How Snow College created a culture of security using Infosec IQ

With an IT and security background in the financial services industry, Paul brought a business mindset to Snow College.

“I was hired to do many things, but view security awareness and training as one of my key roles here,” said Paul. “We spend money on firewalls and protective hardware, but it only takes one click from a non-aware staff and faculty member to possibly circumvent our security infrastructure efforts.”

Despite obvious security risks at the employee level, some security practitioners still find it hard to justify running a security awareness program. To Paul, security awareness and training shouldn’t be viewed as an add-on expense, but rather a vital layer of your security strategy.

“One breach caused by one staff or faculty member can costs exponentially more than the small investment required to train up your people,” explained Paul. “Companies invest heavily to build a good brand, which can quickly be torn down by one security breach. If you talk about it that way, then security awareness and training becomes a no-brainer.”

Building a cyber-aware staff and faculty starts with a commitment to security awareness, but implementing an effective security awareness program takes more than just goal setting. It takes commitment from every member of the organization. For Paul, this starts at the top.

“I learned that in business, you can want it all you want, but unless upper management supports your efforts, employees are going to find ways around your training,” said Paul. “I actually write up what I want the senior leadership to send out to their employees.”

By enlisting the leadership team and having them directly endorse his security efforts, Paul is getting more than top-down approval. He’s also getting a tool to help emphasize the importance of his security efforts and a mechanism to spread awareness to each individual employee.

Paul uses Infosec IQ to deliver security awareness training and run phishing simulations for approximately 500 employees at Snow College. With the help of Infosec IQ, Snow College has cut its phishing rate in half.

“I get a lot of emails that I never received before the training. People ask me, “Is this a phish? Is this a phish? How do I recognize a phish?” I mean I get literally 10 to 20 a week, which means people are waking up to the risks of their email and how to protect their passwords,” said Paul.

Paul also uses dynamic learner groups to move employees to specific groups based on their performance in his phishing simulations. This gives him the opportunity to distribute additional training to his most risk-prone staff and faculty.

“I think it’s fun and people say they think it’s fun. That is, until they click on a link, get hooked and the system tells them they’ve fallen for a phishing email,” said Paul.

Even with a background in a heavily regulated banking industry, Paul believes security awareness should be built into the culture of an organization rather than driven by compliance.

“It’s not really a checkbox for me. Security awareness is a way of life,” said Paul. “It’s a culture that I’m trying to develop here, and I think I’ve been successful with help from tool sets like Infosec IQ.”