Learn why a 3x customer chose Curricula to power Webflow’s security culture.
Security awareness is not a one size fits all. You’ll have people in your organization who think they know it all from a security perspective, so you have to be able to turn it up a notch…
Working in a software-as-a-service (SaaS) organization can sometimes lead to a false sense of safety. Surrounded by engineers and technology pros, an employee might believe they have the best security possible simply from being around so much tech. However, even the people who are the most proficient in technology are also susceptible to cyber threats.
Kendra Cooley, Senior Information Security Manager at Webflow, knows this all too well from her experience. “Employees say ‘we’re secure, we don’t need training’ but so many people just don’t understand the level of risk they’re opening themselves—and the company—up to when they click something.”
Before starting to build a culture of security, it’s important to have a foundation on which to develop a security awareness training program. For Kendra, one of the first things she does when entering a new organization is to send out a phishing simulation to see how many employees might click the email or give up their credentials.
This data is important for Kendra to show her executive leadership team just how vulnerable the company was to a cyber attack, and that even the most talented individuals could fall victim to an email phishing scam.
That’s when I started looking for a new security awareness training company and ultimately what led to me using Curricula.
Knowing she wanted to do something different and would need more than the usual training content to engage her highly intelligent team members, Kendra opted to look for a fun security awareness program with a compelling story. That’s when she learned about Curricula, our animated episodes, and what it meant to ‘Defend Against DeeDee!’
Kendra said one of the things she personally fell in love with is how the Curricula team talked about ‘Curriculaville’. “I thought, ‘That’s so cute! Who wouldn’t want to participate in training like this?’” But she also wanted her team of tech-savvy pros to feel a level of investment in their cyber security training and recognized that giving them a voice was important in the decision-making process.
To get started, Kendra set up an initial pilot to share the world of Curricula with her fellow IT team members. She knew it was important to get their feedback. “Curricula’s content is enjoyable, even for IT to watch, as well as for other employees to learn. It was great to hear our engineers buy-in to the idea of ‘Defending Against DeeDee.’”
This is something we have to do from a compliance perspective, and it’s only 10 minutes of your time every month. We could at least make it entertaining. Who doesn’t like sitting down and watching a fun cartoon?
Some of the other feedback Kendra received from another pilot group included:
“Those videos presented the basics in an accessible way (prior knowledge or not). It was refreshing compared to just clicking through questions on a white screen.”
“Definitely a great system to get information across.”
“Those were really fun and informative! I plugged in my back-up hard drive right after watching the Ransomware one.”
Launching a New Security Awareness Training Program
After the pilot and getting buy-in from her peers (plus the executive team) it was time for Kendra to roll out Curricula to all the employees in her organization for security awareness training. One way to increase adoption of the new training program was to incentivize employees. At one organization, Kendra gave out several hundred ‘Defend Against DeeDee!’ stickers to promote the new content.
Another way she incentivizes participation in the training was to give out tokens for exemplifying the organization’s core values. “The first 15 people to make it through the course got a coin, or the first person to catch DeeDee’s phishing campaign got a coin. It helped to build friendly competition within the group to do their security awareness training.”
Kendra was pleasantly surprised to discover an ‘insane hunger for people to learn more about security.’ She said since the beginning of her conversations with the Curricula team, she loved how people were so creative with the training content.
There are ways to get people excited about the episodes. I actually had people reaching out to me asking, ‘when are you releasing the next video?’ When I’d heard from Curricula that people would do this I thought, ‘uh huh, sure…’ but that really truly happened!
True heroes believe in the power of teamwork, and that’s one main reason for Kendra’s success. Instead of making a decision by herself to buy a certain software, she continues to leverage Curricula’s ability to do a pilot program and ensures she has buy-in from everyone involved in security awareness training.
She demonstrated this need for security education to the higher-ups, which was heavily influenced by the results of the initial phishing simulation. The leadership team was engaged and invested in building a culture of security after discovering how bad a potential phishing problem could be with clicks and business email compromises.
And after getting feedback plus buy-in, she engaged employees in the launch of the new training program by incentivizing them with rewards. “The content was so good, people got excited about it, and our security program was rewarded by building trust between our information security team and our employees,” Kendra said.
Building trust leads to better outcomes, and by making security awareness training fun actually encourages employee engagement so they learn how to better be the first line of defense against a potential cyber attack.