More than just security awareness and training
Ask any managed security service provider (MSSP) and they’ll tell you about the importance of “getting it right” for clients. Securing sensitive information and access is a huge responsibility — a mission Calvin Fuller, director of information security and security operations at DKBinnovative, doesn’t take lightly.
“We have to be the very embodiment of security,” said Calvin. “This is what we stand for at DKBinnovative. MSSPs are a big target for attackers because if the dominoes fall, then clients can potentially fall as well because we have access to their environments. Making sure our own house is secure is fundamental.”
Eyes opened from business email compromise attacks
One of Calvin’s first tasks after taking on security awareness training two years ago was to find a training solution with the reporting he needed to measure results and drive behavior change. Clients were falling victim to business email compromise attacks, and Calvin knew a security awareness and training program would help mitigate risk from email-based attacks like social engineering and phishing.
“Clients were getting hit with business email compromise, and many were just going through the motions on password policies,” said Calvin. “We needed to take action.”
To meet the security awareness shortfall, Calvin used Infosec IQ to spin up a robust new program focused on security culture shift, a consistent training cadence and a reward system to help drive the behavior change needed to keep DKBinnovative’s clients secure. In addition to rolling it out for their clients, Calvin initiated the program internally to protect DKBinnovative’s own employees and assets.
Clients took to the new program quickly and immediately started seeing positive results. A client in the medical field was being targeted especially hard by attackers. After implementing Calvin’s phishing simulation and awareness training program, the client’s phishing click rate dropped from an initial 40% to about 20% and continues to improve.
DKBinnovative’s recipe for security awareness success
Calvin uses a similar training approach for DKBinnovative employees. He attributes his success to:
- Focusing on culture. Reestablish a healthy respect and appreciation for security awareness and training.
- Following a consistent program. A consistent training cadence keeps security awareness top of mind with employees. With that goes reporting and tracking, so those who need follow-up receive immediate education to fill identified knowledge gaps.
- Incentivizing behavior change with rewards. Whether it’s a monthly contest rewarding those not clicking on simulated phishing emails or gift cards for those finishing their training on time, positive reinforcement goes a long way toward keeping employees engaged.
Calvin also leverages the company’s competitive culture to engage employees in the training. “We’re a competitive bunch at DKBinnovative,” said Calvin. “If any of us fall for a fake phishing email, we poke fun at each other. It’s all in good spirits. If someone legitimately isn’t getting it, there’s follow-up education to help them out.”
Calvin uses learner risk scoring inside Infosec IQ to identify employees who are doing well — and also those who might need more help. “When it comes to tracking performance, Infosec IQ makes my life a lot easier,” said Calvin. “I know when everyone completes their security awareness training and who our top performers are — those who report suspicious emails and of course, phishing simulations from PhishSim.”
Saving time, gaining efficiencies
Infosec IQ brought efficiencies on the client side for Calvin, too. Prior to implementing Infosec IQ, clients would report a suspicious email and then the help desk would try to determine if the email was phishing. Now all clients report via PhishNotify and Calvin or another security team member can quickly confirm it, blacklist dozens of bad domains and move on.
“Infosec IQ has been pivotal in helping bring about culture shifts for our clients and internally at DKBinnovative,” said Calvin. “I observe it every day. People now ask questions if an email doesn’t look right. They speak up if they see a colleague leave out a hard drive or be careless with sticky notes. People come forward and say, ‘Hey, I see this thing. I’m not sure that’s okay.’ It’s helped quite a bit.”
DKBinnovative is a Big Phish Award Winner in the 2020 Infosec Inspire Security Awareness Awards. The Big Phish Award recognizes clients with the most advanced phishing training programs. Award-winning programs harness the most powerful tools of persuasion — customization, impersonation and urgency — to teach employees how to avoid even the most devious phishing attacks.
The award was announced during the Inspire Awards ceremony held September 22 during the Infosec Inspire Cyber Skills Virtual Summit. The only event of its kind, Inspire is hyper-focused on the human side of security — equipping cybersecurity leaders with knowledge and insights to develop employee cyber skills, forge their organization’s security culture and make a lasting impact.