Inspire Award finalist LDSCO fights phishing with group learning
Houston-based Loren D. Stark Company helps Texas, Louisiana and Oklahoma businesses create and maintain employee retirement plans. The trusted 105-year-old company employs 100+ actuaries, attorneys, consultants and other financial specialists. Learn how the company’s unique approach to security awareness and training helps it protect the sensitive data of its staff and clients.
Keeping security awareness training fun with a group-learning format
When deciding on a security awareness training and education program, Loren D. Stark Company’s (LDSCO) network and desktop administrator Jimmy Cantu Jr. broke free of traditional training models and designed a strategy focused on group learning, discussion and most importantly, fun.
In a few short years, Jimmy’s approach to training helped drive the company’s initial phishing susceptibility rate of 20% to below 5%. The rate of suspicious emails reported through PhishNotify is at an impressive all-time high, averaging 47%.
“We have a collaborative workforce, so training in small groups feels right for us,” Jimmy said. “We have great discussions. If anyone has questions we talk through them instead of lecturing in front of the group. It definitely feels more participatory.”
Here’s how they do it
LDSCO’s brilliance is in the program’s simplicity. Jimmy creates groups of 10 to 12 employees and schedules group training sessions once a month. In the hour-long sessions they discuss the latest threats and trends in cybersecurity, watch an awareness video from the Need to Know or WORKed series and discuss the video content together. After COVID-19 struck, training continued through an online meeting platform.
Group training includes assessments, administered in a way unique to LDSCO.
“We work through the assessments together,” said Jimmy. “We joke around to keep things light, even when people get questions wrong. Humor helps our staff retain the information. After the assessment, each learner is assigned a quiz on the material they need to complete in 15 days. The process really works well for us.”
Engaging employees with relevant and relatable training
When choosing training topics, Jimmy focuses on the topics and campaigns most relevant to LDSCO, but also keeps his eyes on the latest international and financial cyberthreats. For example, spamming and social engineering were his program’s primary topics when news broke about Iranian hackers targeting the U.S. in early 2020.
With hackers attacking employees working from home during the COVID-19 pandemic, he turned to learning modules on remote working. He plans to continue with remote working education for the rest of the year, covering safe browsing, malicious attachments and malware.
Keeping employees cyber-alert with phishing simulations
In between the monthly awareness training group sessions, Jimmy keeps staff on their toes with regular simulated phishing emails sent using PhishSim. Next, he plans to create customized phishing templates to increase the level of simulation difficulty and mimic more advanced threats like social engineering and impersonation. The phishing component of Jimmy’s program has been an effective way to reinforce training for LDSCO employees.
“Since we started training and phishing employees, they’ll call me to work through a potentially malicious email,” Jimmy said. “They’ll ask, ‘Is this spam?’ Instead of just giving them an answer, we’ll talk through it. I’ll ask: Did they hover over the link? Look at the header? Is everything spelled correctly? Is there something about it that just doesn’t feel right? Going through this exercise helps them really understand how to detect phishing emails.”
Driving lasting changes through security culture shift
Jimmy’s approach to security awareness and training has helped him drive a culture shift at LDSCO and change the way employees view their relationship with the IT department. Working more closely with a wider group has created more familiarity and an understanding that IT people aren’t just there to make sure the computers work.
“Because of the training from Infosec IQ, we’re definitely catching and stopping more threats in the inbox,” said Jimmy. “That is a very visible, measurable result. It goes a long way toward keeping our company safe and secure. I tell everybody that we’re trying to create a human firewall — that they can be stronger than all the security devices we have in place to stop malicious attacks.”
Loren D. Stark Company is a Big Phish Award finalist in the 2020 Infosec Inspire Security Awareness Awards. The Big Phish Award recognizes clients with the most advanced phishing training programs. Award-winning programs harness the most powerful tools of persuasion — customization, impersonation and urgency — to teach employees how to avoid even the most devious phishing attacks.
The award was announced during the Inspire Awards ceremony during the Infosec Inspire Cyber Skills Virtual Summit. The only event of its kind, Inspire is hyper-focused on the human side of security — equipping cybersecurity leaders with knowledge and insights to develop employee cyber skills, forge their organization’s security culture and make a lasting impact. Learn more about Infosec Inspire here.