The first step was to determine the current status of information security using TreeSolution’s Security Awareness Radar®. Next, TreeSolution’s Security Awareness as a Service provided support for actions for improvement. These included:

• Create concepts
• Customize training materials
• Create information on the subject of information security
• Create a roadmap with implementation measures

To expand and professionalize its own training material, the health insurance company became a member of the Security Awareness Club. This gave the company access to all of TreeSolution's training material. The Security Awareness Club is designed for companies that have little or no awareness material of their own but would still like to successfully train their employees. The material can be used flexibly as required for campaigns in the company, thus enabling continuous training and awareness.

The aim of the initiative was for all employees to assume responsibility for security in their working environment and to act appropriately when handling data and information. This was achieved through recurring and complementary measures on different channels (e.g., e-learning, security blog, intranet news, quizzes, presentations).

A memorable brand design on all of the media for the initiative was important in order to give the initiative a visual identity and thereby support the employees in better internalizing and implementing what they had learned. The topics were important, and their communication was therefore made appealing, so that the activities had a lasting effect, and the security culture was improved. Before the initiative, a measurement (Security Awareness Radar®) of the security culture was carried out, to be repeated after the end of the initiative.

The goal of the security awareness and support in the form of Security Awareness as a Service was to improve information security and train all employees. TreeSolution supported the health insurance company in advising and implementing security measures based on the results of the Security Awareness Radar® survey. TreeSolution worked with representatives from the departments to develop a common basis for implementing the initiative and made sure that everyone involved followed through on their commitment to work together.

The collaboration between the health insurance company and TreeSolution included the following:

• Creation of the program for information security, data protection, awareness, and training as well as the associated roadmap for 18 months.
• Implementation and evaluation of the Security Awareness Radar®.
• Creation of the communication plan with topics for news and blog posts, based on the employee feedback from the survey.
• Preparation and implementation of the kick-off workshop with all stakeholders.
• Involving employees in finding the slogan for the “Information Security & Data Protection” awareness initiative.
• Support in branding the initiative with logos and image.
• Revision and launch of the intranet site for the awareness initiative.
• Writing news and blog posts.
• Redesign of the introduction of the security department during the Welcome Days (introductory days for new employees). The presentation was made more interactive and entertaining. Based on various tricky situations that are told in the style of a thriller, new employees discuss case studies of information security.
• Compilation of the security toolkits (short presentations).
• Addition of the "Golden Rules" for a digital brochure and blog posts.
• Adaptation of e-learning to customer requirements.
• Conducting the phishing training with simulated attacks with fun resolutions.

An important part of the awareness initiative was the involvement of employees, departments, and management. The employees submitted ideas for the slogan and then chose the winner. The departments helped with the implementation and provided information and ideas for measures where necessary. A representative from management was the overall sponsor of the initiative.

The collaboration between the health insurance company and TreeSolution was crucial for the successful start of the initiative. It allowed the health insurance to minimize use of its precious time resources. TreeSolution kept the ball rolling with effective preparatory work and the coordination of the work packages. It was important to strike the right balance between "roadmap implementation and day-to-day business requirements" while not losing sight of the initiative's goals.

The results of the Security Awareness Radar® provided a detailed picture of information security and security awareness among employees. In addition, it became clear which topics and target groups needed priority training in order to increase security awareness in the company and to anchor information security in the corporate culture. This knowledge was integrated into the information security program, the news, and blog posts as well as other training material.

Thanks to the professional support in the form of Security Awareness as a Service and to the material from the Security Awareness Club, the health insurance company was able to start the initiative professionally and quickly.

The initiative was welcomed by employees. Many good suggestions were submitted, especially for the slogan. They also participated diligently in voting for the choice of slogan. The survey with the Security Awareness Radar® was also well received by the employees. They really appreciate that the health insurance company is so active in the area of information security and data protection.

All measures planned and implemented to date promote a security-conscious corporate culture and thus contribute to the “human firewall”. Through a holistic and continuous learning journey over a longer period of time, knowledge about information security is being constantly expanded and the security awareness culture is being established.

“Thanks to the support of TreeSolution, we have taken a big step forward in the area of awareness - now it's important to stay on the ball.”
CISO of a Swiss health insurance company

A robust security culture is fundamental and needs to be consistently repeated and promoted - many thanks for the survey.”
An employee’s comment in the Security Awareness Radar® survey

To leverage further the potential for improvement, the collaboration is being extended by a further 12 months. An overall program for information security is being created to continue a successful learning journey.

A further measurement with the Security Awareness Radar® will be used to determine how sustainably the campaigns have been received by employees and in which areas further measures and training are required.

The branding with logo, images, etc. will be used for further actions and campaigns to capitalize on the value of the brand recognition and thus promote security awareness even better.