CASE STUDIES

TEA Group: why investing in Security Awareness has become strategic

Overview

Founded in 1998 from the transformation of the Municipal Services Company of Mantua, TEA Group—Territory, Energy, Environment—is the leading multi-utility company in the Mantua area. With 650 employees and €491 million in revenue, it provides essential services to 57 municipalities: energy, gas, water cycle, waste management, district heating, and much more. An indispensable point of reference for local communities.

The challenge

The increasing digitalization of internal processes has made cybersecurity a cross-cutting priority for the entire Group. Information systems that are increasingly central to service management have brought new risks, not only technological but also related to the daily behavior of the people who use them. The NIS2 Directive has also required a thorough revision of procedures, guidelines, and approach to security.

The solution

TEA Group chose and adopted the Cyber Guru platform, identified with the support of partner Eurosystem, for its simple language and approach based on everyday examples. The result exceeded expectations: rapid adoption, high participation, measurable reduction in adverse events related to human interaction, and spontaneous healthy competition among colleagues on course scores.

TEA Group has transformed cybersecurity training into a daily routine

TEA Group manages essential services for the Mantua area. This very centrality in citizens’ daily lives makes information system security a responsibility that goes well beyond regulatory compliance. “The security issue is pervasive across all our services,” explains Christian Bassi, Security and Cyber Defense Manager at TEA SpA. “We needed to address it not only from a technological standpoint but also from the perspective of awareness among those who use these tools every day.”

The Group had already worked intensively on revising internal procedures and guidelines. However, a fundamental piece was missing: training people, not just technicians. “We carried out various regulatory and technological activities, but the awareness aspect for those who actually use the systems was missing,” adds Bassi.

The search for the right solution took place with the support of Eurosystem, the Group’s technology partner. “When we saw Cyber Guru, we immediately realized it was the right platform for our needs,” says Bassi. “It wasn’t a pure technical training platform with difficult terms to understand, but used simpler language and provided everyday examples and information that proved very useful in our colleagues’ daily lives.”

An aspect that made a difference even for those without a technical background. “I thought it would be the usual mandatory training, hours and hours of classroom courses,” says Monica Cerosola, Regulation and Regulatory Support Office. “Instead, these short monthly lessons made it possible to tackle them effortlessly.”

“I realized that after this training I’m much more aware of all the activities I do, not just work-related ones,” continues Incoronata Tortora, Legal Affairs Office at TEA.

Rapid adoption and concrete results

Integration of the platform with existing tools was a priority from the start. “Our need was for it to be natural to move from one tool to another, otherwise we risked people postponing the training moment,” explains Bassi.

The feedback from colleagues exceeded expectations. “The response was remarkable,” says Bassi. “Several colleagues felt compelled to share their experience using the tool. And something that made us smile was the healthy competition mechanism that developed among people: at the end of each course, questions are proposed that generate a score, and they started comparing who achieved the highest score.”

Since TEA Group adopted the platform, a measurable reduction in certain types of adverse events related to internet exposure has been observed. “The most exploited attack vector is human interaction,” emphasizes Bassi. “You can’t lock down an architecture: there must be a fluid approach to security.”

For the future, the Group aims to extend training to governing bodies, in line with the requirements of the NIS2 Directive. “We believe Cyber Guru can be successful precisely because it can be accessed at times chosen by the user, not at fixed times during the day. It becomes extremely convenient to give people the freedom to decide when the right time is for training.”