Wayfair Tech Blog

Do Your Part. #BeCyberSmart

October is National Cybersecurity Awareness month, and Wayfair believes security education and awareness is a critical component of our overall security program. This blog will outline how Wayfair’s Cybersecurity Awareness Program educates employees on how to act securely in the workplace and in their personal lives.

Wayfair’s cybersecurity awareness program has evolved over the years - as our company has grown, so has our focus on equipping employees with key security tactics to keep their own, our customers’, and our suppliers’ information safe.

Despite these iterations, our underlying belief that our employees should be prepared and protected from cybersecurity threats has remained constant. Along the way, we have learned a few tricks that work and a few that don’t to ensure our employees have access to the most relevant information for themselves, their families, and their jobs. We have particularly seen high levels of engagement by making what can often be a scary and overwhelming subject interactive and fun!

Driving Engagement

Education research no longer supports the idea that people are either purely auditory or purely visual learners; instead it encourages lessons that engage more than one sense and that are repeated and reinforced in a variety of ways. We’ve found this to be true, as not everyone engages with a topic like cybersecurity in the same way. People respond differently to various formats - some prefer video, some prefer emails or blog posts, some like memes or posters, some prefer contests, and still others prefer more interactive content.

Because of this, we offer a variety of awareness approaches to drive engagement. We also create an array of security content so that we can connect with different audiences. For example, our engineers may want to go deeper into secure coding practices, while our customer service team may look for more information about how to protect our customers’ information.

Taking into account learning preferences, we have encouraged cybersecurity education through ongoing awareness, by engaging new employees earlier in their tenure, and through targeted events and initiatives at different points during the year.

Ongoing Awareness

Throughout the year, we focus on several core awareness activities. We require an annual computer-based training exercise to cover the basics - phishing, ransomware, access control, PCI, and general security policies - that serves as a refresher for all employees as well as a space for sharing updated information and security tips in these areas.

We also go phishing ourselves. Our monthly phishing tests go out to large cross sections of the employee base and we provide instant feedback to the user if they click through or enter their information. We gather data from these regular exercises and measure results over time in order to keep a pulse on the effectiveness of our training. This actually led to an important observation a few years ago. We noticed that new hires were more likely to click through a phishing email compared to tenured employees. So we started developing content to engage new hires much earlier in their Wayfair journey - as early as their first week! To be fair, we do inform employees to expect a phishing email from security in their orientation session. We treat it as a fun exercise for all involved and we are very clear that we are never trying to “get” our employees - we are trying to help them improve.
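The measurement described above - tracking monthly simulation results and comparing new hires against tenured employees - can be expressed as a small analysis over the simulation export. The script below is an added illustration, not Wayfair’s tooling; the employee ids, hire dates, campaign dates and outcomes are constructed sample data, and the tenure buckets are an assumed choice.

```python
from collections import defaultdict
from datetime import date

# Constructed results from two monthly phishing simulations (hypothetical ids and
# dates, not real data). Fields: employee id, hire date, campaign send date,
# clicked the link, entered credentials on the landing page.
RESULTS = [
    ("e01", date(2020, 9, 14),  date(2020, 10, 5), True,  True),
    ("e02", date(2020, 9, 21),  date(2020, 10, 5), True,  False),
    ("e03", date(2019, 3, 4),   date(2020, 10, 5), False, False),
    ("e04", date(2018, 6, 11),  date(2020, 10, 5), False, False),
    ("e05", date(2020, 5, 1),   date(2020, 10, 5), False, False),
    ("e01", date(2020, 9, 14),  date(2020, 11, 2), True,  False),
    ("e02", date(2020, 9, 21),  date(2020, 11, 2), False, False),
    ("e03", date(2019, 3, 4),   date(2020, 11, 2), False, False),
    ("e04", date(2018, 6, 11),  date(2020, 11, 2), True,  False),
    ("e05", date(2020, 5, 1),   date(2020, 11, 2), False, False),
    ("e06", date(2020, 10, 26), date(2020, 11, 2), True,  True),
]

# Assumed tenure buckets: upper bound in days (inclusive) and a label.
TENURE_BUCKETS = [(90, "0-90 days"), (365, "91-365 days")]


def tenure_bucket(hired, sent):
    """Label an employee's tenure as of the campaign send date, not today."""
    days = (sent - hired).days
    for limit, label in TENURE_BUCKETS:
        if days <= limit:
            return label
    return "over 1 year"


def rates_by_tenure(results):
    """Click and credential-entry rates per tenure bucket."""
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "submitted": 0})
    for _emp, hired, sent, clicked, submitted in results:
        bucket = counts[tenure_bucket(hired, sent)]
        bucket["sent"] += 1
        bucket["clicked"] += int(clicked)
        bucket["submitted"] += int(submitted)
    return {
        label: {
            "sent": c["sent"],
            "click_rate": round(c["clicked"] / c["sent"], 3),
            "submit_rate": round(c["submitted"] / c["sent"], 3),
        }
        for label, c in counts.items()
    }


def monthly_click_rate(results):
    """Click rate per campaign, oldest first, for tracking the trend over time."""
    sent = defaultdict(int)
    clicked = defaultdict(int)
    for _emp, _hired, send_date, was_clicked, _submitted in results:
        sent[send_date] += 1
        clicked[send_date] += int(was_clicked)
    return [(d.isoformat(), round(clicked[d] / sent[d], 3)) for d in sorted(sent)]


def repeat_clickers(results, min_clicks=2):
    """Employees who clicked in at least min_clicks campaigns; these are the
    people who benefit most from extra, non-punitive coaching."""
    clicks = defaultdict(int)
    for emp, _hired, _sent, was_clicked, _submitted in results:
        clicks[emp] += int(was_clicked)
    return sorted(emp for emp, n in clicks.items() if n >= min_clicks)


if __name__ == "__main__":
    for label, stats in rates_by_tenure(RESULTS).items():
        print(f"{label:12} sent={stats['sent']:2} click={stats['click_rate']:.0%} "
              f"submit={stats['submit_rate']:.0%}")
    for campaign, rate in monthly_click_rate(RESULTS):
        print(f"{campaign}: click rate {rate:.0%}")
    print("repeat clickers:", repeat_clickers(RESULTS))
```

Computing tenure as of the send date rather than the reporting date matters: an employee who clicked in their first week but is now six months in should still count toward the new-hire cohort for that campaign, otherwise the new-hire signal washes out as the data set ages.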

We also send targeted awareness emails to new hires and work with internal communications teams to send reminders and updates across the entire company to reinforce secure work habits.

October Cybersecurity Awareness Month

We take advantage of the national awareness that Cybersecurity Awareness Month provides and go above and beyond our usual ongoing activities. And since this happens to coincide with Halloween in October, we have driven engagement by connecting the two themes. For example, we created a discussion forum called “Spooky Security Stories” where security practitioners at Wayfair can share either a real or imaginary “nightmare scenario” with the audience. (For those that really want to be spooked, a favorite is the story of the single hard drive Maersk flew to headquarters that allowed them to recover from NotPetya).

We also created interactive events aimed at building connections between our employees and the cybersecurity team in order to make the topic more approachable - such as an “Ask Me Anything” with our security leadership team and a career fair for aspiring security professionals. For employees who want to develop or practice their security capabilities independently, we offer security-themed scavenger hunts, security-based trivia, and a capture the flag (CTF) event.

Gamification

In coming up with these events, we have found that there is a benefit in gamification, where we encourage a little friendly competition and give out accolades and prizes. Often those prizes are security related - like a shiny new YubiKey - which helps further spread and reinforce best practices.

One event we ran for the first time last year was a “capture the flag” exercise that was so popular we are running it again this year. For the event, we asked people to form teams and hack away at a demo application. The goal is to find a series of hidden "flags" as teams progress through increasingly difficult challenges in the environment. The leaderboard is made available to watch in real time, and participants are able to see which teams take a more aggressive approach and which teams play a slower and steadier strategy. Last year, we saw a few leader changes towards the end of the event that made for an exciting finish! This event is open to all employees, but we typically see the most active participation from the Engineering team. We like to think that by encouraging developers to learn how their applications could be hacked, they’ll be better prepared to code defensively against those same types of attacks.

Another fun event we have run is our scavenger hunt, where we hide emoji Easter eggs (or maybe I should say pumpkins instead) in various places across our security and policy documentation. The first person to report each hidden location is awarded a prize.

Outside of Work

From time to time we’ve identified a need to educate our employees about security issues that can impact their personal lives. We’ve provided social media security guides for those who want a little help securing their personal social media accounts, and we work with our parent-focused resource groups to provide advice on how to keep kids safe online. While these may not be initiatives that directly drive security at Wayfair, even indirect engagement helps spread awareness and raises the bar for security everywhere.

Closing Thoughts

Security can be a complex topic, and we need to engage our employees in a variety of ways in order to deliver the most effective training possible. We try to keep training light but impactful so as not to alienate our employees and to encourage and grow any enthusiasm they may have for the subject matter.

If you are passionate about cybersecurity and would like to join an amazing team, please take a look at our open roles.