Why Gareth Thomas created a social media style security awareness training program for Lloyds Bank Group

Senior Manager of Security Education and Awareness at Lloyds Bank, Gareth Thomas drew inspiration from social media platforms when he created Safe & Secure, a branded security awareness training (SAT) communications function. Tasked with maximizing employee SAT engagement, the 6-person team's fun and innovative approach has helped transform security culture at Lloyds. Here’s how, and why, they created a social network-style communications experience for SAT.

Post hero image

Table of contents

Reduce your human cyber risk
Hoxhunt's adaptive security training dramatically increases engagement and security resilience.
Learn more

Key takeaways

  • Safe & Secure is an internal cybersecurity communications brand that's geared for engagement
  • Gareth used his background in media to make cybersecurity fun and engaging
  • Safe & Secure is built on a social media-style experience of short videos and memes that make cybersecurity lessons sticky and scrollable
  • The heart of the Safe & Secure experience looks completely different from the technical infrastructure on which it’s built because it’s made to be interactive and engaging

HOW TO IMPLEMENT A SOCIAL NETWORK FOR SAT PROGRAM

According to Gareth, it's clear that a key element to successfully implementing a social network approach to security awareness is having the right team with diverse skill sets. It's important to invest in talent that can create high-quality, engaging, and tailored content. Outsourcing can be an option, but having an in-house team allows for quicker response times, cost-effectiveness, and customized content that aligns closely with the company's culture and needs.

For organizations considering this approach, it's essential to start by understanding their audience, what resonates with them, and how they consume information. Building a strategy that combines these insights with high production values, creativity, and the right timing can significantly impact security awareness and behavior within the organization. Remember, it's not just about conveying a message; it's about making that message memorable, engaging, and actionable.

[.c-quote-box][.c-quote-wrapper][.c-quote-icon][.c-quote-icon][.c-quote-right-col][.c-quote-text-wrapper][.c-quote-text]Be daring. Try different things. See what happens, and maybe it'll be a massive success.[.c-quote-text][.c-quote-text-wrapper][.c-quote-name-wrapper][.c-quote-name]Gareth Thomas, Lloyds Bank Group, Senior Manager of Security Education and Awareness[.c-quote-name][.c-quote-name-wrapper][.c-quote-right-col][.c-quote-wrapper][.c-quote-box]

What is Safe & Secure, and how is it helping Lloyds achieve what you call, "Commitment over compliance" in security awareness?

We run our security information and our education as much as we possibly can in a really engaging and entertaining way… We have a brand that we communicate under, which we call Safe & Secure… and we try to make it as engaging and as enjoyable as possible.

My daughter often says strict parents breed sneaky kids, which I think is a great quote. What I'm looking for really from our audience is commitment that they know that security is important, and they truly believe that. And that even when nobody's looking, they want to do the right thing. And if if I could get people, across the whole group to be truly committed to security, then I then I know that I've succeeded enough. I've won in my quest. This program is about commitment over compliance.

Why did you take a social media approach to security awareness training?

When I joined the role, there was existing mandatory training, and some of it was really good… But, honestly, I don't think it was engaging enough…

And so we started to think, ‘Well, how do we make this as fun as possible?’ And that's where we've adopted the approach, really, of making it more like social media. You know, it's a really crowded marketplace when it comes to communications. In a big corporate like Lloyds Banking Group, it's fifty eight thousand people who work for us. There's countless different departments all talking about all different things. They're all important. So how do you differentiate yourself? How do you make your message be heard? And it's not as simple as just going to, you know, the corporate head office and saying, hey, guys, will you just talk about security for me?

They kinda go, well, I've got a lot of other other stuff that I wanna talk about. So, really, we have to forge our own path and make our content more interesting than everybody else's and differentiate it. And you think, ‘Well, how do I do that? What are people looking at in their own time?’ And it's social media.

They're looking at their phones. They're absorbing content in lots of different ways. And there's so many very clever people working in social who have caught on some really great psychological reasons for doing things. And we've gone: How can we be inspired by that within the constraints of a corporate? And really, we've tried to be as different as possible.

