Culture is key: How a healthcare services provider dropped its phishing susceptibility rate by 80%

David: Security awareness has always been a challenge here. We’ve noticed an increase in phishing and needed a way to provide continuous education to our end users and internal customers. Our phish rate was around 54% during a pilot run. We’ve made several investments over the last couple years with respect to hardening our endpoints and increasing our web filtering. These tools have helped, but the missing piece was employee training. That’s why we kicked off a company wide security awareness program.

David: The idea came from within the IT team. We were getting a lot of questions from our customers asking if emails were legitimate or scams. We even had some near-misses that we caught just in time. We realized there was a need for additional education around these topics.

We can buy the best technology in the world and use the best firewalls and filters, but we’re never going to be 100% secure. Our employees will always represent some level of risk so we need to invest in continuously educating them. We provided examples to the executive team and demonstrated the risk to the organization as a means to secure a budget for security awareness and training.

David: Doing face-to-face training is difficult and time consuming. We have a lot of projects running at any given time with only about 11 people in IT supporting 10 physical locations throughout the Pennsylvania, New Jersey and Maryland areas. We’re spread pretty thin.

I wanted a tool with automation capabilities. I tried out Infosec IQ and saw immediate value. I needed something that required little time investment. Once you set up the product, it’s virtually hands off. If employees make a mistake and click on something, they are immediately educated on what they did wrong and how they can avoid the same mistake in the future.

David: I set up the Active Directory sync to pull in my active user accounts. This is great because if you remove users from Active Directory, the learner profile is also updated.

David: I rolled out three or four campaigns and saw progress immediately. After every campaign, our phish rate was almost cut in half. Within a year we got our phish rate down from 54% to 10%. I used a lot of the pre-built phishing templates, but I also customized several templates to be more relevant for employees. I try to create a templates that our employees are more likely to click on. It has been very effective.

David: I present reports to stakeholders to share progress and gather feedback. I typically run a report showing the phish rate and compliance score for training as well as a trend line that shows employee progress and improvement over time.

David: They like the content and the style. It turned security into a talking point around the office. We kept hearing, “Hey, are you guys phishing me again?” We would even hear employees joking about avoiding phishing simulations. It’s working and we have definitely seen an improvement in awareness and culture.

David: To be effective, know your population base. Understand your employees’ and your organization’s willingness and openness to training. Then you can cater your training to them. It’s also important to know the types of communications coming in and going out of your organization every day. For example, if you don’t use FedEx, don’t send FedEx simulations. You can use your existing business processes and relationships to tailor your phishing simulations and provide the most effective training.