Dumarey, the automotive excellence group
After just one year with Cyber Guru, cyber risk is much lower
The Dumarey Group was formed, under this name, about a year ago but its history is much older. It was born behind the drive of Guido Dumarey, founder and current president, who made his first acquisition in 1983: a small Belgian company specializing in metal punching. Until a year ago known as Punch, the group has established itself in the market as an independent supplier for the development, integration and production of high-performance propulsion systems, starting with transmissions and engines. The Group employs more than 3,000 people in 6 locations in Europe and Asia, with annual sales of about 1 billion euros.
Organized into different business units, the Group collaborates and shares its know-how to meet various customer needs and demands, from powertrains to transmissions and integrated software.
Given the amount of information it handles, the high number of employees and the high technological profile, the company has chosen to have a special focus on information security.
Speaking to us about this is Paolo Carlo Pomi, the company’s Ciso for about a year now, who, in addition to focusing on technology has bet on employee training, partly because industry certifications require the company to engage in staff training and awareness on cyber security issues.
“I believe that in order to be more resistant to social engineering attacks,” Pomi says, “continuous training is necessary. In my field, the effectiveness of the face-to-face course, done once a year, may solve the compliance problem, but it is not effective enough to manage risk. On this issue, communication often comes across as boring and uninvolving. To protect the company from growing cyber risk, technology must be coupled with a training solution that is quick and easy to deploy and measurably effective, which in is able to lower the risk in a short time, turning employees into the first line of defense against cyber attacks.”
According to Pomi, the strength of a training plan like Cyber Guru’s lies primarily in the continuity of the message. “An ongoing program with training and simulation sections and testing resilience in the face of social engineering attacks. It’s not just phishing, but it’s another line of defense, in addition to technology, that turns every employee into a vigilant guardian of the company’s boundaries.”
In addition, today we are all connected, and often the two worlds, the professional and work world and the personal world, overlap and become confused.
“This, in fact, is another major risk factor that can no longer be ignored,” says Pomi. “No matter how hard we try to keep the two separate, even using enterprise devices, the social engineering attack plays heavily on this interpenetration. Thus, since you cannot control employees’ personal devices, the only way to lower the risk is to raise their awareness and attention.”
With Cyber Guru “Many report and few click”
The Cyber Guru training program has been adopted by the Dumarey Group for about a year now, first in the Turin office and recently in the other offices for only those staff who have a corporate email.
“In the long term, my goal,” says Pomi, “is to extend this type of training to people who do not have a corporate email available. In fact, it’s a useful type of training for the personal sphere as well, and regardless of the context in which you operate.”
According to Pomi, one year after adopting the training program, the first important feedback is already being seen. “There has certainly been an increase in awareness and a lowering of the risk level. Many are reporting and few are clicking. An incident that confirms this new trend is one from a few days ago, an employee told me that to make a reservation at a restaurant he was asked for his credit card information. However, the page where he was supposed to enter them was strange and lacking in certification, and so the reservation was not made. This is a confirmation of how a training course such as Cyber Guru’s is capable of raising the threshold of attention to recognize a potential scam. This was not an insider, but a salesperson. So the message, explained in a concrete, practical, and understandable way, reaches everyone, regardless of the tasks employees perform. After one year, the level of awareness is much higher than before. In addition, this ensures the company is successful in the visits of the auditors of the various certifications who ask for an account of the awareness part and the training part.”
Certainly, the one proposed by Cyber Guru is a newly designed training model and one that deviates quite a bit from traditional training.
“The point is,” Pomi concludes, “that the average user does not want to hear theory for insiders but wants to know, for example, what are concretely the five most important things they should not do to avoid falling into an IT trap.
Continuous training is necessary, because the attention muscle must be kept trained as well.
After all, it can happen to anyone to unintentionally initiate an attack, all it takes is a moment of distraction to do serious damage, considering that the use of artificial intelligence makes attack techniques increasingly cunning and refined.
Cyber Guru’s model is a winner because it has precisely this kind of approach and takes into account the fact that the target of criminals is now predominantly human and technology alone is not a sufficient barrier.”