What does a branded cybersecurity social media company look like in practice?

Safe & Secure is a communications brand that's quite deliberately not organizational. So our organizational brand, like many companies, is the chief security office. And they have to be serious. They've got a really serious job to do. They’re facing into business stakeholders, and they're announcing important (corporate) things. So we think that actually communicating as the Chief Security Office has a different feel to the kind of persuasive social element than we're trying to achieve.

So we start by saying we're Safe & Secure. We've got our own color palette. It's trying to be what it says on the tin. It's trying to get that feeling that I want to be safe and secure. And we're pulling on the motivations that people naturally have in their lives. So they want to keep their elderly parents safe. They want to keep their children safe. They want to avoid being scammed. You know? They want useful information that they can use in their own life.

So for example, we use Yammer… extensively to create a stream of content that’s constantly being updated so that people have new content to constantly see, and new messages to see. So we might have the latest scams, which we keep up to date. It might be a campaign that we've got related to something that's happening in the world.

What’s an example of that reward-based social media design in your Safe & Secure program?

So in the UK, there's a really popular baking program. I don't know if, you know, people around the world get that. I'm sure people do, but we will have our own baking competition if that's what we want.

The Football World Cup and the Women's and the Men's Football World Cup, we tapped into that as well.  So we created a campaign around that, where each team had its own  page. That page carried a story about a cyber attack in that country. You could collect the stickers off each page and put them in your virtual sticker book.

So every individual when they went to the site, there was a cookie that personalized their sticker book, and as they opened their sticker book digitally, it all opened up, like beautiful pages. And there were empty spaces. And, of course, the natural psychology for people is to want to fill in those spaces with stickers.

So they were going backwards and forwards between the sticker book and going, ‘I haven't got Finland.’ Right. Quick. Go and read the article about Finland, and then you know, they've got a complete sticker book. And at the end of that, if they've completed this sticker book, they got a prize and those kind of things. So those kind of little apps and things are really appealing. So we're constantly pushing content to people.

What kinds of problems are you trying to solve and how do you do that through content?

Depending on the problem and what we're trying to solve, we'll think, well, how do we do this differently? So one of the things that we face is people trying to scam employees through WhatsApp. Now WhatsApp is not one of our strategic communications tools. That's not a work tool.

But, of course, people were getting messages coming in saying, ‘Oh, it's your boss's boss here. I need you to buy me some gift cards’ or something. And we wanted people to experience what that was like in a safe environment. So as we're writing an article about WhatsApp and communications and that kind of thing, we actually created a simulator. So it took the information about the colleague that was looking at that page. It found out through our active directory what their name was, their boss's name was, and what their boss's boss's name was, and we crafted it so that it looked familiar as WhatsApp. It showed their boss's boss contacting them, and it quoted their boss's name saying, oh, you know, so and so has asked me to get in touch, that you'd help me. I'm away at the moment. I need you to get me some vouchers and send me that spreadsheet.

And it was really interesting because you we had people phone us up and go, ‘How? What? You've used my name and my boss's name on this page, and I don't want everyone seeing that.’ And we’re like, ‘No, it's personalized to you. It's just you that's seeing it.’ That kind of delight Is what you find on social media. It's that surprise, it's that kind of addictive element to it that that we're trying to to get across to people.

Do you use multi-media to to push people along a content journey to security awareness?

There's a very popular social media network. You may have heard of it. It's called TikTok. It's very popular with the children. My daughters are never off it. I don't personally have it, but it's really popular. Or, you know, YouTube shorts. Same deal, right? So these kind of reels, these short videos, fifteen seconds, and I have to admit that I've been on YouTube shorts. I am finding myself looking through these videos. And then an hour has gone by, and I kind of emerged from this strange coma that I've been in thinking, What have I been doing? Where have I been going? We sent well, that looks good. We've got to do that.

