Solution
The client first needed a clear concept to rally around and a solid culture change strategy. We arrived at « Care, Protect, Alert », a clear, powerful and versatile security mindset that sticks and translates into all work situations.
Yet, the true efficacy of a culture is determined by the depth of its adoption. Therefore, we devised an awareness and behavior change plan, along with resources to encourage everyone to understand, act and advocate for security. Collaborating across entities, we provided the necessary tools to implement the change plan, resulting in a unified experience around the globe.
We started with a period of extensive research and consultation, interviewing international stakeholders to understand when and why employees are taking risks from an information security perspective. It was the beginning of a closely collaborative process with the entities.
We developed a comprehensive set of culture change tools created with a unique team composed of changemakers, certified security experts, neuroscientists, digital learning specialists, creatives and filmmakers:
-
- An anti-phishing learning journey, resulting in the company sending over 1 million phishing emails to its employees annually to assess their ability to detect fraudulent activities; this is complemented by concise e-learning modules for individuals who happen to click on the malicious links.
-
- A security certification training curriculum for all employees, tailored to specific populations, that ultimately achieved the highest participation score within the Group and garnered several international awards.
-
- Communication materials comprising articles, cartoons, on-site and online games, events, conferences, infographics, and films. One particular film campaign received the prestigious honor of ‘Best Internal Communication Campaign of the Year’ at the international Cannes Corporate Film Festival.
As AI became part of the security landscape, the program evolved to address a new layer of behaviors: recognizing AI-generated manipulation, understanding deepfake risks, protecting confidential information when using AI tools, and knowing when to question, verify or escalate a suspicious request. The aim remained the same: translate complex security issues into simple, memorable and actionable reflexes for every employee.
This multiyear effort leaded to position the security team as internal best practice in the field of culture change and the company itself as a leading benchmark amongst their peers in the field of security awareness maturity. And of course, this effort highly contributes to keep security level high.
In parallel with the actions carried out at the Group level, we were asked to take on a more operational role in the strategy deployed at the BU level, particularly within AXA IM, where we have embodied the role of Cybersecurity Awareness Lead for several years:
-
- Development of the annual communication plan
- Coordination of all 360-degree communication actions: conferences, serious games, workshops, motion design videos, Konbini-style videos, “day-in-the-life” interviews, Cyber Coffee Breaks, branding, events at the Cyber Campus, escape rooms, etc.
- Organization of the flagship annual event “Security Month”
- Community management.
