees reported the simulated email and how quickly matters as much as how many clicked.
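The "Assessments" best practice above and the phishing simulation described here both come down to the same mechanics: turn a simulation tool's raw results into aggregate metrics for the program owner and leadership, and into a private, per-employee enrollment list for remediation training, without ever putting names into the report. The following Python script is an added example and is not Traveloka's tooling; the CSV layout, the column names, the sample rows and the remediation tiers are all constructed assumptions for illustration.

```python
"""Score a phishing simulation and build a blameless remediation list.

Added example, not Traveloka's code. The export format below is an assumption:
one row per recipient, with empty fields where an event never happened.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample export from a hypothetical phishing-simulation tool (not real data).
SAMPLE_EXPORT = """email,sent_at,opened_at,clicked_at,submitted_at,reported_at
a.user@example.com,2022-09-05T09:00Z,2022-09-05T09:12Z,,,2022-09-05T09:14Z
b.user@example.com,2022-09-05T09:00Z,2022-09-05T09:30Z,2022-09-05T09:31Z,,
c.user@example.com,2022-09-05T09:00Z,2022-09-05T09:02Z,2022-09-05T09:03Z,2022-09-05T09:04Z,
d.user@example.com,2022-09-05T09:00Z,,,,
e.user@example.com,2022-09-05T09:00Z,2022-09-05T10:00Z,2022-09-05T10:01Z,,2022-09-05T10:05Z
"""

TS = "%Y-%m-%dT%H:%MZ"  # timestamp layout used by the constructed export


def parse_export(text: str) -> List[dict]:
    """Parse the CSV export; absent events stay as empty strings."""
    return list(csv.DictReader(io.StringIO(text)))


@dataclass
class Summary:
    sent: int
    clicked: int
    submitted: int
    reported: int
    minutes_to_first_report: Optional[float]

    @property
    def click_rate(self) -> float:
        return self.clicked / self.sent

    @property
    def report_rate(self) -> float:
        return self.reported / self.sent


def summarize(rows: List[dict]) -> Summary:
    """Aggregate metrics for the assessment: clicks, credential submissions, reports."""
    clicked = sum(1 for r in rows if r["clicked_at"])
    submitted = sum(1 for r in rows if r["submitted_at"])
    reported = sum(1 for r in rows if r["reported_at"])
    # Minutes from send to the earliest report: how fast the SOC would have heard about it.
    delays = [
        (datetime.strptime(r["reported_at"], TS) - datetime.strptime(r["sent_at"], TS)).total_seconds() / 60
        for r in rows
        if r["reported_at"]
    ]
    return Summary(len(rows), clicked, submitted, reported, min(delays) if delays else None)


def remediation_list(rows: List[dict]) -> Dict[str, str]:
    """Who to enrol privately in remediation training, and at which tier (assumed tiers).

    Entering credentials on the landing page ("submitted") outranks a bare click.
    Someone who clicked and then reported is still enrolled: reporting is the behaviour
    we want, but the click is all an attacker needed.
    """
    tiers: Dict[str, str] = {}
    for r in rows:
        if r["submitted_at"]:
            tiers[r["email"]] = "submitted"
        elif r["clicked_at"]:
            tiers[r["email"]] = "clicked"
    return tiers


def leadership_report(summary: Summary) -> str:
    """Aggregate-only line for management: rates and trend inputs, never names."""
    first = "n/a" if summary.minutes_to_first_report is None else f"{summary.minutes_to_first_report:.0f} min"
    return (
        f"sent={summary.sent} click_rate={summary.click_rate:.0%} "
        f"credential_submit={summary.submitted} report_rate={summary.report_rate:.0%} "
        f"first_report_after={first}"
    )


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print(leadership_report(summarize(rows)))
    # The per-person list goes to the LMS enrollment, never to a shared channel.
    for email, tier in remediation_list(rows).items():
        print(f"enrol {email} -> {tier} remediation module")
```

Run the same script against every simulation round and keep the leadership line per round; the trend in click and report rates across rounds is the assessment metric the best-practice list asks for, while the remediation dictionary is the only place individual names appear.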

5. Non-Mandatory Awareness Campaign

This campaign is an addition to the information security awareness program for employees who want more information security awareness and training materials than the mandatory campaigns provide.

Additionally, to ensure that Traveloka's Information Security Awareness Program is effective, five rules of thumb are applied:

  1. Management Support
    The paramount aspect of building an information security culture is obtaining support from management, leadership, or someone with the authority to back the Information Security Awareness Program. Without that support, the awareness campaign is unlikely to be prioritized against employees' busy schedules of bug fixing and releasing new features into production. In Traveloka, the Information Security Awareness Program is endorsed and supported by the C-suite to ensure that the awareness and training are taken seriously by all employees. This makes a huge difference in ensuring the information security culture prevails.
  2. Delivery Method
    Instead of relying only on traditional delivery methods such as classrooms, email blasts, posters, or computer screensavers and wallpapers, which have proven ineffective (i.e., they are often ignored), Traveloka uses a Learning Management System (LMS) platform to deliver its information security awareness content to employees.
    We provide various types of information security awareness content to our employees such as video-, game-, or simulation-based. The LMS helps us to promote the information security awareness content effectively and efficiently, especially during the pandemic, with the following four benefits:
    — Employees can complete the training at their own paces.
    — No need to worry about how to fit classroom training sessions into participants’ busy schedules, nor the resources to conduct multiple sessions.
    — Assessment, attendance and training progress data can be stored and tracked in LMS.
    — Feedback to the information security awareness program can also be collected in LMS (depending on the platform).
  3. Awareness or Training Duration
    The topics and content of the information security awareness program are curated so that employees are not overwhelmed by excessive learning material. The total learning duration is also chunked over multiple sessions without hindering the outcome of the awareness or training. On average, an information security awareness campaign at Traveloka takes 30–45 minutes per semester.
  4. Relevant Materials
    As each campaign has a different scope and objective catered to its target audience, each department and position level is given different materials, defined by a risk-based approach. For example, engineers receive advanced training on how to build secure software, while finance teams are trained on how to spot a BEC.
  5. Continuous Improvement
    The content quality, relevancy, freshness, and duration of the information security awareness program are reviewed at least annually. Feedback from the employees is crucial and taken seriously as a data point of improvement to ensure that the information security awareness program continues to evolve effectively.

In a nutshell, building an information security awareness program is an art that requires the right balance of a complete understanding of information security policy, regulation and technical aspects on one hand, and careful consideration of the human aspect and culture on the other. As Hueca et al. (2021) point out, an Information Security Awareness Program, if designed and implemented effectively, can establish an information security culture where employees, as the first line of defense, are able to recognize and respond to threats and may ultimately enhance the organization's overall information security posture.

If you find this topic interesting and would like to be part of our team building more exciting information security initiatives and programs for Southeast Asia's lifestyle superapp, explore the available career opportunities and join us at Traveloka.
