The changing face of DB Cargo UK’s cyber journey

It is interesting the way that the focus around cyber-security can develop. As a Head of IT, cyber-security came onto my radar with a big bang in May 2017 after we fell foul to the WannaCry cyber-attack. It is a day that I will not forget in a hurry and, as a recently appointed Head of IT, I felt ill-prepared to really tackle the impact. We had a great support network on the day, and I found that, with certain key suppliers and some of my internal team, we were able to rapidly defend our landscape. In relation to other sectors, the impact of WannaCry was particularly low for us as a business, thanks in the main part to swift action from our core infrastructure supplier, DB Systel UK.

However, after the incident, taking the time to understand what happened and why, I realised that cyber had to form a much more important part within my new role. Some things are black and white with cyber-security, and the technical elements around cyber certainly fall into that remit. The National Cyber Security Centre (NCSC) were pivotal in my early days of growing my knowledge of cyber and supporting me with the steps to take to ‘shore up our defences’. It is true to say that the contacts I made in the days following WannaCry have become firm contacts and supporters in our ongoing cyber journey. The NCSC quickly provided me with their 10 steps to cyber-security guidance, which in the early days, became my step through guide of how to move our business forward.

The framework gave me a method in which to tackle our cyber compliance systematically and provided the underpinning foundations of our Information Security Management System (ISMS) that we have in place today. The heart of the framework revolved around a Risk Management Regime that we have continued to build on over the last three years.

The technical challenges in our cyber compliance journey were often easier to tackle as they were so black and white. Our corporate guidelines, combined with the NCSC guidance, gave us a clear vision and path to compliance, with tangible steps and actions that needed to be taken. We spent time ensuring that our defences were updated, supported and monitored, and our suppliers were all engaged in our vision for improvements around cyber compliance.

Much harder to tackle than the purely technical challenges of cyber compliance was that of human behaviour and engagement – or what I now call the ‘human face’ of cyber-security. Our IT security culture – how we brought cyber to life and made the whole concept of IT security engaging and fun for our people – became the greatest challenge for me in improving our cyber defences.

Bringing cyber to life

We spent the early part of our cyber journey providing communication about relevant cyber topics – including password management and hygiene, as well as phishing mails and how to spot them – and creating communication plans and polices around basic IT security principles. We got creative with our messaging and even looked for industry benchmarks on how we could improve our campaigns to get our messaging to land better.

However, after running a phishing simulation in late-2018, we recognised that our messages were just not reaching our people and that they were not engaged in our IT security culture. To that end, we engaged our internal communications team and an external communications agency to help us bring cyber to life. I have to say that what ensued is probably one of the things that I am most proud of in my working career.

The team created our ‘Little Monsters’, which we have been running as a campaign for just over a year. We launched the start of our ‘monsters’ campaign with a movie we called ‘The Screening’. We held a movie premier and created some anticipation around our business with screening posters and news drops, with a slogan ‘Coming to a screen near you’. We even dropped movie tickets to all our people (virtually or on their desks). On launch day, we held both a movie premier in our offices, but also did an online premier for our remote workers with a movie pack to get the team to watch the movie but also receive some merchandise.

Every month following our IT security horror movie premiere, we launched one of the new ‘monsters’. We created four in total to tackle the core IT security threats we faced as a business. We made the characters fun and memorable and gave them all a name. When we launched ‘Little Monsters’, we took a gamble to take a topic that, to most, was boring and irrelevant and try to make it memorable, engaging and fun. I wanted a campaign that we could run each month but also use to link to contextual relevant events and things happening in the world of DB. ‘Monsters’ gave us just that. Topics that we could bring to life in engaging ways, competitions to win merchandise, ways to engage our people in simple messaging but with serious content.

Ironically, the thing that engaged people the most were pin badges. We made little pin badges of each monster and rewarded positive IT security behaviours with a badge. They were in high demand and we saw some great examples of good IT hygiene practises in the push to get each badge. We also used a platform that had a cartoon-style cyber training which, again, aligned with the concept of making cyber awareness fun and engaging. The training was very well received by our teams and, because they were short, easy snippet videos, it was easy for our people to complete within their working day.

What comes next?

We will continue to build on our engagement and fun aspect around cyber with our awareness and training application, delivering style and content aligned to the changing threats that we face. We will soon deliver content around remote working and data security in a home environment and will continue to challenge the boundaries of how we can make cyber-security relatable to our internal customers.