The challenge: Raising awareness on the scale of a major banking group

For a banking giant like Crédit Agricole, one of the leading European banking groups, cybersecurity awareness is not an option but a regulatory and operational obligation. With thousands of employees spread across regional banks and specialised subsidiaries, the Group Cybersecurity Directorate (CASA) aimed to revolutionise its awareness strategy for the 2024-2025 annual edition.

[SUGGESTED IMAGE: Dashboard of the platform showing the main KPIs of Crédit Agricole]

The stakes of a group initiative

Scale and diversity challenges

• Massive scope: 10,000+ employees to raise awareness

• Entity heterogeneity: Regional banks, business subsidiaries, support functions

• Variable maturity levels: from complete novices to cyber-savvy professionals

• Geographic coverage: national presence with local specifics

Organisational requirements

• Strong communication dimension: the initiative must be visible, driven by management

• Clear KPIs: need for clear indicators for steering and reporting

• Short time-to-market: launch in less than 2 months

• Distinctive approach: move away from repetitive classic formats

Regulatory and business constraints

• Compliance with NIS2, DORA, and banking sector directives

• Obligations for regular employee training

• Traceability and auditability of awareness actions

• Covering priority themes (fraud, phishing, passwords, GDPR)

🏦 BANKING CONTEXT

In the banking sector, cybersecurity is a matter of reputation, compliance, and business continuity. Every employee handles sensitive data and may be the target of sophisticated attacks (business email compromise, targeted phishing, social engineering). Awareness is not a "nice to have" but a pillar of the defence strategy.

The solution: A tailored SaaS awareness platform

Brain Security has deployed its tailored SaaS awareness platform to meet the needs of the Crédit Agricole Group. A cloud-based, scalable solution that reaches all entities simultaneously with centralised governance.

[SUGGESTED IMAGE: Screenshots of the user interface with personalised CA journeys]

Platform architecture

Customised journeys aligned with Group priorities

• Calibrated themes: phishing, ransomware, transfer fraud, GDPR, passwords, deepfakes

• Difficulty levels: beginner, intermediate, expert journeys

• Business contextualisation: questions tailored to banking realities (transfers, vaults, customer data)

• Continuous updates: regular new content based on threat news

Competitions spread over the period

• Regular rhythm: weekly or fortnightly competition launches

• Real-time rankings: motivation through collective emulation

• Collective momentum: orchestrated attention peaks, group dynamics

• Rewards: podiums, certifications, internal recognition

Integrated communication kit

• Automated save-the-dates before each competition

• Scheduled reminders to maximise participation

• Post-event summaries with statistics and podiums

• Customisable templates in the Group's colours and tones

Centralised steering and reporting

• Real-time dashboard: instant view of participation by entity

• CSV exports for in-depth analyses (participation, scores, progression)

• Impact summaries: reporting documents for the Executive Committee and cyber committees

• Flexible granularity: drill-down from Group to entity, even team level

Time-to-Launch: from 0 to 10,000 in 2 months

Weeks 1-2: Scoping & customisation

• Scoping workshop with CASA: objectives, targets, priority themes

• Platform customisation (branding, content, tone)

• Definition of competition calendar and success KPIs

Weeks 3-4: Journey & competition configuration

• Configuration of thematic journeys and difficulty levels

• Setup of competition mechanics (scoring, rankings, durations)

• Technical tests and briefing with the pilot team

Weeks 5-6: Pre-launch communication

• Validation of the communication kit with internal Com’ teams

• Preparation of local relays (cyber leads in the Banks and subsidiaries)

• Teasing campaign for future participants

Week 7: Go-live

• Platform opened to the entire scope

• Launch of the first Group competition

• Continuous user support and animation

📊 GROUP RESULTS

• 10,000+ users engaged on the platform

• 100,000+ competition rounds played

• 100% of entities reached (Regional banks + subsidiaries)

• The most striking campaign according to Catherine Fourquier, Head of Cyber Awareness at CASA

The results: A transformation of the Group's cyber culture

Exceptional quantitative performance

The figures speak for themselves:

• 10,000+ engaged employees: unprecedented participation rate for an awareness initiative

• 100,000+ rounds played: demonstration of ongoing engagement, not a one-off

• Total coverage: 100% of Banks and subsidiaries reached, full coverage objective achieved

• High completion rate: the majority of participants complete the journeys

[SUGGESTED IMAGE: Infographic showing geographical distribution and participation evolution over time]

Qualitative and cultural impact

For employees

• Engaging experience: fun format that differs from traditional training

• Progressive learning: opportunity to replay, progress at one's own pace

• Motivating competition: rankings create stimulation without stress

• Recognition: promotion of the best through podiums and internal communications

For local entities (Banks, subsidiaries)

• Simplicity of adoption: no local logistics, everything managed by the Group

• Visibility of engagement: participation stats usable locally

• Creation of relays: emergence of local cyber champions

• Team cohesion: competitions create shared moments

For the Group Cyber Directorate (CASA)

• Strategic visibility: the initiative becomes the reference for the awareness policy

• Objective data: clear KPIs for steering and arbitration

• Facilitated communication: concrete support for dialogue with Executive Committees and businesses

• Proven scalability: ability to orchestrate a massive initiative successfully

Testimonial from the Head of Cyber Awareness

"The most striking awareness campaign we've conducted at CASA."

— Catherine Fourquier, Head of Cyber Awareness, Crédit Agricole

This testimonial underlines the distinctive impact of Brain Security's approach:

• Breakaway from traditional formats seen as constraining

• Measurable engagement, exceeding previous campaigns

• Collective dynamic created on a Group scale

• Tangible ROI in terms of participation and memorisation

[SUGGESTED IMAGE: Quote from Catherine Fourquier in testimonial format with photo]

🎯 INSIGHT FOR CISOs

"To raise awareness on a large scale, technology alone is not enough. You must combine a robust platform, an ambitious communication strategy, and an educational approach that prioritises engagement over obligation. CA's success shows that mass mobilisation is possible with the right levers."

