...continued

I presented this idea to my colleagues Gregor and Benjamin at the CEF IT, and we quickly decided that this is very important, and that we need to do it as soon as possible. Initially, the idea was to do a series of in-person training courses at the CEF, but as our schedules change so dynamically, that format was not going to work. This is why we chose to build the sort of “online course”. We used our internal app CEFKO as the tool housing the course, since we already had a way to build an internal training inside the system. So, it was very convenient for us to skip developing something new, but rather use an existing system and focus on the content part. We divided the content into three bigger subjects: email\web security, data loss prevention, and physical security—an aspect often overlooked. Each of us took one subject to divide the workload. We decided that the most appropriate format would be to record short and interesting videos on these subjects.

Several of them explain the most important aspects of the subject. We believe that employees often prefer watching shorter 5–10-minute videos, rather than reading lengthy texts. After every series of videos, and for every section, we prepared the final exam, a sort of online test, with smartly crafted questions, so that we could really see that employees were watching and learning properly.

Each test generated a final score, which we logged into our back system for later analysis. Our intention was not to introduce competition, but rather to realistically identify potentially weaker links, who’d need more knowledge and more of our attention to educate them better, and maybe clear up their lack of understanding of certain subjects. Additionally, the tests helped us determine the level of knowledge among our employees, and make a realistic assessment of their strengths and weaknesses. Furthermore, we envisioned analyzing the results to build several groups based on employee skill levels, and then making a more personalized approach for their training, based on the specific needs identified for their work, exposure, and level of knowledge.

Every employee passed the course, and the feedback we received was very positive. We were happy to see that our staff were eager to learn new things, and that they generally consider cybersecurity important, not just some necessary evil. The results were also surprisingly good.

What lies ahead? Since then, several employees have asked me, “Now what? What will happen next?” We maintain a bit of secrecy around our plans. Why? Because unpredictability is our ally. We avoid revealing too much—after all, our methods thrive on catching victims off guard. Yes, you could say we’re a tad mischievous.

Our collection of data pinpoints the vulnerabilities that we must expose. Armed with this knowledge, we will guide our employees, helping them better prepare for threats in future. And here’s a glimpse into our future: unpredictable testing. We slip into the role of attackers, testing our own team, as if the stakes were real.

So, stay vigilant, my friends. The unknown awaits, and we’re ready to dance with it.