St. Catherine’s Children’s Center, based in Albany, NY, offers a comprehensive range of human services for Capital Region children and families coping with issues of abuse, neglect, mental illness, homelessness, and trauma. In addition to offering extensive services to the homeless and those who are at risk of becoming homeless, St. Catherine’s offers residential services for children ages 5 to 13, therapeutic foster care services, an elementary school for children with special educational needs, and community-based prevention services and programs designed to strengthen vulnerable families. Last year, St. Catherine’s services reached nearly 2,000 children and families in the Capital Region.
If you’re not looking ahead in IT and security, you’re already behind.
Mike Urbanski lives this mantra in his everyday work leading a team of IT professionals responsible for securing the sensitive data of 350 staff and hundreds of children and families at St. Catherine’s Center for Children in Albany, New York.
While much has changed in community centers and security since the onset of the global pandemic and rising cyber attacks on care centers, one thing that remains is Mike’s focus on adopting the latest strategies to stay ahead of cyber threats.
“I was leading security and awareness training before any type of training software or phishing simulator was available. I’m all about being proactive, and needed to be sure we’re putting ourselves ahead of potential problems,” said Mike.
As the Director of Information Technology, Mike leads the charge to help staff and the families they serve to stay safe from threats like phishing and ransomware. With the increasing number of cyberattacks on healthcare and community center systems, he wanted to make sure they had the right tools to stay ahead, said Mike.
To help put the entire Children’s Center on the front foot, he partnered with the Infosec team to implement a full-scale cybersecurity awareness program giving staff the knowledge and tools they need to detect and report possible threats, whether it be at work or at home. While many organizations scaled back on these efforts during the pandemic, Mike’s team scaled them further to mitigate the new risks that emerged.
Today, his team manages the everyday challenges that come with the COVID-19 pandemic including new phishing emails taking advantage of the pandemic like fake vaccine registrations, fraudulent charities and unemployment scams asking people to click links to malicious
By focusing on proactive security awareness and training to help mitigate risk, his team has improved St. Catherine’s Children’s Center’s security posture despite what circumstances come their way.
Rising to the cybersecurity challenges of COVID
In the theme of being proactive, Mike’s team already had the Children’s Center’s infrastructure 90% in the cloud before the pandemic.
“With the onset of COVID-19, it was all about us setting up that other 10% as quickly as possible. We also had to shift our approach and planned a security training schedule to accommodate our new remote staff. We developed a different plan right away to incorporate more training on using offsite devices, using Wi-Fi outside our center and also ramped up our phishing tests,” said Mike.
In addition to these challenges, the system, like many education and healthcare providers, faced new cybersecurity demands related to increased staff turnover and employee onboarding.
We had to make sure that people were up to date when they came on board.
“We had to make sure that people were up to date when they came on board. This meant creating new, special training for short-term staff like interns, and new onboarding training for those less familiar with our organization,” said Mike.
In the first three months of 2022 alone, they’ve already hired 50 new staff. Each new staff member goes through new hire training designed to give them a strong foundation of security awareness and then targeted role-specific training.
“We have so many different departments who handle all different kinds of data and have different types of access – so they all need specialized training. For example, our nurses need specific training for handling health data, we have other teams managing personal and government data that need special training and our executives also get tailored training so they understand threats unique to their role,” said Mike.
When the pandemic picked up, Mike also looked to Infosec for help beyond their platform. “The dedication of the Infosec team and their ability to stay ahead and keep me engaged with new ideas and approaches [was] really important.” Working with Infosec’s customer success team, St. Catherine’s was able to continue putting out new and timely security training for employees.
“Jordan notified me right away about pandemic-related training and emerging threats so I could be on my game and adapt my training. I kept an eye on what was happening with current events as the pandemic progressed so I could modify and roll out relevant training. The regularly updated content from Infosec helped keep my staff engaged despite the difficult landscape, which really helped with buy-in,” said Mike.
The true secret to the team’s ability to quickly overcome these challenges the pandemic threw their way was staying adaptable, being proactive and customizing training and processes. “There’s no one-size-fits-all when it comes to security,” said Mike.
Changing the security culture script
No matter how engaging a security training program is, motivating learners to practice good cyber habits and hygiene continues to be a key challenge.
To help get St. Catherine’s employees engaged at every level of the organization, Mike takes a tailored approach. His team incents program participation and completion with gift cards and prize drawings to complete their training and switches up training video modules to keep things fresh and relevant.
More recently, Mike’s team put learners in the driver’s seat with Infosec’s new Choose Your Own Adventure® Security Awareness Games. The games help employees learn by doing through interactive storylines that foster critical thinking and decision-making for common, but risky, security behaviors like joining unsecured Wi-Fi networks and oversharing on social media.
Not only has the approach increased the number of training completions, but employees regularly mention the training to him and ask security questions.
“Employees tell me all the time they weren’t aware of the cyber threats we’re teaching them about. It’s been amazing to hear how consistent security awareness training has opened their eyes,” said Mike. “I’m a big believer that if you teach people in a way that’s engaging, it helps them at both work and home.”
For employees still having issues detecting phishing simulations, more commonly known as repeat offenders, or avoiding their ongoing training altogether, the St. Catherine’s team has opted for a similar human approach.
I’m a big believer that if you teach people in a way that’s engaging, it helps them at both work and home.
“I like to speak to these people one on one to really understand what’s going on. Sometimes they don’t have access to the proper technology or mechanisms. Our goal isn’t to get them in trouble, but to help them understand the risks instead,” said Mike.
Mike’s team also uses this tailored approach to maintain leadership buy-in and engagement, setting up consistent communication channels to update executive leaders. “We don’t just share the metrics, we also show them the Infosec IQ platform and what we’re doing. I use the reporting feature to build Executive, Phishing and AwareEd dashboards, along with Learner reports showing how we are doing as an agency. We walk through what’s working, where the trends are and what we can do better next time.”
Mike plans to continue his history of being proactive and taking a human-first approach to security. In 2022, he has big plans for expanding his role-based training programs and assessments.
For others building their security awareness and training programs or facing the many security challenges in today’s healthcare and community systems, his advice is, “test every campaign you create on yourself first. Walk side-by-side with your staff to understand their engagement or fears when it comes to learning about cybersecurity. Last but not least, make everything as enjoyable as possible to create ‘buy-in’ for your agency.”