For a stronger security culture at GEMAC

GEMAC receives eLearning Award in the Cyber Security category

As digitalization progresses, cybercrime is also on the rise. This makes it all the more important for companies to regularly raise awareness among their employees in order to minimize the attack surface for cyber attacks. GEMAC uses monthly microlearning sessions in conjunction with simulation-based phishing emails from CyberXperts to train employees in their day-to-day work in order to ensure a practical learning process and an enhanced security culture.

The increasing threat of cybercrime poses a significant danger to private individuals and companies. In particular, employees themselves are the greatest vulnerability. This risk is particularly prevalent in phishing attacks, which are disguised as deceptively genuine-looking emails and trick users into downloading malicious files or disclosing sensitive data. The resulting damage caused by cyber-attacks amounted to EUR 148.2 billion in Germany in 2023 (source: Bitkom, Wirtschaftsschutz 2023, bitkom.org/sites/main/files/2023-09/Bitkom-Charts-Wirtschaftsschutz-Cybercrime.pdf). It is, therefore, a top priority, especially for large companies, to contain this threat by providing regular and comprehensive training for employees.

Learning needs

Against this backdrop, GEMAC Chemnitz GmbH also recognized the need to raise IT security awareness within the workforce. To this end, a two-year collaboration with the solution provider CyberXperts powered by skillsforwork was launched in October 2022. The aim of this collaboration was to establish an enhanced security culture at GEMAC and thus reduce the risk of cyberattacks to a minimum.

To meet these needs, basic IT security skills were to be taught to the entire workforce. Employees should also learn to recognize the various methods and techniques IT criminals use, so that they can detect and ward off potential cyber attacks at an early stage. At the same time, the opening rate of potentially dangerous emails should be tracked and kept at a low level. To address these learning needs as effectively as possible, the planned eLearning should be divided into two modules: the theoretical learning content should be delivered in the form of interactive microlearning, supported by simulated phishing emails in everyday working life that test the knowledge and ensure effective transfer into practice.

Monthly microlearnings ensure sustainable learning transfer - in addition to monthly simulated "phishing" emails, learners receive a new microlearning by email every four weeks, which they can easily integrate into their daily work routine.

Project process

The start of the project coincided with the beginning of the collaboration between CyberXperts and GEMAC and was heralded by a joint kick-off meeting.

Based on these agreements, it was then possible to start with the actual implementation of the awareness campaign. The eLearning measure was to be launched with an initial phishing simulation to sensitize the workforce to the topic and draw attention to it. For this purpose, a "warm-up" to raise awareness was started three weeks before the first simulated phishing email was scheduled to be sent. This served to inform all IT employees, the management and the helpdesk about the upcoming measure. This step was deliberately carried out three weeks in advance to ensure that the first tracking after the first phishing email provided a realistic status quo of operational cyber security awareness.

After a test run in the form of allowlisting two weeks before the start, the first simulated phishing email was sent to employees on the agreed date. The click rates were evaluated one week later.

The monthly eLearning units were then activated two weeks later by email, allowing employees to access the CyberXperts learning platform and register. From this point onwards, a simulated phishing email and monthly microlearning courses were activated on a staggered basis each month. The microlearning courses were based on the latest teaching science findings, which were developed by teaching scientists and experts.

The project managers conduct a review every six months. The results and topics of the microlearning are discussed together with the click rates of the phishing emails to learn more about the usage behavior of the workforce and to adapt the upcoming eLearnings accordingly.

Project result

Employees receive a monthly invitation to the microlearning sessions by email, which directs them to the CyberXperts Academy platform. These take no longer than 7-12 minutes of learning time and are very easy to integrate into everyday working life. As a mandatory learning unit, employees have four weeks to complete it, whereby successful completion is a prerequisite for access to the following learning units. The microlearning courses cover a wide range of topics relating to cyber security, from errors in the home office and secure passwords to data protection breaches and AI attacks. The short courses use various methods such as gamified quizzes, animated videos, expert clips and other interactive learning tasks to create a lively and varied learning environment. In addition to practically teaching the content, the main focus is on the fun factor, which is intended to promote a sustainable and positive learning experience.

In addition to the monthly thematic microlearnings, the second practice-oriented component of the training consists of phishing simulations, which are also published every month. The emails are not dangerous and are only used for training purposes on a realistic basis. When the employees open the supposedly dangerous email, they are taken to the stored situational learning page, which explains their incorrect behavior. Practical exercises make it easier for employees to recognize phishing attacks and react appropriately in emergencies. With the help of tracking, the project managers also get a clear impression of how confident the workforce is, especially when dealing with phishing emails.

So far, the new eLearning measure on the subject of cyber security has been a complete success: this is evident from the high participation rate in the monthly microlearnings on the one hand and the falling click rates for the simulated phishing emails on the other, which suggests a high level of learning transfer.

Summary

The concept of monthly microlearning sessions in conjunction with simulated phishing emails makes a significant contribution at GEMAC to enhancing the security culture and making it more visible. The realistic attack simulations optimally prepare employees for emergencies in everyday life, enabling them to identify attacks better and react appropriately. Thanks to the regularity of the learning units, cyber security remains a present issue within the workforce and thus contributes to a safer working environment. The simulations make the subject approachable and tangible, simulate the actual danger and thus ensure a maximum learning effect, which can take place in a tightly scheduled working day. For this innovative and practical approach, the jury decided to award the joint project by CyberXperts and GEMAC the eLearning AWARD 2024 in the "Cyber Security" category. Congratulations!

Specifications and special features

Specifications:
To increase awareness of cyber security issues among GEMAC staff, GEMAC and CyberXperts worked together to implement a two-part, practical eTraining course that could be easily integrated into everyday working life. This consists of monthly microlearning units and deceptively realistic simulated phishing emails, which ensure a high level of practical transfer.

Special features:
The monthly "phishing" emails that CyberXperts sends to employees look like authentic cyber attacks. In reality, however, it is a simulation that leads to a corresponding learning page with warnings. Tracking makes it possible to anonymously observe where employees still need to learn about cyber security.

Project managers

GEMAC Chemnitz GmbH
Zwickauer Straße 227
D-09116 Chemnitz

skillsforwork | CyberXperts

CyberXperts powered by skillsforwork – a division of VNR Verlag für die Deutsche Wirtschaft AG
Theodor-Heuss-Straße 2-4
D-53177 Bonn