Making the case for security awareness and training
When E-J Electric Installation Co. opened its doors in 1899, the electrical industry was in its infancy. Providing the power to run computers, much less combating cybersecurity threats, wasn’t even a distant thought. Of course, all that’s changed since, and the oldest independent electrical contractor in the U.S. now manages employee security awareness training with the same energy it brought to projects at JFK International Airport, the new Yankee Stadium and the United Nations building.
A 20-year IT veteran, IT and facilities manager William Natal has led the company’s awareness and training program for the past two years. While threats like phishing and ransomware drove initial development of the program, William continues to build and refine training to help combat a variety of security threats targeting E-J Electric Installation Co. staff and partners.
“After seeing partners and clients fall victim to phishing, our CEO made security awareness and training a priority,” said William. “Everyone is aware of security threats like phishing and their accompanying risks now.”
Educating employees in the office and in the field
While first setting up E-J’s awareness program, William faced many of the same challenges seen at other large companies with diverse, widespread teams. Its workforce is a combination of on-site and in-the-field employees with many different skill sets and levels of system access. Persistence, patience and strong support from leadership helped get the whole team on board.
After bringing in Infosec IQ, William kicked off the program by first assessing the company’s phishing susceptibility rate with a simulated phishing campaign. The number of employees who clicked the fake phishing emails was higher than he’d hoped, but it gave him a solid starting point and direction for the campaign.
It’s not just about what we do at work. We want our staff to take this knowledge home and apply it to their personal lives.
In an all-hands staff meeting following his program launch, William successfully painted a picture of the current cybersecurity threat landscape to E-J Electric employees. He described phishing emails and how they work, social engineering and business email compromise. He also covered how these same threats impact not only the company, but employees’ home networks as well.
“Sharing how security awareness goes beyond just email security did a lot to gain buy-in from our team,” William said. “We explained how bad actors are trying to attack our infrastructure, our IP, our clients, partners and vendors. But we also wanted them to take this knowledge home and apply it to their personal lives. We told them, ‘Hey, this is the kind of risk you face if you’re not paying attention to these things. It’s not just about what you do at work.’”
Using data to improve the program, results and company culture
In two short years, William has built security awareness training up from the ground floor to what is now a steady, results-driven program embraced by the company. Awareness training is shared monthly and phishing simulation campaigns are sent quarterly. At E-J Electric Installation Co., security awareness is a year-round initiative and is quickly becoming an important part of the organization’s culture.
William stays on top of the latest risks and trends with insights from various boards, threat intelligence and his Infosec client success manager. He shares that information with company managers at meetings and through a regular cadence of emails to employees. The WORKed and Need to Know awareness training video series resonate especially well with employees. In the future, William is looking to further incentivise the security awareness program by adding a reward system to celebrate top performers.
“It’s gratifying when security becomes a regular topic of conversation,” said William. “Employees often submit emails to IT now with security concerns. E-J has always been a leader in job safety. In many ways, we’re becoming a leader in security, too.”
E-J Electric Installation Co. is a Big Phish Award finalist in the 2020 Infosec Inspire Security Awareness Awards. The Big Phish Award recognizes clients with the most advanced phishing training programs. Award-winning programs harness the most powerful tools of persuasion — customization, impersonation and urgency — to teach employees how to avoid even the most devious phishing attacks.
The award was announced during the Inspire Awards ceremony held September 22 during the Infosec Inspire Cyber Skills Virtual Summit. The only event of its kind, Inspire is hyper-focused on the human side of security — equipping cybersecurity leaders with knowledge and insights to develop employee cyber skills, forge their organization’s security culture and make a lasting impact.