Indian financial major IDFC held a group-wide information security awareness initiative in February 2012 that gave a twist to the way such exercises go. Christened I-SAW 2012, this initiative was the brain child of IDFC’s IT team spear-headed by Uma Ramani, the vice president for information technology at IDFC. Ramani devised a novel method to elicit voluntary involvement from the employees by enlisting Pune-based e-learning firm Netex to design an interactive portal. Designed akin to a Mafia don’s den, the portal featured objects linking to information security resources and news compiled by the in-house team.
Response to many of these activities, including the last day’s speaker session, was really inspiring...
Sunil Kakar, Chief Financial Officer(CFO), IDFC
According to Ramani, different approaches had been considered for this information security awareness initiative. The IDFC team required a theme based method which captured user interest and created information security awareness — in a manner enjoyed by employees. V C Kumanan, the senior director for IT at IDFC explains that information security awareness initiatives are usually mandatory. The use of a lecture-based approach which seeks to dispense ‘Gyan’ fails to generate interest or enthusiasm for security. This sets back the creation of information security awareness.
Ramani’s team created a storyboard, where the portal’s information was woven around a comic strip. Mr. Gobo, the strip’s main character, is a ‘reformed guy’ reminiscent of Kevin Mitnick, says Kumanan. This became a hit with IDFC’s end users, as Mr. Gobo became the information security awareness initiative’s mascot. Mr. Gobo and his cohorts set challenges to be cleared at the end of each story. Each day was given a theme which included passwords, social engineering, social networks, physical security, blackhat hacking and malware.
In addition to these games, daily quizzes related to information security awareness were also conducted along with prizes. Other information security awareness activities during the week included a daily half-hour open forum called the ‘Technology Sabha’, where employees were encouraged to participate in panel discussions on the day’s topic. This was shown as a Webcast across all IDFC locations. D Sivanandan, the ex-DGP of Maharashtra police was a guest speaker on the final day. “Response to many of these activities, including the last day’s speaker session, was really inspiring,” says Sunil Kakar, the chief financial officer (CFO) at IDFC.
According to Kumanan, the initiative saw spectacular success, with the involvement of close to 70% of IDFC’s 600 strong workforce. While initiatives have been held previously, this was the first time that information security awareness happened on this scale at IDFC, adds Kumanan. The occasion was also used to get user feedback through a survey, which received close to 30% response. Kumanan says some of these suggestions might be put into effect in the coming months.
The team signed off with a mailer that highlighted areas of improvement in IDFC’s security posture. The team intends to address these individually to disseminate information in concentrated doses. Kumanan is in the process of formulating a strategy to capitalize on and sustain the awareness and interest generated by this information security awareness exercise.