The Challenge
- Improve the airport’s cyber protection
- Create awareness on cybersecurity and compliance
- Make cybersecurity a corporate organisational process
The Solution
- Proofpoint Security Awareness Training
The Results
- Developed awareness of cybersecurity threats and best practices
- Implemented an efficient and user-friendly cybersecurity platform
- Gained the ability to customise content and carry out ad hoc tests
The Challenge
At the airport, all forms of security are essential: not only physical security, but cybersecurity too. The airport therefore has a series of compliance obligations that become increasingly stringent over time. These are defined by national, international and sector authorities, such as ENAC. Failure to comply with these rules could lead to economic sanctions, some of which can be very heavy.
To comply with these regulations, the airport’s security team needed to implement training processes on topics such as physical security, airport safety and, for some time now, cybersecurity. And as with any service to the community, business continuity must be guaranteed. This includes the security of the information that passes through the airport’s information systems every day.
“As with physical security, cybersecurity depends, to a large extent, on the behaviour of individual users. And many of our users don’t have a standard workstation, but carry out their work with mobile and shared tools. We also need to be able to reach colleagues who, for operational reasons, have specific training needs,” explains Luigi Ricchi, information security manager at Bologna Airport.
Their second, but no less important, objective was to include cybersecurity among the established business processes at an organisational level. This would take it out of a purely technological sphere and extend its scope to a full-fledged corporate function.
The Solution
The Bologna Airport team decided to create a set of corporate best practices aimed at employees, which would raise the overall level of security. After a European call for proposals for corporate cybersecurity training projects, they launched the selection process. And after careful analysis and evaluation, they chose Proofpoint.
Proofpoint Security Awareness Training was selected for its ease of use and because it gave the airport’s IT team the ability to manage the content directly, customising individual actions.
“The direct support we received from Proofpoint was particularly helpful in this first phase. We had a resource with us step by step through the implementation and customisation process. This ensured that the platform would respond perfectly to our wishes,” adds Luigi Ricchi.
With Proofpoint Security Awareness Training, the team was able to implement a modular training plan. They started small, with only a limited group of users. The goal was to verify their degree of knowledge of cybersecurity principles and determine how well they adhered to behavioural guidelines. They launched these knowledge assessment tests and simulated phishing attacks, targeting various categories of employees in the company.
The Results
The first phase, the training phase, was successfully implemented. Then all 540 employees at the airport were involved, with positive results in many respects. Employees are tested on an ongoing basis with customised content, which can be varied from time to time, using different templates that are always up to date.
“The Proofpoint platform is comprehensive, the content is updated in a very timely manner and it’s linked to current events. It’s simple and easy to use. Its great flexibility has allowed us to reach even employees whose work does not involve using a PC every day, but who may still have access to potentially critical systems that are connected to the company network,” adds Luigi Ricchi.
They started the training with an initial 50% positive result for their simulated phishing attacks. They used different lures and techniques, such as sending fake invoices from shipping companies or dangerous links related to current topics. This tested the level of “risk understanding” that their employees have regarding email messages.
After the first training and awareness programmes, the number of reports of phishing messages increased significantly, reaching a positive result of 70%. The airport’s goal is to reach 80% with at least 90% of the airport population involved. The test sessions—a minimum of six per year—are combined with classroom training to educate employees on the evolving threats and the increasingly sophisticated techniques used by cyber criminals. They give them the knowledge and tools they need to defend themselves, not only when working, but also at home. And all employees who reach a threshold of 80% receive a certificate of success.
“We have embarked on a path that puts all employees at the centre of the process when it comes to cybersecurity, and not just those dealing with technology. Our people have become our first line of defence, so training and awareness are crucial. We know that everyone’s behaviour can make a difference. And with Proofpoint, we have a powerful and effective tool to be able to continuously improve awareness levels throughout our organisation,” concludes Luigi Ricchi.