Culture is key: How a healthcare services provider dropped its phishing susceptibility rate by 80%
- Client: Healthcare services provider
- Organization size: 1,200 employees
- Capabilities used: PhishSim, AwareEd
- Results: Implemented the organization’s first security awareness and training program and reduced employee phishing susceptibility rate from 54% to 10%
Hospital Central Services, Inc. & Affiliates (HCSC) operates multiple for- and non-profit divisions providing services for hospitals, emergency care centers and healthcare providers. HCSC’s Senior IT Director David Camardella identified the need for employee cybersecurity training and launched the organization’s first security awareness and training program.
In this Q&A, we asked David to share the methods and strategies he used to drop employee phishing susceptibility at HCSC to just 10%.
Why did you start your security awareness and training program?
David: Security awareness has always been a challenge here. We’ve noticed an increase in phishing and needed a way to provide continuous education to our end users and internal customers. Our phish rate was around 54% during a pilot run. We’ve made several investments over the last couple of years with respect to hardening our endpoints and increasing our web filtering. These tools have helped, but the missing piece was employee training. That’s why we kicked off a company-wide security awareness program.
Did the decision to run a security awareness program come from the executive team, IT department or from someone else?
David: The idea came from within the IT team. We were getting a lot of questions from our customers asking if emails were legitimate or scams. We even had some near-misses that we caught just in time. We realized there was a need for additional education around these topics.
We can buy the best technology in the world and use the best firewalls and filters, but we’re never going to be 100% secure. Our employees will always represent some level of risk so we need to invest in continuously educating them. We provided examples to the executive team and demonstrated the risk to the organization as a means to secure a budget for security awareness and training.
What were you looking for in a security awareness and training tool?
David: Doing face-to-face training is difficult and time consuming. We have a lot of projects running at any given time with only about 11 people in IT supporting 10 physical locations throughout the Pennsylvania, New Jersey and Maryland areas. We’re spread pretty thin.
I wanted a tool with automation capabilities. I tried out Infosec IQ and saw immediate value. I needed something that required little time investment. Once you set up the product, it’s virtually hands off. If employees make a mistake and click on something, they are immediately educated on what they did wrong and how they can avoid the same mistake in the future.
How do you manage your learners within Infosec IQ?
David: I set up the Active Directory sync to pull in my active user accounts. This is great because if you remove users from Active Directory, the learner profile is also updated.
How did you roll out your security awareness and training program?
David: I rolled out three or four campaigns and saw progress immediately. After every campaign, our phish rate was almost cut in half. Within a year we got our phish rate down from 54% to 10%. I used a lot of the pre-built phishing templates, but I also customized several templates to be more relevant for employees. I try to create templates that our employees are more likely to click on. It has been very effective.
How do you use campaign analytics and data?
David: I present reports to stakeholders to share progress and gather feedback. I typically run a report showing the phish rate and compliance score for training as well as a trend line that shows employee progress and improvement over time.
Do employees like the training content?
David: They like the content and the style. It turned security into a talking point around the office. We kept hearing, “Hey, are you guys phishing me again?” We would even hear employees joking about avoiding phishing simulations. It’s working and we have definitely seen an improvement in awareness and culture.
What advice would you give to someone exploring solutions or deciding whether or not to launch their first security awareness program?
David: To be effective, know your population base. Understand your employees’ and your organization’s willingness and openness to training. Then you can cater your training to them. It’s also important to know the types of communications coming in and going out of your organization every day. For example, if you don’t use FedEx, don’t send FedEx simulations. You can use your existing business processes and relationships to tailor your phishing simulations and provide the most effective training.
Would you recommend Infosec IQ to your peers?
David: Absolutely. The main benefit is the ease of use. As the person responsible for configuring the account and building training campaigns, there’s not a whole lot of work involved.