BonelliErede

Customer Success Stories
13 October 2023

“It can happen to me too”

The emotional impact that can be the turning point for learning

BonelliErede tells how Cyber Guru’s tools managed to break through the wall of disinterest and helped the whole team reach unexpected levels of digital awareness.

You know those big law firms we’ve all seen in American films, the ones that handle big cases dealing with companies, organisations, and financial institutions? The ones where they work in close-knit teams of professionals who bring all their talents to the table to achieve the goal?

Here in Italy, too, these kinds of organisations exist and are a driving force for the entire national system. Above them all stands BonelliErede, Italy’s leading provider of legal and tax services, operating in all areas of commercial and corporate criminal law, where it mainly provides assistance to companies.

The sectors in which it operates are varied: energy, construction, finance, property, art, and sport, to name but a few. Its team of around 800 people, of whom around 550 are lawyers, always strives to find the most suitable solution for its clients, whether the matter concerns corporate law, tax law, labour law, competition issues, corporate crises and debt restructuring, international arbitration, or much more.

The result is a very close network of relations and exchanges that take place largely via the web and span the world, as BonelliErede has offices in Milan, Rome, Genoa, London, Brussels, Dubai, Cairo and Addis Ababa.

We are talking about an important organisation that is well structured from a computer security standpoint and that has always countered attack attempts over the years with appropriate protection systems.
But even the best have a weak point, and for BonelliErede this was the difficulty of conveying to its large team of professionals the importance of adequate individual training in cybersecurity issues.

Moreover, the subject, as you know, is not an exciting one, and it is difficult to convince people with busy days and major challenges on their minds to devote part of their time to training on a topic that does not directly involve them. Or so they think.

Here to explain how this challenge was overcome is Mauro Baldoni, IT director of BonelliErede.

“The opportunity presented itself with the journey we started in 2017 to obtain ISO/IEC 27001 Certification, an international certificate for Information Security Management System (ISMS). This was obtained in 2019 after a two-year period that compelled us to review all organisational, technological and process measures, as certification requires not only certain active and passive safety systems, but also the development of awareness.

Indeed, we insiders have always known that the weak point in safety lies between the computer monitor and the back of the chair, and that is the human factor. But the problem is how to make it obvious to those who, in life, deal with other things.

As a result, we experimented with different approaches: online teaching, PowerPoint, various types of documents, even short videos produced in-house. Everything failed, however; we could not get the attention of our lawyers in any way”.

TV series for active engagement

“The key was when we realised that by showing an episode of the well-known series Black Mirror, produced by Netflix, in which a typical attack on the CEO took place through the grooming of his teenage son, everyone was glued to the video. The episode appealed to the part of the brain most closely linked to instincts and emotions. There were no concepts to remember or theories to understand intellectually, but rather a well-told story that allowed users to engage in a process of identification with what was being depicted.

In short, they realised that any one of them could have been the victim of that story. This was also amplified by the working methods imposed by the pandemic, which forced many professionals to share their devices with their children, perhaps teenagers, who were attending school classes from home”.

Meeting with Cyber Guru

“We finally worked out how to grab the interest of our target audience, and at the same time we discovered Cyber Guru, together with partner Tormalina, and their various training programmes.

More specifically, their videos, based on the TV series model and starring professional actors simulating real, everyday risk situations and showing the right way not to fall into the trap, were certainly for us.

And so we began this new educational adventure.

This new approach, particularly because it is based on a highly engaging narrative, centred on the exposure of real cases of cyberattacks, was greatly appreciated internally and involved the various professional figures and age groups across the board.

What impressed us the most was that there were incidents of phishing attempts that were immediately intercepted, even by older members. Even those in their eighties, which was a result we did not expect”.

Gamification to motivate and reward

“Another training method that has been very successful, particularly among the younger generation, is that of the team game.

Creating competition between the various sectors and departments and awarding a prize to whoever is first able to find a solution to a security problem or whoever finishes a certain training course first is a source of great enthusiasm.

The prize can be a gift voucher, or the winner’s name can be communicated internally to everyone, so that the winner enjoys a small moment of fame and success. This is gratifying and therefore highly motivating”.

Security Awareness, also for partners and consultants

“As a firm, we do not feel vulnerable; we are structured, and even at the awareness level we can say that we have made a big leap forward in the last 3-4 years.

The problem is that we cannot only rely on ourselves. When we work on cases there are always many other people involved and not everyone has an adequate level of technological sophistication or preparation. Therefore, somebody who is not a member of the firm may be “hacked” and open the door to the pirate on duty, who can get into the email network by pretending to be one of our lawyers, for example, and in doing so damage our image.

So far, all attempted attacks have been detected and stopped, but the problem cannot be ignored.

That is why we launched a campaign targeting partners, consultants, competitors, to ask all those who work with us to take appropriate security measures”.
