Security is everyone’s job at Concord Technologies

Lzbeth: It’s something I manage myself. I set it up initially and it just goes by itself, so we don’t need a lot of resources to manage the program.

We have about 150 geographically dispersed employees at Concord. Training has become much more effective and efficient because phishing training in Infosec IQ is already adapted for employees in different locations and regions.

Lzbeth: It’s ongoing. And I like to use random simulations so employees see and experience a wide range of phishing attacks. It helps us all stay sharp.

Lzbeth: I ran a baseline campaign to establish phishing vulnerability across the organization. It wasn’t a big surprise for me because I’ve come across this at other organizations, but I found that every employee — regardless of their role or level of technical expertise — was susceptible to phishing. It was definitely a surprise to some of the technical teams. They really thought they had all the security training they ever needed.

But nobody took it as a bad thing. Everyone understands they need to stay sharp and always vigilant on the cybersecurity front. So those few who needed a refresh rolled up their sleeves and really dug into the training. All of them are now glad they did.

Lzbeth: One of the main benefits is that we now receive way more phishing reports from our workforce. Before we deployed PhishNotify™, employees would forget to send emails, delete the email or send it to the wrong department. So the reporting was not very reliable.

But once we added the PhishNotify button, we received very reliable and consistent reports from people both technical and not technical at all. We now have finance, accounting and even sales representatives using the reporting button a lot.

Lzbeth: Oh yes. We have not had any malware infections.

Lzbeth: We provide training not only to our internal employees but also to some of our vendors and individual partners that lack the time or resources for a comprehensive training program. And we do this at no cost.

We developed a vendor security program where vendors either sign off if they already have security training, or they go through PowerPoint materials that we provided. We decided to take it a step further and opened up our training program for those vendors that wished to join. This is definitely of mutual benefit for both parties.

Instead of relying on contracts, penalties and constant audits, doing the Infosec IQ training provides assurance that vendors are being trained on curriculum that is relevant. It satisfies our security standards and it allows me and our legal counsel to sleep better at night. We know that we are doing our best for not only Concord and our clients, but also helping some of our vendors and individual partners who may not have the resources to concentrate on security training.

Lzbeth: They responded positively because not only was the training and learning a benefit, it also helped them realize where their awareness strengths and weaknesses were within their workforces.

Lzbeth: There are a couple things I’ve seen change. People are more serious now about locking their computers, but in a fun way. If someone leaves their desk and doesn’t lock their computer, people jokingly call them out on it. They are joking, but at the same time it’s recognized as a serious thing. Nobody wants to be laughed at, so everyone locks their computers now.

I’ve seen other improvements, too. Badging in and out of the office is another behavior that people are really aware of now. We don’t see numerous people coming in at the same time under one person’s badge. This wasn’t a problem before, but people are more conscious about it now.

Some of the phishing simulations from Infosec are quite clever and are easy to miss — even for those highly trained on all kinds of phishing. Our focus in not on being punitive, but reinforcing training on the spot — especially when someone makes a phishing training mistake. We now have technical and non-technical individuals asking more questions on phishes and getting more interested in security in general, which further solidifies Concord’s security posture.

Infosec IQ really helped us in achieving what we’re looking to achieve. And the benefits are in the increased awareness and confidence. The training is not intrusive and it’s easy to use.