The Challenge: Raising Awareness on a Major Banking Group Scale

For a banking giant like Crédit Agricole, one of Europe's leading banking groups, cybersecurity awareness isn't optional; it's a regulatory and operational necessity. With thousands of employees spread across regional banks and specialised subsidiaries, the Group Cybersecurity Directorate (CASA) was looking to revolutionise its awareness approach for the 2024-2025 annual edition.

The Stakes of a Group-Wide Initiative

Challenges of Scale and Diversity

• Vast Scope: Over 10,000 employees to be sensitised

• Diversity of Entities: Regional banks, specialised subsidiaries, support functions

• Variable Maturity Levels: From complete novices to skilled cyber professionals

• Geographical Coverage: National presence with local specifics

Organisational Requirements

• Strong Communication Dimension: The initiative must be visible and championed by leadership

• Clear KPIs: Need for readable indicators for management and reporting

• Short Time-to-Market: Launch in less than 2 months

• Differentiating Approach: Breaking away from tired, classic formats

Regulatory and Business Constraints

• Compliance with NIS2, DORA, and sectoral banking directives

• Regular training obligations for employees

• Traceability and auditability of awareness actions

• Coverage of priority themes (fraud, phishing, passwords, GDPR)

🏦 BANKING CONTEXT

In the banking sector, cybersecurity is a matter of reputation, compliance, and business continuity. Every employee handles sensitive data and might be targeted by sophisticated attacks (CEO fraud, targeted phishing, social engineering). Awareness isn't a "nice to have" but a cornerstone of defence strategy.

The Solution: A Bespoke SaaS Awareness Platform

Brain Security deployed its customised SaaS awareness platform specifically for Crédit Agricole Group's needs. A cloud solution that's scalable, enabling simultaneous engagement across all entities with centralised governance.

Platform Architecture

Customised Journey Aligned with Group Priorities

• Calibrated Themes: Phishing, ransomware, wire fraud, GDPR, passwords, deepfakes

• Difficulty Levels: Beginner, intermediate, expert journeys

• Business Contextualisation: Questions tailored to banking realities (transactions, vaults, customer data)

• Continuous Updates: Regular new content based on threat news

Competitions Over the Period

• Regular Rhythm: Weekly or fortnightly competition launches

• Real-Time Rankings: Motivating collective emulation

• Collective Momentum: Orchestrated peaks of attention, group dynamics

• Rewards: Podiums, certifications, internal recognition

Integrated Communication Kit

• Automatic Save-the-Dates before each competition

• Scheduled Reminders to maximise participation

• Post-Event Recaps with statistics and podiums

• Customisable Templates in the Group's colours and tones

Centralised Management and Reporting

• Real-Time Dashboard: Instant view of participation by entity

• CSV Exports for in-depth analyses (participation, scores, progress)

• Impact Summaries: Reporting documents for EXCOM and cyber committees

• Flexible Granularity: Drill-down from the Group to entity and even team level

Time-to-Launch: From 0 to 10,000 in 2 Months

Weeks 1-2: Scoping & Customisation

• Scoping workshop with CASA: Objectives, targets, priority themes

• Platform customisation (branding, content, tone)

• Definition of the competition schedule and success KPIs

Weeks 3-4: Journey & Competition Setup

• Theme journeys and difficulty level settings

• Competition mechanics configuration (scoring, rankings, durations)

• Technical tests and trial with pilot team

Weeks 5-6: Pre-Launch Communication

• Validation of the communication kit with internal comms teams

• Preparation of local relays (cyber contacts in banks and subsidiaries)

• Teaser campaign for future participants

Week 7: Go-live

• Platform opened to all entities

• Launch of the first Group competition

• User support and ongoing engagement

📊 GROUP RESULTS

• 10,000+ users engaged on the platform

• 100,000+ competition matches played

• 100% of entities reached (regional banks + subsidiaries)

• Most memorable campaign according to Catherine Fourquier, Head of Cyber Awareness at CASA

The Results: A Transformation of the Group's Cyber Culture

Exceptional Quantitative Performance

The figures speak for themselves:

• 10,000+ engaged collaborators: Unprecedented participation rate for an awareness initiative

• 100,000+ matches played: Demonstrating repeated engagement, not a one-off

• Total Coverage: 100% of banks and subsidiaries reached, objective of comprehensiveness achieved

• High Completion Rate: Most participants complete the journeys

  
  

Qualitative and Cultural Impact

For Employees

• Engaging Experience: A fun format that changes from traditional training

• Progressive Learning: Ability to replay, progress at one's own pace

• Motivating Competition: Rankings create emulation without stress

• Recognition: Valuation of the top performers through podiums and internal communications

For Local Entities (Banks, Subsidiaries)

• Ease of Adoption: No local logistics, everything managed by the Group

• Visibility of Engagement: Participation statistics usable locally

• Creation of Relays: Emergence of cyber champions at the local level

• Team Cohesion: Competitions create sharing moments

For the Group Cyber Directorate (CASA)

• Strategic Visibility: The initiative becomes a reference for awareness policy

• Objective Data: Clear KPIs for management and decisions

• Facilitated Communication: Concrete support for dialogue with EXCOM and business units

• Proven Scalability: Ability to successfully orchestrate a massive initiative

Testimony from the Head of Cyber Awareness

"The most memorable awareness campaign we have conducted at CASA."

