What is our primary use case?
NatWest is one of the major retail banks in the UK. NatWest operates across the globe in different locations, but most of its efforts are within the UK. Once a month, we use their BLAST tool to deploy phishing simulations to our entire workforce, which is about 74,000 people.
So we use the tool to provide us with continual training on phishing, as it's an ever-present threat.
How has it helped my organization?
Interestingly, the way that the bank used to do it before was an email every quarter. However, by moving to this more continuous learning where they have an email every month, we have had a number of people recognize that it has happened because we have been quite transparent about the change within the bank. Because of the way that the emails are written, the way that it is done, and we have been quite transparent about it, we feel that this has been quite helpful for them. They are getting something from it as well as learning from it. Instead of it being this one-off four times a year, we are having this done on a more regular basis. So, they feel more practiced with increased recognition. Externally, we have had a number of positive pieces of feedback because of it as well.
Realistically, it's keeping the phishing in mind. It moves away from a slightly more draconian, negative feel of being told off. This is because of the way that CybeReady does it. Their way is more beneficial and about that positive engagement. It isn't about telling people off or determining their behavior to be wrong. It's about allowing them to build capabilities and learn coping mechanisms. They go on to additional training, if they do click, but that additional training is actually positive, engaging, and quite open in its language. This allows people to engage differently.
Overall, it broadens the way people engage with security across the board because they are used to being told off and that they are not doing the right sort of things. Whereas, CybeReady really helped move that conversation forward into a positive lens, allowing people to see how they can take part and their role within security. Also, that it's okay, because this is training, a learning point, how you can continue, how you can cope, and how you move forward. This really helps build people's confidence in recognizing phishing, understanding what it is, and how to cope with it, all of which are important.
Getting people to move from the idea that they only need to do phishing training every quarter to that continuous learning is quite a shift because they were doing that for about five years. It was very much something that they were used to. Therefore, moving to this different way did take some conversations with CybeReady about the best way to approach it. We did not want to have a "throw the baby out with the bathwater" sort of approach of just making it really difficult, hard, or that everyone would obviously click. It was being a bit more pragmatic about having a range of emails, which CybeReady does really well. Some of them do seem straightforward to people, but others are definitely not. All of them will still get clicked on, though, because ease is really hard to determine for other people. The fact that CybeReady takes that into consideration when sending out their emails allows people not to feel blamed. It is something now that is part and parcel of everything they do. When we give the feedback back, then they hear about these things because we speak about it more openly. Because of the way that it's presented, it allows us to present the data in a way that doesn't terrify people because people are clicking, because we will never get away from the fact that people click on emails.
People have to click on emails. It's how you make the Internet work. What we can do is normalize the fact that this is a common threat sector, teaching people how to cope through it instead of just demeaning and undermining the fact that they do it and these things can happen. The way that they do it does help with that because of their variation of emails. They also can do it in different languages. Because we have people in different countries, it's more in a tone or language that they recognize, which helps as well.
Click rates always happen, but you can see that variation in the type of things they click on as well as the understanding of that for the organization. It is not just the employee, but also for the organization to understand the type of things that are being clicked on. CybeReady allows us to see this for the organization, but also for the employee who may just happen to be in a particular area where these things are more likely. For example, if you happen to get an email about finance, and you are in finance, then you may be able to see that this solution may create more of a click rate there, but it allows us to have a better conversation and build more resilience to allow people to see where phishing can happen across the board. Attackers use these everyday known things about organizations, such as everybody has a finance department. When it's these sorts of things, CybeReady does help.
CybeReady is positively engaged with the way that it writes its training and messaging, which is really helpful. Therefore, people don't feel "got at", which is really important.
Not only across the bank, but within my own team, they can see the effects of what simulated phishing can do. It moves people away from seeing click rate as the be-all or end-all to start having deeper conversations about what they are clicking on and what areas need clicking, and what can we do about that? For example, it may not have anything to do with training and instead it may be to fix some type of technology problem. This has allowed us to have a wider conversation about the effects on people. It is not just my team or other employees, but also the seniors who get the data from it. This has allowed them to have more open, reasoned conversations about what the data is really showing us and what we can do better to support people.
By using CybeReady, we have identified some issues in the bank, which we have corrected because of having CybeReady.
What is most valuable?
The general phishing training, which is BLAST in its normal setting, on a monthly, continuous basis has actually proved to be quite good and useful in showing trends.
I find the dashboard on the back-end for collecting data and the MI particularly helpful in the way that it is broken down, e.g., you can search and pull out any particular sort of anomalies or things that are interesting. It allows you to kind of find it for yourself because it allows for flexibility of particular areas and breaking them down, not just by location, but also by different management levels to different team areas. The fact that we can cut and slice the data in different ways allows us to be able to navigate, then present it back to people within those areas a bit better. So, it is a bit more of a nuanced view with a bit more context specific for them, which is always helpful.