Now we can't send colleagues off to TikTok. Sites like that quite legitimately are not accessible through the group. So we created our own. So we've got Microsoft tools, but there's no TikTok version. You know, the Microsoft suite doesn't supply a TikTok style player, so we built our own. And I've got a very clever guy who works for me who created effectively a page for video reels. And the rest of the team all kind of pitched in and said, ‘Right, we can make reels.’

We all learned to do it and we've made over a hundred now. We got colleagues who said, do you wanna make a reel? They're like, yeah, I'll do that. And they're sending us stuff, some really clever stuff, too.

And now when a colleague goes to that page, they get a reel and then when that's finished--fifteen, twenty seconds, all about security--it automatically scrolls to the next one and plays you the next video, and the next, and the next, and the next, it just goes on and on. And they're all different. They're all got their own little quirks and stuff.

We've had colleagues say, you know, I watched one fifteen second video, and then half an hour later, I realized I was late for a meeting. We're like, yes. That's amazing! Yes. We've done it. You know, we've hooked you onto security training, and you didn't even realize that you were doing it. So that's that's the the the joy and the brilliance of social media, I guess, and why we think that that is the way to go forward.

How do you measure the success of your SAT social media program?

We have a branded newsletter. We pick out the very best of our content from that month and it highlights what's coming up, and we publish those and send it out to the company. We get a cracking click-through rate. Really, really good.

It's always a little bit hard to measure sometimes because the tools that we've got are not designed for this kind of stuff. They're designed for office collaboration. So when you try to use them in a slightly offbeat way, like, you know, putting a shorts platform on, that is sometimes a bit hard to measure. But we do get a really good click-through rate, and people do enjoy that kind of stuff.

So, you don't employ six people (as we have in Safe & Secure) and then go, ‘Well, you know, it doesn't matter what you're achieving.’ They (leadership) are very keen to know. And I feel a duty as the lead of the team that we can supply evidence that we're doing useful stuff.

Now, how do you link (security) behavior to an article or to an individual piece of education or even, a whole stream of education? It's really hard to do. So we know that people come to our content. We get… in the millions of views or millions of impressions. Which is amazing. It makes some of our communication professionals come to us crying (in jealousy over) the amount of footfall that we get through our site.

We've got all the normal analytics of unique visitors, visitors, times of day, all that kind of stuff. All that you'd expect to do. And, obviously, we're monitoring really closely all of the things that we could measure within any security organization.

We have a phishing simulation program like many organizations do. So we're looking really carefully about that and everything from, you know, how many people lost their password to you name it. So we try as much as we can to keep a close eye on that. And if we see any of those going the wrong way, we'll create a campaign immediately to try and combat that particular risk that's increasing.

[.c-quote-box][.c-quote-wrapper][.c-quote-icon][.c-quote-icon][.c-quote-right-col][.c-quote-text-wrapper][.c-quote-text]We run phishing simulations, about two a year. And we've changed the dial on that a lot... One of the most powerful things we did actually was send out a Goldfish Award. And it was to everybody that had spotted and reported a phishing simulation. They got an email that had nice graphics, lovely production, but it just said, you know, “You're awesome! We really appreciate you. You spotted it, you reported it, and that's brilliant.” And then if you spotted it and didn't click on it, but you didn't report it, we said you're still awesome, but you could be even more awesomer... [.c-quote-text][.c-quote-text-wrapper][.c-quote-name-wrapper][.c-quote-name]Gareth Thomas, Lloyds Bank Group, Senior Manager of Security Education and Awareness[.c-quote-name][.c-quote-name-wrapper][.c-quote-right-col][.c-quote-wrapper][.c-quote-box]

Phishing for praise in security awareness: The power of positivity

Eliot Baker: What's interesting, because it’s similar to what we do too, as we take a very positive approach to this and rewarding to kinda help security raise their profile, to help people find out that cybersecurity is cool. They're approachable. You go from being the hall monitor to the popular kid in class. And I wonder if that's something that you've talked about, not just with your own team in Safe & Secure, but beyond. Have you found that you've elevated the whole profile of cybersecurity with an enjoyable, engaging experience around awareness?

