Friday, 26 August 2016

Compliance Training So Good, It’s Almost Criminal

Ask anyone in big business and they'll tell you: Compliance is serious.

But ask anyone why it's serious or where many folks may be most vulnerable or what to do when they find themselves in a bit of a pinch and you're likely to find a blank expression. They look like they've been asked to read a 12,000 page volume of US or European ethics legislation. Which, unfortunately, they have.

For apparently the philosophy behind our current compliance training is "throw this at them and see what sticks." At best, current methods are behind those of, say, information security training by 2-3 years.

But don't panic! We're here to save the day. If we haven't met yet, hello, we're Twist & Shout Communications, a modest little outfit in Leicester. We are the self-anointed Uncertified Sort of Trained Semi-Professional awareness experts who use a little-known device called "humour" to help people learn important things. First, it was information security, but lately we've focused on the aforementioned "ethics."

So let's say you're a "decision maker," probably in the Legal or HR department, and you believe your organization should have a keen awareness of compliance issues. You know they're good people. They know right from wrong. But you've also seen some of them fly through parking lot stop signs and they've sailed by you on the road, while you were also exceeding the speed limit. In late 20th century technical terminology, "Though they were kind, seldom did they rewind."

But perhaps you've also tortured your team with a few Certified Trained Professional Instructors. And you've invested in more than your fair share of never-fail programs -- maybe some even endorsed by celebrities!

This is where we come in. Or, more accurately, where Bernie comes in. Or would come in were he not incarcerated.

"Tuesdays With Bernie" is our breakout approach to bribery and corruption awareness training. Using viral marketing techniques, high quality production and set in today's modern workplace, "Tuesdays With Bernie" is more than a training program, it's a comprehensive, contemporary and conversation-starting show, that's just as entertaining as it is educational.

The show stars Simon, a hard working lad who only wants to do what's best for the company. And what's best, in the eyes of management, is that Simon visits Bernie every Tuesday. In jail. Bernie was a big time trader who did not play nice with the rules and so finds himself in a conference call for the next 3 to 5 years.

Through their conversations, Simon gets to learn the ins and outs of compliance from the most trusted source around: A criminal.

When even the risk of jail time doesn’t motivate people to do the right thing, there’s a big job to be done. And "Tuesdays With Bernie" is just the program to do it. Covering topics as wide-ranging as government corruption, bribery and gifts, bad actors, and spoofing the market, the information we cover sticks, the same way you remember snorting coffee from your nose when Martin in Accounts breaks out his Prince impression.

Sure, compliance is serious business. But that doesn't mean we can't have a little fun learning about it.

Wednesday, 10 August 2016

Smooth Sailing in the Dragon’s Den

On a beautiful morning on the Thames, aboard the HQS Wellington, our very own Jim Shields participated in an ISSA-sponsored, Dragon’s Den-style program to tout the benefits of Twist & Shout, “Restricted Intelligence,” and the challenges of information security training, without hearing the words everyone entering the Dragon’s Den fears most: “I’m out.”

It’s an event organized every year by the ISSA. Speakers are given 10 minutes to sell the judges on a big idea, with keynote speakers included throughout the day.

Jim felt confident. Armed with a solid presentation (including key video pieces) Jim felt assured of a positive outcome, even in the face of the challenges one would expect presenting on a big boat (sea sickness, capsizing, being swallowed by a whale, etc.).

Hushed with anticipation, Jim started with the sad facts surrounding information security training. In spite of increased malware and cyber attacks, traditional training methods aren’t working. Management wants visceral responses to know their employees are engaged. In order for this to work, you need to get everyone’s attention and you need relevance and appeal.

Unfortunately, when it comes to infosec, what’s relevant is not all that appealing. Further, awareness is not the same as engagement. For example, we know speeding is a crime. However, when we’re late for a meeting and there’s no one around…

We could sense from Jim’s recording everyone in the room was on the edge of their seats, literally dying to know what the solution could be.

Jim replied with a key question: So how do we get their attention? Which led to another key question: What else gets their attention? Meaning, what are people passionate about?

For one, people are passionate about things like “Breaking Bad.” Call lines were set up to help people cope with the end to this groundbreaking show. Listening to the audio, we could tell the audience was nodding, maybe even weeping. “Breaking Bad” was amazing.

Then, Jim said, “Everything I know about thermonuclear dynamics, I learned from ‘The Big Bang Theory.’”

You learn when you’re laughing because the information becomes memorable.

And bigger than these shows is the marketing surrounding them.

The solution for informing employees and getting them engaged with compliance is to create a show like “Breaking Bad” or “Big Bang Theory.” To create characters and situations viewers can relate to. To provide materials both management and employees can use to keep the conversation going long after the credits roll. And to have a few laughs.

To keep the show, now in its fourth season, relevant, “Restricted Intelligence” addresses possible threats like third-party suppliers, over-sharing on social media, physical access, phishing, whaling, ransomware, and public Wi-Fi.