— Catherine Fourquier, Head of Cyber Awareness, Crédit Agricole

This testimony highlights the distinctive impact of Brain Security's approach:

• Break from traditional formats seen as merely obligatory

• Measurable and superior engagement compared to previous campaigns

• Collective dynamics created at the Group level

• Tangible ROI in terms of participation and memorisation

  
  

🎯 LESSON FOR CISOs

"To scale awareness, technology alone is not enough. You need to combine a robust platform, ambitious communication strategy, and a pedagogical approach that favours engagement over obligation. CA's success shows that massive mobilisation is achievable with the right levers."

Why this SaaS Approach Works at Scale

Key Success Factors

1. Native Scalability The cloud platform confidently supports 10,000+ simultaneous users. No bottlenecks, no performance degradation.

2. Configurability Flexibility Each entity can have its specific journeys while participating in Group competitions. The setting allows for addressing diversity without fragmenting the initiative.

3. Centralised Management The Group Directorate maintains control over strategy, content, schedules, while giving autonomy to local entities. Balance of central governance / decentralised execution.

4. Orchestrated Communication The integrated communication kit turns the CASA team into a "conductor" able to rhythm the year with planned highlights.

5. Actionable Data Exports and dashboards are not mere vanity metrics but management tools for identifying gaps, success stories, areas for improvement.

Sectoral Applicability

The SaaS awareness model adapts to all sectors with the need for multi-entity orchestration:

Banking and Insurance Sector

• Banking groups with agency networks

• Insurance companies with business subsidiaries

• International financial institutions

Industry and Energy

• Multi-site industrial groups

• Energy providers with production and distribution networks

• Conglomerates with diversified subsidiaries

Retail and Distribution

• Retail chains with store networks

• E-commerce groups with logistics warehouses

• Franchises needing homogenisation

Public and Parapublic Services

• Decentralised administrations

• Essential service operators

• Networked public establishments

Sustaining Impact and Evolving the System

Next Steps for Crédit Agricole

Geographical and Business Extension

• Deployment in the Group's international subsidiaries

• Adaptation of content to local regulatory specifics

• Creation of highly specialised journeys by profession (trader, advisor, risk manager)

New Priority Themes

• Deepfakes: Major concern for identity verification and fraud detection

• Payment Fraud: Increasingly sophisticated scenarios

• AI and Emerging Risks: Awareness of new attack vectors

• Resilience: Cyber crisis management, business continuity

Recurring Competition Cadence

• Transition from annual campaigns to a permanent (monthly competitions) rhythm

• Creation of thematic "seasons" (S1 = phishing, S2 = ransomware, etc.)

• Organisation of inter-bank championships with national finals

• Integration into onboarding journeys for new employees

Integration in the Cyber Ecosystem

• Correlation with simulated phishing campaigns (cross results)

• Link with formal cyber training (certifications, MOOCs)

• Feeding individual training plans according to results

• Identification of high potentials for ambassador programmes

Platform Evolutions

Advanced Personalisation

• Adaptive AI adjusting difficulty according to user's level

• Path recommendations based on history and business profile

• Automatic content generation according to threat news

Third-Party Integrations

• SSO with Active Directory / Azure AD simplifying access

• Exports to corporate LMS for centralised training

• APIs for integration in CISO management tools (SIEM, GRC)

Enhanced Gamification

• Badge and achievement system

• Progression paths with unlocked levels

• Collaborative challenges (inter-department teams)

• Tangible rewards (recognised certifications, allocations)

  
  

💡 STRATEGIC ADVICE

The success of a massive awareness initiative rests on 3 pillars: (1) technology that handles load without friction, (2) a communication strategy as developed as the product itself, (3) a pedagogical approach that favours voluntary engagement over forced obligation. Crédit Agricole illustrates this successful triangulation.

Measuring the ROI of a Large-Scale Awareness Initiative

Quantifiable Success Indicators

Engagement Metrics

• Participation rate (% of the target population who have played at least once)

• Number of matches per user (indicator of addiction / recurrence)

• Average session duration (sign of sustained attention)

• Journey completion rate (completion vs abandonment)

Learning Metrics

• Average score progression (demonstration of learning)

• Success rate per theme (gap identification)

• Comparison before/after real phishing campaign (correlation)

• Average resolution time (decision-making speed)

Organisational Metrics

• Coverage by entity (deployment consistency)

• Participation rate by hierarchical level (manager buy-in)

• Geographical distribution (central/regional balance)

• Cost per sensitised collaborator (efficiency)

Cyber Impact Metrics

• Change in click rate on simulated phishing (before/after awareness)

• Number of phishing attempt reports (heightened vigilance)

• Incident detection time (improved responsiveness)

• Regulatory compliance (proof of awareness for audits)

  
  

Return on Investment

Simplified ROI Calculation

Investment :

• SaaS platform licence

• Configuration time (internal + Brain)

• Communication and animation

• = X € over 12 months

Tangible Gains :

• Cyber risk reduction (estimate via probabilistic models)

• Avoidance of traditional training costs (purchased e-learning, in-person sessions)

• IT time savings (automation vs manual management)

• Regulatory compliance (avoidance of penalties)

• = Y € over 12 months

ROI = (Y - X) / X

For Crédit Agricole, with 10,000+ users and 100,000+ matches, the ROI is largely positive from the first year, notably thanks to:

• The measurable reduction in click rate on simulated phishing

• The savings on external training that would have cost several hundred euros per collaborator

• The proven compliance with NIS2/DORA requirements

• The valuation with regulators and clients (trust)

Want to Deploy a Similar Solution?

The Brain Security SaaS platform adapts to organisations of all sizes, from SMEs to multinationals. Short time-to-market, native scalability, advanced reporting.

Next Steps:

• See a 15-minute demo → brainsecurity.io/demo

• Download the complete case study → brainsecurity.io/case-credit-agricole

• Speak with our team to assess suitability for your context