Securing a Global Workforce: How OLX Group Dropped Employee Phishing Susceptibility Rates More Than 90% in 6 Months
Mariela Di Bartolomeo is the Risk and Controls Coordinator at OLX Group, a global product and tech group with over 5,000 employees and clients in more than 40 countries. She works out of the company’s Buenos Aires office, where she helps audit the organization’s information systems and leads OLX’s employee security awareness training program.
A client since 2017, OLX used the SecurityIQ awareness training platform to drop its employee phishing susceptibility rate more than 90% in six months. We sat down with Mariela to hear what she has to say about the platform and learn how she achieved such great results in a few short months.
Why Did You Select SecurityIQ as Your Training Platform?
Mariela: We needed to increase employee security awareness at OLX, so we started pursuing security awareness training programs for our employees. We looked at three vendors and selected SecurityIQ as our platform.
It was important that we could access all training tools in one place. SecurityIQ fit our needs because it offers phishing simulations, awareness training modules and analytics in one platform. With employees in several countries, translations and closed captioning were also important. We use the translated modules with closed captioning to give training to employees in their native language and ease the comprehension and understanding of the content.
How Do You Use SecurityIQ to Improve End User Security Awareness?
Mariela: We run two-month employee awareness training campaigns every quarter. Each new awareness training campaign starts by gauging the level of security awareness for each office location with a phishing simulation. After that, we launch a series of awareness training videos. Employees then take an assessment to measure what they’ve learned. One month later, we launch another phishing campaign and compare the results to the previous simulation to measure progress over time.
Following this approach, we’ve reduced our phishing susceptibility rate more than 90% in six months.
Do You Target Awareness Training to Employee Role?
Mariela: Yes, we use different learner groups to send targeted training to employees by role. We have three core groups for awareness training campaign delivery — non-IT staff, developers and infrastructure employees. Sometimes, we break these groups into as many as 18 subgroups to help achieve specific goals, depending on business needs.
We also offer 18 different training modules to our IT team. These modules cover more technical topics like SQL injection and Cloud security.
Are You Satisfied With SecurityIQ Client Support & Services?
Mariela: Customer service is always super fast. Platform implementation also went really smoothly — it’s very intuitive. After my first implementation call, I was able to run the entire platform by myself without requesting additional training.
How Do You Encourage Employees to Participate In Awareness Training?
Mariela: Security awareness training is mandatory for our employees. We give employees three weeks to complete each training campaign. That’s about 1.5 hours of training per person in three weeks.
We reward users for participating in the training by sending an email congratulating the region or learner group with the highest completion rate. After the assessments, we send the groups or regions with the highest score a reward, like candy or dinner. In the past, we’ve taken pictures of employees enjoying their rewards and shared them in our internal community. These efforts have helped us reinforce the importance of the training and encourage participation. It’s worked well for us, and employees really enjoy it.
How Do You Share Program Results With Your Leadership Team?
Mariela: I pull SecurityIQ training analytics after each campaign and share results with my leadership team. I’ve found it’s best to keep these reports brief — I usually summarize key findings in a PowerPoint or email.
My leadership team is excited about the results we’ve seen from the SecurityIQ awareness training. I’ve received many compliments from top management — they are happy to see we’re delivering a training program to our employees that’s getting real results.
Do You Have Any Advice to Share With Other Awareness Training Program Managers?
Mariela: My advice is to start with a clear structure for your program before looking for a platform. After that, seek advice from your security team about program goals and capture buy-in from your leadership team. Without buy-in from leadership, your efforts will be pointless. Employees will not complete the training if your awareness program is not supported by senior management.
It’s also essential you find ways to engage your Human Resources department. At OLX, they’ve played a critical role in helping us communicate program expectations and drive employee engagement.
We send SecurityIQ training completion reports to our Human Resources team each week, which helps them identify employees who haven’t completed the training. They use that information to send training completion reminders to managers and employees. It’s a big help and really captures people’s attention.
Would You Recommend SecurityIQ to Your Peers?
Mariela: Yes, I would. It’s an excellent platform. If you’re just starting your first security awareness training program, this is the perfect tool for you. You don’t need IT knowledge to run it — it’s super easy to handle.