The results? 25 episodes over four seasons, 150 campaigns, 35 languages, 4 million employees engaged, a major international award, and a new series, “Tuesdays with Bernie,” a light-hearted look at compliance issues surrounding bribery and corruption.

Why does it work? It’s a formula that makes information security issues relevant to employees. There are always personal consequences at the end of each episode. Protecting Generic Corporate Data can be very abstract for employees, who are left asking “What does that actually mean?” “Why do I care?” Whereas if you make the issues and the consequences personal, they’re more likely to change their behavior.

This creates a fan base of engaged employees who know the show, know the characters. Which in turn trains employees to behave like, say, the Mentalist. They notice more, they’re more aware. They become a network of sensors, reporting little things that they spot and behaviors they see. Ultimately, it’s very hard to be a “bad actor” (excuse the pun) in the middle of this culture. It’s very hard to get away with anything when you’re surrounded with concerned, engaged employees.

Needless to say, after we accidentally turned up the volume on our speakers, the audience erupted into a frenzy of accolades and applause. It was deafening. Did Jim win the Dragon’s Den? Unfortunately, the recording ended before we could find out. But we didn’t care.

We were engaged.

Thursday, 7 July 2016

One small step for Restricted Intelligence…

…One giant leap for entertainment-based awareness training.  

If I am running around the office like a 12-year-old on Red Bull, it’s because we are less than a week away from our appearance at the UK’s National Space Centre, right here in our hometown of Leicester. The East Midlands Chamber of Commerce is holding a cybersecurity conference and exhibition in the amazing surroundings of the rocket tower and the planetarium. We can hardly contain our excitement!

We’ll be presenting some of our work in the 360° HD planetarium, and I shall be speaking at 2.25pm on the best way to engage employees in a security culture, if you don’t own an actual rocket ship. Jess & Katie will be on hand to show you new episodes of Season 4 in case you haven’t seen them yet. This is probably going to be the highlight of our year. Speaking as a 12-year-old boy, that is.

Wednesday, 6 July 2016

Looking Forwards and Back: A Peek at Series 4 of “Restricted Intelligence”

On June 7, we launched series 4 of "Restricted Intelligence". Since four seasons is an impressive achievement for any production - especially one only available online and via subscription - we decided to throw ourselves a little launch party. For better or worse (better at the time, worse the next morning), things got a little rowdy. So please pardon us if we whisper through this breakdown of the new series with our hands grasping our heads. We -- and our fans -- make the most of the rare opportunities we’re allowed to socialize.

But series 4 is well worth celebrating and here’s why. Series 4 finds the “RI” team tackling some new territory. In particular, ransomware and a few of its many dreadful varieties. In one episode, we find Lionel has been hit with “individual ransomware.” We won’t spoil the episode, but we will say Lionel reacts in a way a lot of people might with the simple exception that we can laugh at Lionel here.

In this episode, hackers don’t just take control of the network, they leave ransomware in their wake. Unfortunately, just like in real life, hackers target organizations like hospitals that will pay the ransom because it’s urgent. So instead of investigating or finding ways of circumventing the attack, the quickest thing they can do is just to pay the ransom. And the hackers, of course, know this. If they pitch the ransom at a certain price, the hospitals just pay it. Viewers get to learn new ways to avoid the drama of such attacks without being the victim. But it’s our pleasure. We don’t mind taking one for the team.

This is also the first season where a member of our American cast appears in the UK. Ian gets to enjoy standing out like an American (no offense to our American friends) while he develops a sweet geek romance with one of the app developers. Love is in the air, like the fake Wi-Fi networks Ian’s episode addresses.

Speaking of characters, series 4 sees the return of Ellie from series 1, when she was the only person who knew how social media worked. Ellie has put that social media expertise to good use and has become the VP of Social Media. She’s also developed a superpower that allows her to know who you are, what you’re thinking -- even who you voted for. I guess we have Facebook to thank for that.

We’ll stop before we give away too much, but know we’re already thinking about series 5. Our community always does a great job of supplying us with new areas of interest as soon as they come to mind. For example, we’ve had requests for an episode based on a call center in India. And seeing as though we’ve never been to India, maybe we’ll go.

You know, for research.

Wednesday, 15 June 2016

And the winner for best user awareness campaign is...

I have been to over 10 events this year alone - from Infosec, to smaller regional meetings of other information security related professional “bodies”. The names might change (although there’s the inevitable overlap of familiar faces) but the one issue that comes up again and again, in presentations, in conversations and online, is the PEOPLE issue. It’s always a top bullet point no matter how lofty or technically explicit the presentation might be. People are the way in, the weakness, the unreliable, unpredictable factor that renders the most sophisticated technical protection useless.

And yet - the recent SC awards haven’t even got a category that comes close to serving this burgeoning sub-industry. It defies logic.

The investment in experts in behavioural change (for which I shall use the euphemism “Marketers”, for that is what they are) is a tiny fraction of the total expenditure on security measures. It’s the fat ginger kid in a schoolyard of alpha males. There’s training - but this is simply a repackaging of facts designed to tick a compliance box, as we all know. Even those who claim to “engage” users are often just bolting on cartoons to an otherwise patronising or overly simple message.

