Security is everyone’s job at Concord Technologies
Whether it’s winning awards or its customers’ trust, cybersecurity at Concord Technologies is foundational to its success in managing high volumes of documents.
Located in Seattle, Washington, Concord Technologies helps healthcare organizations and other highly regulated industries automate their manual and document-intensive processes. It’s no small wonder a company that delivers more than a billion healthcare documents every year has security front of mind.
Lzbeth Malig, Director of Infosec and Compliance at Concord, leverages the company’s employee security awareness and anti-phishing program to keep Concord employees and their network of vendors more than a step ahead of cybercrime. We sat down with Lzbeth to learn how her award-winning program helped the company create a culture of security — and avoid all malware infections — since deploying the training.
Managing a security awareness and training program isn’t easy. Do you manage your program on your own?
Lzbeth: It’s something I manage myself. I set it up initially and it just goes by itself, so we don’t need a lot of resources to manage the program.
We have about 150 geographically dispersed employees at Concord. Training has become much more effective and efficient because phishing training in Infosec IQ is already adapted for employees in different locations and regions.
How often do you run phishing simulation campaigns?
Lzbeth: It’s ongoing. And I like to use random simulations so employees see and experience a wide range of phishing attacks. It helps us all stay sharp.
In the early stages of running your program, you discovered something interesting about your workforce. Tell me about that.
Lzbeth: I ran a baseline campaign to establish phishing vulnerability across the organization. It wasn’t a big surprise for me because I’ve come across this at other organizations, but I found that every employee — regardless of their role or level of technical expertise — was susceptible to phishing. It was definitely a surprise to some of the technical teams. They really thought they had all the security training they ever needed.
But nobody took it as a bad thing. Everyone understands they need to stay sharp and always vigilant on the cybersecurity front. So those few who needed a refresh rolled up their sleeves and really dug into the training. All of them are now glad they did.
Have there been any other unexpected benefits from the program?
Lzbeth: One of the main benefits is that we now receive way more phishing reports from our workforce. Before we deployed PhishNotify™, employees would forget to send emails, delete the email or send it to the wrong department. So the reporting was not very reliable.
But once we added the PhishNotify button, we received very reliable and consistent reports from people both technical and not technical at all. We now have finance, accounting and even sales representatives using the reporting button a lot.
Have you noticed any reductions in security incidents since starting the training?
Lzbeth: Oh yes. We have not had any malware infections.
Why did you choose to extend training to your vendor network?
Lzbeth: We provide training not only to our internal employees but also to some of our vendors and individual partners that lack the time or resources for a comprehensive training program. And we do this at no cost.
We developed a vendor security program where vendors either sign off if they already have security training, or they go through PowerPoint materials that we provided. We decided to take it a step further and opened up our training program for those vendors that wished to join. This is definitely of mutual benefit for both parties.
Instead of relying on contracts, penalties and constant audits, doing the Infosec IQ training provides assurance that vendors are being trained on curriculum that is relevant. It satisfies our security standards and it allows me and our legal counsel to sleep better at night. We know that we are doing our best for not only Concord and our clients, but also helping some of our vendors and individual partners who may not have the resources to concentrate on security training.
How did your vendors respond to the training?
Lzbeth: They responded positively because not only was the training and learning a benefit, it also helped them realize where their awareness strengths and weaknesses were within their workforces.
Since beginning the program, have you noticed any differences in the culture at Concord?
Lzbeth: There are a couple things I’ve seen change. People are more serious now about locking their computers, but in a fun way. If someone leaves their desk and doesn’t lock their computer, people jokingly call them out on it. They are joking, but at the same time it’s recognized as a serious thing. Nobody wants to be laughed at, so everyone locks their computers now.
I’ve seen other improvements, too. Badging in and out of the office is another behavior that people are really aware of now. We don’t see numerous people coming in at the same time under one person’s badge. This wasn’t a problem before, but people are more conscious about it now.
Some of the phishing simulations from Infosec are quite clever and are easy to miss — even for those highly trained on all kinds of phishing. Our focus is not on being punitive, but reinforcing training on the spot — especially when someone makes a phishing training mistake. We now have technical and non-technical individuals asking more questions on phishes and getting more interested in security in general, which further solidifies Concord’s security posture.
Infosec IQ really helped us in achieving what we’re looking to achieve. And the benefits are in the increased awareness and confidence. The training is not intrusive and it’s easy to use.