Scalable awareness training: How Amway uses Infosec IQ to train 18,000 global learners
Based in Ada, Michigan, Amway is a family-owned, $8.8 billion direct selling company that operates in more than 100 countries and territories. With more than 15,000 employees and 780 patents, it’s easy to see why an effective cybersecurity strategy is critical to Amway’s continued success.
Amway’s purpose is to help people to live better, healthier lives. That purpose, according to Information Security Specialist Dan Teitsma, includes keeping Amway employees’, contractors’ and clients’ data safe from malicious actors. We sat down with Dan to learn how the company uses Infosec IQ awareness and training to keep employees vigilant about cybersecurity threats and the data at Amway secure.
Building a scalable awareness and training program with Infosec IQ
After spending more than three decades in project management-related roles in Amway’s customer service, finance, marketing and product development areas, Dan joined the cybersecurity team three years ago as an Information Security Specialist and Program Manager. Dan knew a strong cybersecurity strategy was critical to maintaining client trust and welcomed the opportunity to help the company keep its data and reputation secure.
“If you go back 10 years and look at major headlines affecting our industry, it’s easy to see how big of an impact cybersecurity can have on business success,” said Dan. “Especially in terms of public relations and company reputation. Following sound cybersecurity practices is critical, and I wanted to be a part of that effort.”
Within the last five years, the Amway cybersecurity team has grown from a few employees to a global team of approximately 50 individuals. Over the last two years, Dan has been working with his cybersecurity colleagues to revamp Amway’s security awareness and training program.
“Amway’s employee training program has really evolved and grown over the past five years,” said Dan. “We did some in-person training and supplemented it with training from our internal learning management system, but we needed a resource to help us scale and mature the program over time.”
After evaluating other vendors, Dan and his team selected Infosec IQ as their awareness and training platform and launched their first global training campaign to approximately 18,000 learners in 2019.
“We wanted to significantly raise the bar in terms of employee security awareness and make sure all employees were doing everything in their power to help protect our company from security threats,” said Dan. “Leveraging a tool like Infosec IQ to reach all our employees and contractors worldwide was a big step for us.”
Using automation, quality content to boost employee awareness
While evaluating security awareness and training solutions, Dan and his team knew they needed a solution that could deliver the right training to the right person at the right time — while also scaling to the regional needs of their global workforce.
“Automation was really important to us,” said Dan. “We selected Infosec IQ because of the overall functionality of the platform. We can design courses to our specifications and schedule training campaigns to run automatically — including sending learner notifications, tracking training progress and reporting important metrics to stakeholders.”
In addition to automating delivery of a global program, Dan wanted a solution that delivered quality content localized to Amway employees in whatever country they may work. “The content itself was really important,” said Dan. “We needed to cover all the important security topics, while also delivering that information in a way that was easy to retain. Our goal is to both educate employees and influence their behavior.”
18,000 learners, 90% training completion rate
Amway’s first employee awareness campaign was a success. “We delivered our first Infosec IQ campaign to more than 18,000 learners,” said Dan. “About 90% of Amway employees completed the training and the response to the content was positive. We’ve seen a positive trend as far as what people feel about the training, the topics that are being covered and how we’re delivering the training. We’re trending in a positive way.”
Dan and his team also use offline training resources like posters to supplement computer-based training from Infosec IQ and ensure important security lessons stick. “Employee awareness training has many facets,” said Dan. “If you’re really going to increase awareness and motivate behavior change, you need to deliver content in different ways. It’s important to reinforce your messaging and keep awareness content in front of your employees.”
“If you said to me, ‘You have to do either the facilitator-led training or the computer-based training, but you can’t do both,’ I would say, ‘We need to continue computer-based training.’ It’s more scalable, and that’s important at large organizations like ours.”
Using qualitative and quantitative metrics to drive behavior change
Dan uses a combination of qualitative and quantitative metrics to track training impact over time. He gathers this data from employee surveys, focus groups and the Infosec IQ platform.
“We’ve significantly increased awareness and have different metrics to measure that,” said Dan. “Part of it is how people are performing on phishing tests. Part of it is based on surveys. We also look at the feedback we get from Infosec IQ training modules and Amway’s facilitator-led training.”
Dan’s team uses surveys to help tailor training delivery to the ways his employees like to learn, as well as to evaluate the overall effectiveness of the program’s content. “We ask employees for feedback on things they like about the training and things they didn’t like about the training,” said Dan. “We also ask about the content itself — if it was relevant to them, or how important they felt the information was to them personally and professionally.”
Dan plans to use focus groups in the future to further evaluate the effectiveness of his awareness program and make sure he’s driving the behavior change needed for long-term cultural change. What Dan is seeing now, however, is promising.
“We’ve reached a point where many people ask when our next training starts and if they can participate in additional training,” said Dan. “We’ve significantly increased awareness overall and are starting to see a shift in culture. Employees understand the importance of information security and are playing a much more active role in keeping our data secure.”
Advice for other program managers: keep it simple
When asked what advice he has for other organizations embarking on their first employee awareness and training initiative, Dan recommends keeping things simple. “Don’t try to do too much all at once,” said Dan. “Prioritize what training topics are most important to your business and select a tool that allows you to effectively deliver that training to the most people possible.”
As for the employee learning experience, Dan reiterates the need to keep things simple — especially when delivering training for the first time. “Make it easy for employees to participate in the training. Determine what topics and content you think are most critical for your organization to learn about and find ways to make that content as relevant to your employees as possible.”