They have a business review download that is a generic presentation, which we do use and then add it ourselves to give to our seniors. We don't always need to create the look and feel, as they provide a standard for that, which is quite helpful. Then, any additional information that people request or need for their area, we are able to dig in a bit deeper to give them a bit more content-specific stuff.
Even though the phishing emails are useful, I like the back-end and richness of the data that those actually provide.
We don't just use the BLAST tool. We also have the Continuous Awareness Bites (CAB) tool that we are trialing in the organization. That tool uses positive, open language to try and get people to engage a bit differently, and CybeReady understands how to do that well. I get people who say to me, "It should be more like this or that." What they mean is harder, less obvious, and more scary, but I don't believe in that way personally. So, it is really helpful for me to have the backing of CybeReady who is more like a partner to my way of thinking in helping change the mindset across the wider bank of what to do with phishing framing. So, it isn't just seen as a stick to beat people with.
We have just BLAST and CAB at the moment. We have also turned on the additional features, like welcome messages, messages to high risk people, and reinforcing messages that people are doing well. While I would not classify them as training, they are useful positive reinforcements for people and to give something back.
It can categorize people into high risk groups, meaning that:
- We can turn on the reinforcing message to people in those groups.
- On a team basis with the tool, we are able to look at the data, focus on those groups, and start to give more specific support and outreach to find out who these people are, why they may be clicking more, and so forth.
These breakdowns are useful in multiple different ways, not just through the tool, but for us personally as a team and our reporting.
The feedback that we get from CAB is that employees like it because it's straightforward and simple to read. It's not difficult, which is the main thing, and one of the most important things. They can just engage with it, if they want to and take it on board without being technical.
What needs improvement?
It is not difficult to do the customization. While you can customize the email, we would like there to be just a bit more upfront conversation about the types of emails that month. Because if there is one thing I get asked about in the bank, it is about the types of emails. I don't know if that's particularly needed, but it's something that I get asked about.
We have the generic reporting that comes out so we can download that at any time or at the end of the three month campaign. So, we have two generic reports. If we could section up the data in multiple, different ways, then we could create a report from that instead of just those two options. That would be helpful.
For how long have I used the solution?
January 2020, CybeReady was brought into the bank. Then, it went into a testing phase, etc. We have been running simulations since June 2020, though I wasn't the person doing that.
I am currently the head of security awareness for NatWest, but I wasn't the person that brought in CybeReady. That was the person who was in the role before, and her name is Leslie. She met with CybeReady and decided to change suppliers to them. This was during the back end of 2019 when the actual decision to move to CybeReady was made. Then, I took over that job since Leslie left starting from September 2020.
What do I think about the stability of the solution?
The stability is really good. We have never had an issue with them. They are really responsive. In fact, I don't think we have ever had anything happen that would make me question that.
What do I think about the scalability of the solution?
We have about 74,000 members of staff, and CybeReady deals with them easily. We have leavers and joiners all the time as well. Therefore, we upload new data on every campaign about every three months. That just gets uploaded, sorted, and then all that works together. We don't have any issues with things like duplicate names. All of that is dealt with on CybeReady's side. We have never had an issue. So, it all works well, no matter the size or how many people are joining.
We actually had a thing where some of the email addresses were changing. The members of staff were still the same members of staff, but they would have different email addresses. CybeReady was able to deal with that in stride. They had no issue at all. In this case, about 50,000 people suddenly needed to have their email addresses changed.
How are customer service and support?
CybeReady's technical support is really responsive. I have always been able to get through to them quickly. They come back and investigate if there are any issues, just to double check. They are very clear. Probably one of the best things is the level of support that they give.
Because we have a good relationship with CybeReady, if people have any questions or things that they need, then we are able to reach out to CybeReady and ask more specifically if certain things can get added into reporting. Or if there is an issue, then can they double check it? Having that relationship has definitely helped reduce workloads. It has definitely lessened the burden because it's more of a partnership and collaboration between us to balance the effort into the phishing direction, which could, for a lot of people, take all of their time. However, it doesn't take all of our time since CybeReady manages the majority of the work for us.
When we have had some issues, we have asked for some double checking and they were able to provide that. Even though it is our infrastructure that may be causing the problem, CybeReady is able to cope with that, give us some feedback, help direct us to what might be the issue, and what they are seeing. This allows us to pull in the right people from our end.
Which solution did I use previously and why did I switch?
From what I know about the previous supplier and what the team used to have to go through to collect all of the MI for that, CybeReady has definitely reduced workloads. It is now a much more streamlined process on what we can offer or how we can offer it.
What other advice do I have?
Believe in the approach, where the emails don't need to be overly hard or difficult and, in fact, it's the everyday-looking type emails that get people to click. It's the regular activity that is often the route in. Even though CybeReady's emails can look 'basic' sometimes, that is because that is like the emails you get every day in a workplace and the scammers know that. So it's not always about high gloss look and feel. CybeReady does that balance of the different sorts of emails well and the balance, to allow us to show people that it is often everyday activity type emails that are just as risky.
I would rate CybeReady as nine out of 10.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.