
How FARFETCH Maintains a Strong Cybersecurity Culture During the Pandemic

By Victoria C
Bridging the gap between Information Security and the Business. Cyber Security is a passion of mine and having Coach bags.
For several organisations, working from home has become the new norm. We have become virtually paperless, conference calls have replaced face-to-face meetings and cyber threats have increased rapidly. As a result of the pandemic, we are facing a changing cyber threat landscape. No matter where an organisation sits on the cybersecurity spectrum, the pandemic has made it harder to maintain information security protocols. Companies have had to adjust their protective security layers in order to reflect the ever-changing threats and new working practices. 

At FARFETCH, we have always recognised that ensuring our Farfetchers are equipped with the right knowledge, understanding and tools is the way to help us set a strong unified cybersecurity culture.

An Information Security Training and Awareness Program influences Farfetchers to continuously adopt positive security behaviours in this ever-changing world. Understanding their roles and responsibilities is an important part of that.

To achieve this, we have stayed connected with our Farfetchers by making the Information Security Training and Awareness programs engaging, interesting and relevant while working remotely. 

1. Training and Awareness
Farfetchers are our first line of defence against criminal cyber activities.  Therefore, we continuously reiterate cybersecurity best practices, so they are second nature both inside and outside of FARFETCH.  We ensure this is the focal point throughout our training and awareness strategy. 
 
We carry out several activities to ensure we keep the subjects and contents relevant and interesting.  These include but are not limited to:
  • Online eLearning Program - breaks down Farfetchers' roles and responsibilities when it comes to cybersecurity, reinforcing our theme of ‘security is everyone’s business’. We follow up the training by measuring their understanding of what was taught
  • Face-to-Face - we conduct online training for new starters. These sessions allow us to engage with Farfetchers and enable Q&A
  • Regular Internal Blogs - keep our Farfetchers up to date with the latest and relevant cybersecurity trends
  • Mandatory Policies - we review our policies annually and ensure they are in line with our legal and regulatory responsibilities
  • Newsletters - ensure we share important information with Farfetchers
  • External Virtual Events - we invite external subject matter experts to present in their field. These events reinforce our program message and let the experts share their own experiences
  • Gamification - we create events where Farfetchers can win different prizes. This allows us to do two things: market cybersecurity amongst Farfetchers and keep things interesting and fun. Feedback has helped us understand that our Farfetchers are more motivated when training is gamified. Additionally, they are more engaged, and we see these results in their attitudes towards identifying threats and making timely decisions.
2. Simulation Awareness Campaigns 
Over the last 12 months, Social Engineering - the art of manipulating human behaviour - has seen a huge increase. According to KnowBe4, March 2020 saw a 67% increase in phishing attacks, while Google identified more than 18 million daily phishing messages with coronavirus themes within just one week in early April 2020.

Our Farfetchers are our human firewall. To prepare them for a social engineering attack, we train and educate them by carrying out annual simulated phishing awareness campaigns. These campaigns are managed in a number of ways, e.g. a global phishing campaign, a spear phishing campaign, etc.
  
3. Measurement Metrics
Once you have carried out your cybersecurity program, how do you measure its effectiveness?

There are several ways FARFETCH measures its program (this is not an exhaustive list):
  • Annual survey of how well we are doing against our cybersecurity baseline
  • Regular internal and external audits to ensure regulatory compliance and understand where our gaps lie
  • Review metrics against business objectives and goals to ensure they are still aligned and measurable
  • Behaviour change to identify if there is a shift in habits
  • Training and Awareness tests allow us to review how well Farfetchers were able to absorb the information
  • Feedback Forms let us know how well we are doing and help us understand how best to engage with our Farfetchers
One of the key findings from the various campaigns we manage is that the more we reinforce the same message in different communications, the more it becomes a habit and thus second nature. Our aim is to ensure FARFETCH’s culture stays security focused.

Consistency when managing a cybersecurity program is key to success! Cybersecurity threats can never be completely eliminated, but they can be reduced by putting controls in place. The objective is to ensure that, after completing the program, Farfetchers have a more serious appreciation of basic cybersecurity.