Wajax Corporation is an industrial products and services provider based in Canada. Since 1858, Wajax has been enabling major Canadian industries to run their operations smoothly by providing parts and services for diverse sectors of the Canadian economy, including: construction, forestry, mining, industrial and commercial, oil sands, transportation, metal processing, government and utilities, and oil and gas.

Wajax’s website states: “For over a century, Wajax has been a driving force behind Canada’s industrial landscape. At the heart of our legacy is not just machinery and technology, but people who breathe life into our vision.” Considering such a strong focus on people, the human side of cybersecurity holds particular relevance to the organization. From the C-suite to the field technicians.

The security team at Wajax decided to invest in Cybersecurity Human Risk Management with OutThink in order to raise their level of security culture and help personnel learn and achieve secure behaviors. Led by Daniel Tobias, Director of Information Systems, the move from a compliance-first approach has been effective for Wajax and received well by its employees.

Hard to actually impart knowledge Security awareness training is a required activity according to most compliance standards and frameworks. In theory, if we train our users they should be able to learn secure behaviors. But when training is once a year, not tailored, perhaps a little bit boring, and required, the practice of that theory is not quite as effective. The Security team at Wajax started to notice this disparity several years ago, which is why they decided to change their approach to introduce elements of CHRM. The first step in the CHRM Framework is to switch awareness training to an Adaptive approach.

Too much chasing of completions One of the well-established stumbling blocks of a security awareness program is getting users to complete their training. It’s the best-known secret in the security awareness industry. Just getting to an acceptable completion rate (over 90%) is hard. Getting engaged completions, one would think is even harder, but that turns out not to be the case. When users are presented with content that’s relevant to them, that is fresh, lively and modern then completions become a lot easier. Relevance means users can learn the few things they need to know but never understood.

The OutThink platform has a wealth of training content that can be tailored to different types of users. High risks users, who experience many attacks due to their roles in finance or procurement have very specific needs. These are very different than the needs of the techs in the field or on the shop floor. OutThink content meets users where they are, and because the content is tailored to them it helps engage the users more. There are many examples of users telling the Security team they finally understood some aspect of security they didn’t know before. Like how to unpack a URL to see if it’s malicious or legit. Or that an urgent, unexpected email might be a red flag to a phishing at- tempt. Reporting rates jumped! Many users have also asked if they are able to share the content with their family and friends to help educate them on how to identify and avoid key cybersecurity risks. Another aspect of the OutThink solution has been much richer metrics that allow Wajax to track many dimensions of security behavior, including: Click rates Credential capture rates Reporting rates Metrics by department and by segment

The wealth of metrics in OutThink has enabled the Security team to create regular scorecards for the leadership across the company, even the CEO. Security has experienced a significant rise in C-level engagement, all the way from the CEO to local field leadership looking at monthly reports from Security to check on the direction the company’s security culture has been trending. Security’s approach can now be different towards specific segments. For example, the set of high-risk users in Finance, HR and Supply Chain get refresher modules to raise competence at the specific attack tactics targeted at them. In pursuit of 360-degree engagement, the Security team also examines the user input collected seamlessly through the OutThink platform. There are multiple learnings Security has had a chance to take onboard. These learnings help shape policy, and implementation of policy for specific user subsets. In one example, a set of field techs expressed that having to reauthenticate every two hours on their mobile phones impeded customer service. This input came through the SAT platform. Having changed that requirement to every four hours, for some techs, increases their productivity, and their level of positive engagement with Security.

Do you feel like OutThink has successfully tackled the challenges? "Yes and the best way to describe the OutThink platform is to say it is Robust and Relevant. The depth of content and ability to tailor make it so much easier to bring relevant content to every user. With the great training from OutThink we’ve been able to get notable increases in user engagement.” Daniel Tobias - Director, Information Systems, Wajax Corporation