CASE STUDIES
Hera Group, Cybersecurity starts with training
Overview
With headquarters in Bologna, the Hera Group is one of the leading multi-utility companies in Italy, operating in 265 municipalities. It provides energy (gas, electricity), water (waterworks, sewerage and purification) and environmental (waste collection and disposal) services to about 4 million citizens. It is a company with more than 9,000 employees which, like any company, has to face the challenges of cybersecurity every day.
The challenge
To take into account the evolution of the external context and prevent possible critical situations, Hera decided to strengthen its control of cybersecurity issues by setting up the “Information and Cyber Security Management” structure in 2020, dedicated to IT and OT security, with more challenging objectives not only in terms of training, but also in creating a broader corporate culture on the subject.
The solution
After conducting a thorough scouting phase, the Group decided to rely on Cyber Guru’s approach to make the sought-after quantum leap. In particular, it chose two solutions: Cyber Guru Awareness, e-learning with micro-lessons on threats and the right behaviour to avoid them, and Cyber Guru Phishing, an artificial intelligence-based anti-phishing training solution.
The multi-utility uses Cyber Guru solutions to create awareness and improve internal user defences.
Crucial to the topic of training and therefore digital awareness was the involvement of the Central Personnel and Organisation Department. Giorgia Silvi, Organisation and Training Representative for the Innovation Department of the Hera Group, explains in this regard that “Cyber Guru, through a platform accessible directly from our e-learning portal MyAcademy, immediately proved to be fully compatible with the digital evolution path started in 2017 with the HER@futura project, which provides for a structured and continuous change management plan to guide all colleagues in the digital transformation path of our company”.
The Cyber Guru Awareness project is on a voluntary basis, with a steadily growing membership for an activity that conveys content that is immediately stimulating and effective, yet simple in language and relevant to the daily life of every employee, and that proposes practical cases of attacks that can also occur in everyone’s private sphere. “We saw great enthusiasm from the workers, with direct feedback on the quality and usefulness of the contents. They appreciated the ease of use and the appropriate duration, as well as the application of what they learnt also in their private lives,” says Silvi, adding that the project – which has had the support of top management from the outset with dedicated videos by Stefano Venier, Hera’s CEO – also envisages leveraging internal communication to stimulate participation not only in the micro-learning content, but also in the gamification initiatives that can be designed on the platform.
Recognising email fraud
“With the new platform, the approach has been radically changed to introduce real user training with achievable improvement goals through effective self-adaptive technology. I am referring to sending a monthly phishing simulation email built on the basis of ten different templates with varying degrees of difficulty. Artificial intelligence decides what kind of emails to send, when and to which users, bearing in mind the level reached by each recipient, which is calculated on the basis of their behaviour with previously received ‘ethical’ messages.
A marked increase in performance was observed compared to the old method: already ‘strong’ users are able to enhance their capabilities through increasingly challenging emails, while initially ‘weaker’ users are able to gradually improve through simpler campaigns dedicated to them. The data aggregation also makes it possible to track the progress of activities and to introduce the necessary corrections while guaranteeing the anonymity of the personnel involved. At the same time, we have noticed an increase in direct reporting on our dedicated channel, a clear indication that the community feels strongly involved and decides to contribute when they feel they have received a fraudulent message,” says Caterina Corbo, Head of Planning and Monitoring.
To read the full interview prepared by Office Automation click here.