How One Company Stopped Chasing Gremlins and Launched Cybersecurity Training

Infosec Institute

As an IT security leader, my job is to keep people’s hands out of the proverbial cookie jar. There’s nothing more disappointing than seeing a colleague fall prey to a phishing scam. The scammers are clever. They know how to spoof an email and make it look authentic. To stay one step ahead of them, I have to do a little phishing of my own.


I’m the Director of IT and Security at a North American metal recycler with 16 facilities and 1,200 employees in three countries. I came to the organization as we were de-merging from another company, and I was our first IT employee. When I walked through the door, there was nothing on the other side. I had to build our environment from scratch, and my initial priorities were stabilizing our infrastructure, ensuring our remote locations were adequately equipped to maximize performance and uptime, and establishing our IT team. Once we had the basics under control, I shifted my focus to employee cybersecurity training.



Most people aren’t overly technical, making them vulnerable to attacks. Even computer-literate folks can be fooled by bad actors, and malicious emails can slip through the cracks despite our many precautions. In 2017, one of our people clicked on a link, and a hacker seized control of their computer for 20 minutes — a lifetime when facing a breach. It was eye-opening for everyone. We had secured our machines and locked down access permissions in Active Directory, but this hacker found a way to get through.


The problem with most cybersecurity measures is that you only know you’ve failed after an attack compromises your systems. I didn’t want a repeat of the previous incident. I wanted to educate everyone throughout the organization about phishing and track their progress as they went along their cybersecurity knowledge journey.

A Program Launch within Two Weeks

I looked at various training platforms and chose Infosec IQ, a security awareness training platform aimed at non-technical users. The content was the platform's differentiator. It offers interactive training modules, including quizzes and videos, on cybersecurity issues such as phishing, social engineering, password management and data protection.


Infosec IQ also provides comprehensive reporting and analytics features that allow me to monitor employees’ progress and adjust our training material accordingly. Most impressively, it simulates phishing attacks, so I can test employees’ susceptibility to these types of attacks and gauge the effectiveness of our training.


Our core competency is industrial recycling, and IT takes a back seat for most of our teams. Infosec IQ allows me to deliver easy-to-understand training in digestible chunks—just five or six minutes a month—which puts us ahead of our industry and manufacturing peers. Someone can sit down in their spare time, watch a video, respond to a quiz and return to work. It doesn’t feel like a big lift, yet it’s enough to keep overall security and specific threats like phishing top of mind.


Two weeks later, we were up and running. Our Infosec IQ rep walked me through the process of authoring the first training videos and quizzes, eventually showing me how to build entire training programs. I continue to meet with them monthly and can call whenever I need help creating content or building programs.

Internal Phishing Tests Reduced Click-Through Rates

Even as we launched our initial cybersecurity training program, I faced some resistance to the phishing program. So, I used Infosec IQ’s phishing module to launch an internal campaign targeting key executive team members. Most clicked on the phishing link, and those results got them to agree to launch a one-week trial, during which I targeted our entire employee population.


During that trial, 25% of our staff clicked through the suspicious link. After presenting this finding to our executive team, they agreed to a weekly internal phishing test, which has proven to be a lifesaver.


The weekly tests have allowed me to identify my “problem children,” the employees who repeatedly fall prey to my phishing attempts. I use the Infosec IQ portal to capture a monthly snapshot displaying everyone who got phished over the last four weeks, who successfully spotted and reported my suspicious emails, and who didn’t pass the tests. I can offer additional training to repeat offenders, and they’re also immediately routed to educational material to continue their learning on the issue.
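The monthly snapshot described above, built from four weekly test results, as an added example (not the Infosec IQ portal's own report; the record layout, user names and the two-clicks threshold for a repeat offender are constructed assumptions):

```python
"""Monthly phishing-simulation snapshot from weekly campaign results.

Added example with constructed data; field names are assumptions, not the
Infosec IQ export format. For each weekly test, every recipient has one
outcome: "clicked" the simulated link, "reported" the email, or "ignored" it.
"""
from collections import Counter

# Constructed sample: week number -> {user: outcome} for four weekly tests.
WEEKLY_RESULTS = {
    1: {"alice": "reported", "bob": "clicked", "carol": "clicked", "dave": "ignored"},
    2: {"alice": "reported", "bob": "clicked", "carol": "ignored", "dave": "reported"},
    3: {"alice": "ignored", "bob": "ignored", "carol": "reported", "dave": "clicked"},
    4: {"alice": "reported", "bob": "clicked", "carol": "ignored", "dave": "ignored"},
}


def click_rate(week_results):
    """Percentage of recipients who clicked the simulated link in one campaign."""
    clicked = sum(1 for outcome in week_results.values() if outcome == "clicked")
    return round(100.0 * clicked / len(week_results), 1)


def monthly_snapshot(results, weeks=4, repeat_threshold=2):
    """Summarise the last `weeks` campaigns: who got phished, who reported,
    and who clicked in at least `repeat_threshold` different weeks."""
    latest = max(results)
    window = [w for w in sorted(results) if w > latest - weeks]
    clicks_per_user = Counter()   # user -> number of weeks they clicked
    reporters = set()             # users who reported at least once
    for week in window:
        for user, outcome in results[week].items():
            if outcome == "clicked":
                clicks_per_user[user] += 1
            elif outcome == "reported":
                reporters.add(user)
    return {
        "weeks": window,
        "click_rate_by_week": {w: click_rate(results[w]) for w in window},
        "phished": sorted(clicks_per_user),
        "reported": sorted(reporters),
        "repeat_offenders": sorted(u for u, n in clicks_per_user.items() if n >= repeat_threshold),
    }


if __name__ == "__main__":
    for key, value in monthly_snapshot(WEEKLY_RESULTS).items():
        print(f"{key}: {value}")
```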


After several years of simulated phishing attacks, the employee click-through rate has plummeted. Two months ago, it dropped to less than 4% for the first time. It’s a great feeling, and we want to stay vigilant. We’ll continue running this weekly exercise to lower the response rate to 1% or less.

Training That Reaches Across the Organization

The result is particularly impressive since I don’t have the time or the staff to develop and share comprehensive training material. I used to create phishing and malware education decks, and sometimes I’d get a few minutes to present them at all-hands meetings or an opportunity for an in-person presentation to six or seven people (at most). But I could only provide in-person presentations at corporate headquarters, which meant employees at other sites missed out on more in-depth coverage unless I visited those locations.


With Infosec IQ, I can train the entire company. Around 650 people get phished every week, and almost everyone has learned to spot the telltale signs of a scam on top of their ongoing training.


Beyond our phishing exercises, video training and quizzes, we share Infosec IQ's monthly informational videos. These three-minute capsules typically focus on cybersecurity news and events, like the recent MGM Casino hack in Las Vegas. We tack them onto our monthly training material, and without realizing it, people spend extra time learning about security, which helps keep it top of mind. We even send out seasonal material like Infosec IQ's "Hacked for the Holidays" email, which uses cartoons to remind employees that their children might click on malware at home, infecting their personal computers and devices.


One of the clearest indicators of our success is the number of calls I receive about potential phishing scams. People open their email and pick up the phone if something feels wrong. Thanks to our training, their instincts are often correct, but they still second-guess themselves because they’re worried about the severity of cyber threats.

Customized Training, Regardless of Size

We continue finding ways to leverage Infosec IQ, such as with our new onboarding tool. We sync with Infosec IQ nightly, and when Infosec IQ sees a new account show up in Active Directory, it automatically invites that new employee to their initial employee training session.


From the beginning of their time with us, that user learns the basics of personal cybersecurity, including the importance of multifactor authentication, password protection, phishing and malware. We’ve tailored the content to our business, and it replaces our canned onboarding tool that dealt with generalities instead of industry-specific training.



Every company is on a different cybersecurity journey, and some industries have different attack vectors and threat levels than others. Infosec’s team has the skills and know-how to help teams of any size create a customized training program with robust cybersecurity education to secure any business and reduce risk. Infosec helped us set up our cybersecurity training program from scratch in a few days, and it can do the same for any company.


I can’t imagine going back to how we were and worrying about phishing because 25% of our people couldn’t tell a legitimate email from a scam. These days, security events are rare. We are no longer putting out fires because someone clicked on a malicious link. Instead of chasing gremlins, we’re retooling our infrastructure to improve network stability, connectivity and capacity at our plants.