The Metropolitan School District (MSD) of Wayne Township is located in the heart of Indiana. The district is home to 16,500 students, 2,500 employees and over 15,000 computers and devices.
After experiencing four ransomware attacks in a few short years, Chief Technology Officer Pete Just knew it was time to take a new approach to educating his faculty and staff about the risks of phishing and malware. Pete made several changes to the district’s security strategy and enrolled its employees in SecurityIQ awareness training. Pete’s efforts have been successful — the district has remained ransomware-free since deploying these changes in late 2017.
Pete, a former teacher, uses SecurityIQ to deliver personalized security awareness training to employees who need it the most. We met with Pete to learn more about his approach and how he’s used SecurityIQ to keep his district’s data secure.
Enhancing Security Through Workforce Education
Pete helped pioneer personalized learning at MSD of Wayne Township long before leveraging it in his security awareness training program. Using technology and data-driven insights, Pete and the MSD of Wayne Township boosted graduation rates by letting students choose education paths tailored to their needs and learning styles.
“There are two ways we like to think about personalized learning — one for students and one for staff,” said Pete. “We teach our faculty to personalize education through actionable classroom data.”
Pete follows this same approach when teaching staff how to identify phishing attacks. “Rather than hosting a meeting and making staff sit through a three-hour training, we tailor training to their own level of understanding. If we want to teach them something new, we first assess what they know. No one likes to sit in a room and listen to a talking head. And they don’t like getting trained on something they already know.”
Using Positive Reinforcement to Transform End-User Behavior
In addition to leveraging personalized learning, Pete uses positive reinforcement to drive the behavioral changes needed to combat phishing and ransomware attacks. He uses SecurityIQ phishing simulations to identify at-risk employees and deliver training tailored to their security aptitude.
“Training shouldn’t be punitive,” said Pete. “That’s one of the things I like about how we use SecurityIQ. If you’re not clicking links and getting phished, you don’t need the training and you won’t have to take any. If you need training, we’ll start with a three-minute module. If that doesn’t work, then we’ll have you take the 20-minute training.”
Pete recommends tying the benefits of security awareness training to life in and outside of the workplace. “If you’re not secure at work, you’re probably not secure at home,” said Pete. “I ask our employees, ‘Do you want people to get into your bank account?’ The answer is always no. Security awareness training will teach them how to stay safe online at work and at home.”
Why Metropolitan School District of Wayne Township Selected SecurityIQ
Before exploring external training solutions, the district tried an in-house approach. They sent informative emails to staff and hung posters in the buildings, but they did not see the results they needed. “This approach wasn’t well received. People weren’t engaging with the emails,” said Pete.
Pete looked at several major awareness training vendors before selecting SecurityIQ as the district’s training solution. The fact that InfoSec Institute developed SecurityIQ caught Pete’s attention. “InfoSec Institute’s history in security education made the product stand out to me,” said Pete. “It was a complete package for a very reasonable price.”
Platform features important to Pete included customization options, personalized learning and engaging, interactive content. “We wanted the ability to customize our campaigns and receive regular reports as campaigns were in progress. We also wanted training to be closely associated with learner clicks, and needed the ability to determine what training module went to whom and why,” said Pete.
Getting Training Buy-In From Stakeholders & Staff
Phishing simulations and workforce security awareness training are fairly new to K-12 education. Pete and the Indiana CTO Council surveyed school districts in the state to see how many used security awareness training to fight the growing phishing and ransomware threat. “Of the 400 folks who participated in the survey, 62% had never run phishing security tests,” said Pete.
Pete knew it was time to start an awareness training program at MSD of Wayne Township, but first needed to secure buy-in from stakeholders. “Our test database was locked up about two years ago following a ransomware attack,” said Pete. “Thankfully, we were backed up, but it put some people out. I reminded our stakeholders the entire situation could have been avoided if users knew not to click malicious links.”
Security awareness training presented an opportunity for MSD of Wayne Township to make life easier, protect resources and keep everyone safe. “I asked the group if we wanted to keep everyone safe, and of course they said yes,” said Pete. “I then explained we were going to provide just-in-time awareness training for people who need it the most. Two months later, we started our first phishing campaign.”
Pete attributes much of his success to the way he approached stakeholders and explained awareness training benefits. “The way I approached the group helped them understand what we wanted to do was a positive thing,” said Pete. “It starts with how you announce your program. It can’t be about ‘gotcha’ moments and negative feedback. If you start that way, you’re probably going to have all kinds of problems. I explained it’s a learning opportunity and a way to avoid future attacks.”
Creating a Culture of Security at Metropolitan School District of Wayne Township
With 2,500 employees, Pete knew making changes at the cultural level was going to be a challenge. Pete and his team looked to a group of key school leaders and stakeholders for help introducing the new program. “We have a group of about 40 teachers and 10 tech assistants who serve as technology leaders in the district,” said Pete. “We told them we were getting ready to start this program and showed them what to expect. We combined the new software with a train-the-trainer model.”
Called the iTEC team, this group helps field questions from staff about phishing simulations and awareness training. If negative feedback is received, it’s reported back to Pete’s team for further evaluation. “iTEC helps get staff on the same page,” said Pete. “We have 1,200 teachers — not all of them know who I am. I could send an email to everyone about the program, but this approach is more effective.”
Before security awareness training, teachers at MSD of Wayne Township didn’t understand why they were a hacker target. Educating them about phishing, social engineering and ransomware has helped the school district keep their data secure. “Our threatscape is constantly changing,” said Pete. “In the past 18 months, we’ve experienced an onslaught of sophisticated attacks. Hackers are targeting our users in very specific ways.”
In the years before training their staff with SecurityIQ, the district was hit with four ransomware attacks. There have been no ransomware attacks since deploying the SecurityIQ solution. “SecurityIQ was one of many changes we made to our security strategy,” said Pete. “Security takes a multilayered approach, and employee security education is an important layer.”