Gareth Thomas: It is really easy to see security as the ministry of no. People don't always see cyber risk on a day to day basis. They don't see the companies around them going down, and they kind of think it's all hypothetical because it's never happened to them. People install burglar alarms the day after the burglary, you know? It never happens to you until it does happen to you. You mentioned positivity.

We run phishing simulations, about two a year. And we've changed the dial on that a lot. I know that you've spoken about phishing simulations before on this show.

One of the most powerful things we did actually was send out a Goldfish Award. And it was to everybody that had spotted and reported a phishing simulation. They got an email that had nice graphics, lovely production, but it just said, you know, “You're awesome! We really appreciate you. You spotted it, you reported it, and that's brilliant.” And then if you spotted it and didn't click on it, but you didn't report it, we said you're still awesome, but you could be even more awesomer. (Laughing) I don't think we used those exact words, but nonetheless, we said, “Brilliant. But don't forget next time to do this.”

The feedback we got on that was incredible. People were like, oh, I appreciate it. It crashed our mailbox. People were replying to us saying, “Oh, thanks! Thank you.” You know? Because it felt like for a long time, security was that, “No, no, no, no, no,” and they looked sternly at their shoes and then disappeared off again once they told you off.

But to be to be rewarded and thanked for for something, you know, as perceived as being unimportant, like reporting a phishing email, which actually is one of the most important things people can do. We were really excited about it. And I kid you not, we had one person contact us saying, actually, life's been a bit rubbish for me, and I've been really down, and this just lifted me this morning.

Eliot Baker: That's amazing.

[.c-quote-box][.c-quote-wrapper][.c-quote-icon][.c-quote-icon][.c-quote-right-col][.c-quote-text-wrapper][.c-quote-text]The feedback we got on that was incredible... It crashed our mailbox. People were replying to us saying, “Oh, thanks! Thank you.” You know? Because it felt like for a long time, security was that, “No, no, no, no, no,” and they looked sternly at their shoes and then disappeared off again once they told you off. But to be rewarded and thanked for something perceived as being unimportant, like reporting a phishing email, which actually is one of the most important things people can do. We were really excited about it. And I kid you not, we had one person contact us saying, 'Actually, life's been a bit rubbish for me, and I've been really down, and this just lifted me this morning. And it brought a tear to my eye reading this email because I couldn't believe it myself. Saying thank you is so important, isn't it?[.c-quote-text][.c-quote-text-wrapper][.c-quote-name-wrapper][.c-quote-name]Gareth Thomas, Lloyds Bank Group, Senior Manager of Security Education and Awareness[.c-quote-name][.c-quote-name-wrapper][.c-quote-right-col][.c-quote-wrapper][.c-quote-box]

Gareth Thomas: I know. And it brought a tear to my eye reading this email because I couldn't believe it myself. Yeah. Saying thank you is so important, isn't it?

Eliot Baker: It is. It's amazing what can happen when you replace the stick with a carrot at scale. It's amazing what can happen when you stop slapping people's wrists and start giving them high fives. Obviously, Hoxhunt is predicated around phishing training. But the approach is really similar, philosophically, to what you've been talking about. It's rewarding people. It's making it engaging and fun and making people feel a real sense of shared responsibility as opposed to being afraid of being putting in the stockade, being put into solitary confinement for causing any kind of a problem. So, that's a great story to finish on.

Gareth Thomas: Well, we're all trying to do the same thing. Which is to keep everybody safe and keep the criminals at bay, really. So it's been a pleasure to talk to you and great fun too.


Watch the whole video

Gareth and his social media-style SAT program are innovative and inspiring. Cybersecurity can actually be fun! The above portion of the conversation is just scratching the surface. Watch the whole video for practical tips and insights into building a different kind of security awareness training program.

Want to learn more?
Be sure to check out these articles recommended by the author:
Get more cybersecurity insights like this