Why this SaaS approach works on a large scale

Key success factors

1. Native scalability The cloud platform supports 10,000+ simultaneous users effortlessly. No bottleneck, no performance degradation.

2. Configuration flexibility Each entity can have its specific journeys while participating in Group competitions. The setup addresses heterogeneity without fragmenting the initiative.

3. Centralised management The Group Directorate retains control over strategy, content, calendars, while giving autonomy to local entities. Balance between central governance and decentralised execution.

4. Orchestrated communication The integrated communication kit transforms the CASA team into a ‘conductor’ able to punctuate the year with planned highlights.

5. Actionable data Exports and dashboards are not just vanity metrics but management tools identifying gaps, success stories, areas for improvement.

[SUGGESTED IMAGE: Architecture diagram showing centralised governance and distributed execution]

Sectoral applicability

The SaaS awareness model adapts to all sectors needing multi-entity orchestration:

Banking and insurance sector

• Banking groups with branch networks

• Insurance companies with business subsidiaries

• International financial institutions

Industry and energy

• Multi-site industrial groups

• Energy providers with production and distribution networks

• Conglomerates with diversified subsidiaries

Retail and distribution

• Retail chains with store networks

• E-commerce groups with logistics warehouses

• Franchises needing homogenisation

Public and semi-public services

• Decentralised administrations

• Operators of essential services

• Public organisations in networks

Extending impact and evolving the system

Next steps for Crédit Agricole

Geographic and business sector extension

• Deployment in the Group's international subsidiaries

• Adapting content to local regulatory specifics

• Creation of highly specialised journeys by role (trader, advisor, risk manager)

New priority themes

• Deepfakes: major issue for identity verification and fraud detection

• Payment fraud: increasingly sophisticated scenarios

• AI and emerging risks: awareness of new attack vectors

• Resilience: cyber crisis management, business continuity

Recurring competition cadence

• From annual campaign to permanent cadence (monthly competitions)

• Creation of thematic "seasons" (S1 = phishing, S2 = ransomware, etc.)

• Organisation of inter-Bank championships with a national final

• Integration into the onboarding pathways of new employees

Integration into the cyber ecosystem

• Correlation with simulated phishing campaigns (crossed results)

• Link with formal cyber training (certifications, MOOC)

• Feeding the individual training plan based on results

• Identification of high potentials for ambassador programs

Platform evolution

Advanced personalisation

• Adaptive AI adjusting difficulty to each user's level

• Pathway recommendations based on history and job profile

• Automatic content generation based on threat news

Third-party integrations

• SSO with Active Directory / Azure AD for simplified access

• Exports to corporate LMS for centralised training

• APIs for integration into CISO management tools (SIEM, GRC)

Enhanced gamification

• System of badges and achievements

• Progression pathways with unlocked levels

• Collaborative challenges (inter-service teams)

• Tangible rewards (recognised certifications, awards)

[SUGGESTED IMAGE: Product roadmap showing planned developments over 12-24 months]

💡 STRATEGIC ADVICE

The success of a massive awareness initiative rests on three pillars: (1) technology that handles the load without friction, (2) a communication strategy as developed as the product itself, (3) a pedagogical approach that favours voluntary engagement over enforced obligation. Crédit Agricole exemplifies this successful triangulation.

Measuring the ROI of a large-scale awareness initiative

Quantifiable success metrics

Engagement metrics

• Participation rate (% of target workforce having played at least once)

• Number of games per user (addiction / recurrence indicator)

• Average session duration (sign of sustained attention)

• Completion rate of journeys (completion vs abandonment)

Learning metrics

• Average score progression (demonstration of learning)

• Success rate by theme (identification of gaps)

• Comparison before/after real phishing campaign (correlation)

• Average resolution time (decision-making speed)

Organisational metrics

• Coverage by entity (homogeneity of deployment)

• Participation rate by hierarchical level (manager buy-in)

• Geographical distribution (central/regions balance)

• Cost per sensitised employee (efficiency)

Cyber impact metrics

• Decrease in click rate on simulated phishing (before/after awareness)

• Number of phishing attempt reports (increased vigilance)

• Incident detection time (improved responsiveness)

• Regulatory compliance (proof of awareness for audits)

[SUGGESTED IMAGE: Reporting dashboard showing main KPIs with period comparison]

Return on investment

Simplified ROI calculation

Investment:

• SaaS platform licence

• Configuration time (internal + Brain)

• Communication and animation

• = X € over 12 months

Tangible gains:

• Reduction in cyber risk (estimated via probabilistic models)

• Avoidance of traditional training costs (bought e-learning, in-person sessions)

• IT time savings (automation vs manual handling)

• Regulatory compliance (avoidance of penalties)

• = Y € over 12 months

ROI = (Y - X) / X

For Crédit Agricole, with 10,000+ users and 100,000+ games, the ROI is significantly positive in the first year, notably due to:

• The measurable reduction in click rate on simulated phishing

• Cost savings on external training that would have cost several hundred euros per employee

• Proven compliance with NIS2/DORA requirements

• Valuation with the regulator and clients (trust)

Want to deploy a similar solution?

The Brain Security SaaS platform adapts to organisations of all sizes, from SMEs to multinationals. Short time-to-market, native scalability, advanced reporting.

Next steps:

• Start a pilot → brainsecurity.io/contact

• See a 15-minute demo → brainsecurity.io/demo

• Download the full case study → brainsecurity.io/case-credit-agricole

• Talk to our team to assess fit for your context