Information Security at Herbert Smith Freehills

HSF asked us to develop a campaign out of their existing ‘Security Matters’ platform to promote the role employees play in keeping information safe.

We developed a ‘Cyber Sharp’ campaign aimed at giving people hands-on experience of how to spot threats – and react to them. 

The plan

Staff were invited to in-person training sessions through a series of fortnightly email ‘e-zines’ featuring cautionary tales of what can go wrong when people don’t protect confidential information. A video animation offered an overview of the issues and a glimpse of what Cyber Sharp would offer. Teaser posters also went up to pique interest and draw attention.

For the training sessions, we picked common security topics – phishing, physical security, information management – and developed short, interactive small-group exercises aimed at helping people understand how a situation presents a risk, identify a problematic information security situation and better understanding of how to react. 

Each session wrapped up with a group exercise about social media. In keeping with the aim of experience-led training and going deeper than a simple how-to, an actor (who posed as a facilitator) researched the attendees’ social media profiles before the training. Then, by using simple social engineering techniques, the actors convinced some attendees that the actor knew them. 

A different view

The experiential method of the training sessions enabled us to add more context to the discussion. We were able to explain some of the reasoning behind decisions and processes by relating them to the experiences in the training. We then move the conversation more rapidly to a productive stage – which is valuable given how broad the information security topic can be.