How Snow College Created a Culture of Security Awareness Using Infosec IQ
Snow College is a state college located in Ephraim, Utah. Like all higher education institutions, Snow College faces security challenges related to student data, financial information and personal records. To protect the data privacy of its students, staff and faculty, Snow College deployed security awareness training to teach faculty and staff how to detect, avoid and report security threats facing the school.
Snow College’s Information Security Officer Paul Tew spoke with us about his security awareness philosophy and how Infosec IQ has helped cut Snow College’s phish rate in half.
The True Costs of Security Risk and Awareness Training
With an IT and security background in the financial services industry, Paul brought a business mindset to Snow College.
“I was hired to do many things, but view security awareness and training as one of my key roles here,” said Paul. “We spend money on firewalls and protective hardware, but it only takes one click from a non-aware staff and faculty member to possibly circumvent our security infrastructure efforts.”
Despite obvious security risks at the employee level, some security practitioners still find it hard to justify running a security awareness program. To Paul, security awareness and training shouldn’t be viewed as an add-on expense, but rather a vital layer of your security strategy.
“One breach caused by one staff or faculty member can cost exponentially more than the small investment required to train up your people,” explained Paul. “Companies invest heavily to build a good brand, which can quickly be torn down by one security breach. If you talk about it that way, then security awareness and training becomes a no-brainer.”
Beyond Endorsement: Leveraging Board-Level Buy-in for Engagement
Building a cyber-aware staff and faculty starts with a commitment to security awareness, but implementing an effective security awareness program takes more than just goal setting. It takes commitment from every member of the organization. For Paul, this starts at the top.
“I learned that in business, you can want it all you want, but unless upper management supports your efforts, employees are going to find ways around your training,” said Paul. “I actually write up what I want the senior leadership to send out to their employees.”
By enlisting the leadership team and having them directly endorse his security efforts, Paul is getting more than top-down approval. He’s also getting a tool to help emphasize the importance of his security efforts and a mechanism to spread awareness to each individual employee.
Driving a Security Culture Shift to Inspire Behavioral Change
Paul uses Infosec IQ to deliver security awareness training and run phishing simulations for approximately 500 employees at Snow College. With the help of Infosec IQ, Snow College has cut its phishing rate in half.
“I get a lot of emails that I never received before the training. People ask me, ‘Is this a phish? Is this a phish? How do I recognize a phish?’ I mean I get literally 10 to 20 a week, which means people are waking up to the risks of their email and how to protect their passwords,” said Paul.
Paul also uses dynamic learner groups to move employees to specific groups based on their performance in his phishing simulations. This gives him the opportunity to distribute additional training to his most risk-prone staff and faculty.
“I think it’s fun and people say they think it’s fun. That is, until they click on a link, get hooked and the system tells them they’ve fallen for a phishing email,” said Paul.
Even with a background in the heavily regulated banking industry, Paul believes security awareness should be built into the culture of an organization rather than driven by compliance.
“It’s not really a checkbox for me. Security awareness is a way of life,” said Paul. “It’s a culture that I’m trying to develop here, and I think I’ve been successful with help from tool sets like Infosec IQ.”