An unexpected reception
In the fall of 2019, Racine Unified School District (RUSD) network administrator Randy Langer and application support specialist Craig Wepprecht were excited to roll out the district’s first formal security awareness training program. They had the support of IT management and the district administration. The plan was to identify the initial phishing susceptibility rate using three simulated phishing emails from Infosec IQ.
“We were really gung ho,” Randy chuckled. “We were told, ‘This is the greatest idea ever. We’re going to be so safe and so secure.’ That lasted right up until we flipped the switch.”
Panic ensued from many who received the fake phishing emails. “Some thought the entire network was going down,” said Randy. “A few thought they were in serious trouble and their jobs were in jeopardy.”
The first test crashed the team’s help desk ticketing system as faculty and staff reached out for help regarding the simulated attacks. Four days after the program launched, Randy and Craig were ordered to shut it down, leaving the initial phishing simulation incomplete.
Overcoming adversity with effective communication and leadership support
What followed is not unique to RUSD. It’s a response many security awareness training managers receive when establishing the initial baseline phishing rate. While establishing an accurate baseline rate hinges on employees being unaware a test is coming, this “pop quiz” did not resonate well with faculty and staff. Randy and Craig knew they needed a reboot.
“We put a hold on the program and worked with leadership on a communication plan,” said Craig. “Over the course of the next three months, members of the IT team met with senior leaders and the principals at each of the schools. As soon as we spent time explaining the program goals face to face, the change in attitude was amazing. People understood the purpose, and we got everyone back on board.”
Building security awareness with a multi-layered approach to training
The face-to-face meetings were augmented with material from Infosec IQ’s Need to Know video training series. During National Cyber Security Awareness Month in October 2019, they added Need to Know infographics to the district’s computer backgrounds and placed posters in staff lounges to keep security awareness top of mind.
A second round of phishing simulations started in January 2020, this time sent to just a fraction of the staff each week. Right away, Randy and Craig noticed the phishing rate drop dramatically, and importantly, user awareness significantly increased. They continue campaigns today with a regular cadence of education and supplement the phishing tests with the WORKed video series and poster campaigns at each school.
The good news from all the hard work, persistence and communication is in the numbers: RUSD’s initial baseline phishing rate of 23.7% dropped to just 7%. They achieved a 50% voluntary participation rate in the video training series and also recently deployed PhishNotify to empower staff to report suspicious emails right from their inbox.
“It’s that awareness thing,” said Craig as he reflected on the importance of an ongoing program. “We have to say it again and again and pretty soon, the training starts to sink in.”
Culture shifts occur when everyone is at the table and part of the mission
Randy and Craig don’t dwell on the bumpy start to the program. They focus on keeping security awareness a part of the regular conversation in the teachers’ lounge and at staff meetings.
“Once we got face to face with everybody, that really turned the table,” Randy reflects. “It helped them understand cybersecurity threats are all around us. We shared stories with teachers about people they knew who lost money in phishing scams. People that handed over credit card numbers and then the hassle of going to the bank to get everything changed.”
“You don’t have to look hard to find real life stories of people, school districts and even city governments impacted by cybercrime,” said Randy. “We tell them security awareness is not just about keeping your job safe, you’re keeping yourself safe. This isn’t training just for work, this is training for life. You can apply training to everything you do — from your cell phone and computer to how your own kids use devices at home.”
The Racine Unified School District is the winner of the Impact Award in the 2020 Infosec Inspire Security Awareness Awards. The Impact Award celebrates the successes of Infosec’s most innovative and inspiring clients and partners. Award-winning success stories detail high-impact security awareness and training initiatives that empower employees and motivate effective security habits.
The award was announced during the Inspire Awards ceremony held September 22 during the Infosec Inspire Cyber Skills Virtual Summit. The only event of its kind, Inspire is hyper-focused on the human side of security — equipping cybersecurity leaders with knowledge and insights to develop employee cyber skills, forge their organization’s security culture and make a lasting impact.