A strategic approach to a statewide security awareness program
A long-time Infosec client and awareness training veteran, the State of Maryland’s information security officer Derek Wheeler is no stranger to what it takes to run an effective program. To ensure alignment from all stakeholders and set staff expectations accordingly, Derek has two program managers appointed at every state agency participating in the program.
“When an agency signs up for security awareness training, we set up a memorandum of understanding between our agency and their agency,” said Derek. “They are required to appoint a primary and backup security program manager to avoid disruptions in the program.”
It’s through this extended network that the state can drive awareness and promote secure behavior to all 53,000 state employees. Reports are sent to all managers every Monday to ensure employees complete training on time and state training requirements are fulfilled. While the state mandate is a driving force behind program adoption, the department’s focus is on making the training meaningful to employees and leaving a lasting impact.
“Our main goal is to build awareness and share information employees can use to protect themselves online,” said Derek. “When they protect themselves, they protect the whole State of Maryland. I tell people they are their own personal firewall because they can catch things right in their inbox before threats can do any damage.”
Reducing risk with a quality, consistent awareness and training program
Proof that the state’s approach works is in the numbers. Since first deploying Infosec IQ awareness and training, simulated phishing click rates for State of Maryland employees have dropped by 85%. Equally important, suspicious email reports have increased by 70% — a massive increase in the number of employees proactively reporting potential security threats to the State of Maryland SOC team.
“Employees are identifying risks more now than they were in the past,” said Derek. “They submit tickets all the time asking if emails are phishing or scams. They are definitely putting the training to use.”
Beyond just fulfilling a state requirement, Derek attributes the training program with encouraging employees to ask questions they might otherwise have not. “So many individuals ask questions after the training,” said Derek. “It makes them aware of the different types of hacks, breaches and incidents that can happen when you’re not diligent. After the Wi-Fi training for example, I had employees approach me and say they didn’t realize how dangerous public Wi-Fi can be if it’s not secured. Without the training, we wouldn’t have had those conversations.”
While Maryland often uses post-training assessments to reinforce key lessons from the training, Derek cautions against assigning “grades” to individual assessments. “Assessments aren’t about passing or failing — they are knowledge based. We assign assessments to reinforce learning. It’s another way to get employees engaged and think about the information we share.”
Derek and his team also regularly recognize employees who go the extra mile to both complete training and help the state stay ahead of potential threats. “Our agency’s secretary goes out of his way to recognize employees who go above and beyond in terms of recognizing threats and reporting them,” said Derek. “We ensure those employees are credited by their managers — and their directors — for their contributions.”
Staying relevant with industry trends and events
As Maryland’s information security officer, Derek takes keeping up with the industry and emerging threats seriously. “One thing about working in IT is that it’s ever changing. Bad actors are always trying new schemes to break into systems and cause havoc,” said Derek. “No one knows everything within their field, so I’m a member of several different boards to stay aware of everything going on in our industry.”
Part of this includes championing important causes like National Cybersecurity Awareness Month (NCSAM). The Maryland Department of Information Technology (DoIT) makes it easy for state agencies to participate in this annual event and continue to drive security awareness among state employees. “We create a month-long calendar of events and pre-print awareness-themed posters for every office,” said Derek. He also sends an NCSAM toolkit to every awareness manager participating in the program.
Bottom line: keep it relevant, keep it useful
At the heart of every successful security awareness and training program is relevant, useful information that’s easy to understand and apply. It’s this concept that drives the core of the state’s program. “A lot of employees enjoy it,” said Derek. “We send them interesting training that can be completed in less than 5 to 10 minutes every month. It’s called security awareness for a reason — we’re just trying to keep them on their toes. The training protects them while protecting the entire State of Maryland.”
The Maryland Department of Information Technology is a finalist for the Impact Award in the 2020 Infosec Inspire Security Awareness Awards. The Impact Award celebrates the successes of Infosec’s most innovative and inspiring clients and partners. Award-winning success stories detail high-impact security awareness and training initiatives that empower employees and motivate effective security habits.
The award was announced during the Inspire Awards ceremony held September 22 during the Infosec Inspire Cyber Skills Virtual Summit. The only event of its kind, Inspire is hyper-focused on the human side of security — equipping cybersecurity leaders with knowledge and insights to develop employee cyber skills, forge their organization’s security culture and make a lasting impact. Learn more about Infosec Inspire here.