Security education with heart

As the Director of Information Technology, Mike leads the charge to help staff and the families they serve to stay safe from threats like phishing and ransomware. With the increasing number of cyberattacks on healthcare and community center systems, he wanted to make sure they had the right tools to stay ahead, said Mike.

To help put the entire Children’s Center on the front foot, he partnered with the Infosec team to implement a full-scale cybersecurity awareness program giving staff the knowledge and tools they need to detect and report possible threats, whether it be at work or at home. While many organizations scaled back on these efforts during the pandemic, Mike’s team scaled them further to mitigate the new risks that emerged.

In the theme of being proactive, Mike’s team already had the Children’s Center’s infrastructure 90% in the cloud before the pandemic.

“With the onset of COVID-19, it was all about us setting up that other 10% as quickly as possible. We also had to shift our approach and planned a security training schedule to accommodate our new remote staff. We developed a different plan right away to incorporate more training on using offsite devices, using Wi-Fi outside our center and also ramped up our phishing tests,” said Mike.

In addition to these challenges, the system, like many education and healthcare providers, faced new cybersecurity demands related to increased staff turnover and employee onboarding.

“We had to make sure that people were up to date when they came on board. This meant creating new, special training for short-term staff like interns, and new onboarding training for those less familiar with our organization,” said Mike.

In the first three months of 2022 alone, they’ve already hired 50 new staff. Each new staff member goes through new hire training designed to give them a strong foundation of security awareness and then targeted role-specific training.

“Jordan notified me right away about pandemic-related training and emerging threats so I could be on my game and adapt my training. I kept an eye on what was happening with current events as the pandemic progressed so I could modify and roll out relevant training. The regularly updated content from Infosec helped keep my staff engaged despite the difficult landscape, which really helped with buy-in,” said Mike.

The true secret to the team’s ability to quickly overcome these challenges the pandemic threw their way was staying adaptable, being proactive and customizing training and processes. “There’s no one-size-fits-all when it comes to security,” said Mike.

No matter how engaging a security training program is, motivating learners to practice good cyber habits and hygiene continues to be a key challenge.

To help get St. Catherine’s employees engaged at every level of the organization, Mike takes a tailored approach. His team incents program participation and completion with gift cards and prize drawings to complete their training and switches up training video modules to keep things fresh and relevant.

“Employees tell me all the time they weren’t aware of the cyber threats we’re teaching them about. It’s been amazing to hear how consistent security awareness training has opened their eyes,” said Mike. “I’m a big believer that if you teach people in a way that’s engaging, it helps them at both work and home.”

For employees still having issues detecting phishing simulations, more commonly known as repeat offenders, or avoiding their ongoing training altogether, the St. Catherine’s team has opted for a similar human approach.

“I like to speak to these people one on one to really understand what’s going on. Sometimes they don’t have access to the proper technology or mechanisms. Our goal isn’t to get them in trouble, but to help them understand the risks instead,” said Mike.

Mike’s team also uses this tailored approach to maintain leadership buy-in and engagement, setting up consistent communication channels to update executive leaders. “We don’t just share the metrics, we also show them the Infosec IQ platform and what we’re doing. I use the reporting feature to build Executive, Phishing and AwareEd dashboards, along with Learner reports showing how we are doing as an agency. We walk through what’s working, where the trends are and what we can do better next time.”