To get true engagement, take note of what people like to do / watch / eat / experience and just do that. Ask yourself, “What would get my attention? What would make ME see sense?”

Until the institutions take awareness as seriously as they take Data Loss Prevention Solutions (or whatever), we will always be standing at the periphery of the cool kids group. Because we don’t have a box, or a policy, or any “software as a service”. We just have personality, and communications skills. Something that will engage those who are creating the weaknesses.

Next time you notice this kind of absence (in the trade press, or the awards circuit) - ask why.

It just might start a change.
Jim Shields

Tuesday, 7 June 2016

Your Attention, Please

It’s 9:00 am on a Monday morning. There are about a million other places you’d rather be than a training session, but here you are. The Training Program Specialist gets up, fumbles with his laptop, searches desperately on the cluttered desktop for the PowerPoint, finds it, double-clicks and… Still loading. Lots of images. Hold on. Almost… There it is!

A title slide, five different fonts (just to make sure you notice), some swooshy graphics in the background (you see this, right?), and a clipart drawing you’ve seen in a million other places of a successful team moving forward into a paradigm of a new tomorrow.

Some opening remarks, the agenda, and then you’re into the meat of the session. Yes, the Training Program Specialist speaks in a monotone. Yes, you might have laughed at his opening joke if you could hear him, but you’re finally going. Things seem to be moving along and he’s covered a number of slides and you’re positive the session is half over until you check your watch and-- FOUR MINUTES!?!?!?!?!

A quick calculation reveals that, at this rate, the entire training program will take 10,000 years to complete. Give or take. Albert Einstein once said when you’re sitting on an open flame a minute feels like an hour and when you’re talking to someone you’re attracted to an hour feels like a minute. That’s relativity.

So, going back to our training session, how would you change things so you no longer feel like you’re sitting on an open flame, but talking to that special someone instead?

This is the question we ask ourselves (though phrased a little differently) whenever we begin a new program or draft a new episode or even write a new scene. What about this is going to win our audience’s attention, defeating such temptations as watches, daydreams, phones, or opportunities to doodle?

Our work has captured the attentions (and the hearts and the souls) of audiences around the world. But not simply because we present our work in a sitcom format. The fact that our audiences are watching a “sitcom” is just a novelty and novelties always wear off quickly. Just ask anyone who owns one of those barking dog Christmas albums.

In order to capture your audience’s attention, we rely on three key ingredients:
  1. Familiar people 
  2. Familiar environment 
  3. Something in return for the audience’s time
Let’s break these down a little further, shall we?

We’ve learned audiences will focus on a show when they recognize the characters involved. They know the “by the book” accountant, the over-zealous sales rep, the timid intern (who also seems to have the best ideas). And they want to see what happens to these recognizable characters as they tackle the challenges in a familiar environment.

The familiar environment means more than seeing, say, a cubicle that looks exactly like the one they’re working in. It’s also the situation. The 11th hour fight to submit a proposal on time, the unexpected visit from a client, the training session that never ends.

Finally, we give the viewer something in exchange for viewing. But instead of, say, a keychain or pat on the back, we like to give a nugget of wisdom, teaching them to fish rather than giving them a fish.

This is the thing that brings all of the pieces together, so when they’ve finished watching an episode, they think “Now I know when I’m working with that colleague, in that situation, I can avoid that problem by using this shiny new nugget of wisdom.”

Yes, there will always be situations where something will beat our best efforts for the audience’s attention. But we know we’ve got a much better chance of earning their attention (and they have a much better chance of actually learning something) if we give them familiar characters, familiar situations, and something they can use.

Now, turn off your phone or close your laptop and turn your attention back to the training program. You only have several thousand years left.

Monday, 6 June 2016

Seize (Parental) Control!

A recent article in SC Magazine reported UK adults are clueless when it comes to finding advice about how to protect themselves online. Clueless.
Over two thirds (67 percent) of respondents say that they are fairly concerned about the risks of identity fraud when using online services, and 21 percent are very concerned. Only a third (33 percent) were able to identify Cifas' purpose as an organisation. Less than a quarter of men (19 percent) and women (23 percent) said they stopped using an online service due to the concern of their data possibly being at risk of identity fraud.
There are other equally alarming statistics, which you can find here.

And if the adults don’t know how to protect themselves, how can they possibly be expected to protect the kids?

Which is why, starting in June, Restricted Intelligence will premiere the Parental Control films* (working title!), a series of videos to encourage parents to take more of an interest in what their kids are doing online and teach them simple ways to make safe online platforms for kids.

Oh. Did we mention they're free?

Over the course of three episodes, we’ll take the proven formula used in “Restricted Intelligence” (along with a few of the show’s actors) to create a show viewers will find entertaining, educational, and share-able.

And if that weren’t enough, the show’s two main stars deliver unparalleled performances, according to our Creative Director, who through sheer coincidence happens to be their dad.

Stay tuned. The Parental Control films will be available here beginning in early June.