How IIE moved mountains to build a culture of cybersecurity
As a global education center, the Institute of International Education (IIE) knows the importance of protecting the PPI of its more than 29,000 students and scholars across the world in an industry commonly seen as an easy target for cybercriminals. IIE also knows the impact of truly effective education.
Learn what made IIE an Engagement Award finalist and how they pioneered new ground within their security culture.
Aligning cybersecurity with the IIE mission
Over the past two years, IIE has shifted to a belief that effective information security and data protection take a village to execute properly.
“We have a duty to protect the data provided to us by those we serve from undue security risk,” said Allan Goodman, CEO and president of IIE. Shannon McPherson, director of information security and compliance, takes this mission to heart and applies it directly to IIE’s security awareness efforts.
Knowing a cyberattack is a matter of “when” and not “if,” McPherson set out to re-envision IIE’s cybersecurity training program — and she had her work cut out for her. Their previous training program was characterized by infrequent training and, in McPherson’s words, the dreaded “Death by PowerPoint” approach.
IIE also struggled with an issue that many IT teams are all too familiar with: an adversarial relationship between IT staff and everyone else. “The largest obstacle in the creation of IIE’s Information Security Program began not with the need to procure a versatile security awareness platform,” explained McPherson, “but with the need to overcome our cultural deficit, one of mistrust and disconnection.”
Taking a multi-dimensional approach to training
What followed was a security awareness program uniquely cultivated to engage employees, celebrate successes and transform the culture at IIE. Each year, staff go through comprehensive security awareness training and assessments. Long gone are the dreaded PowerPoints, and in their place are engaging learning experiences.
“We are big fans of the Need to Know series. Anthony and his friends do not disappoint. And they also bring a mixture of engagement and comedy,” said McPherson. “The first year we did this when we were still in the office (pre-pandemic), I actually heard people around the office randomly saying, ‘Don’t call me Tony,’” a phrase from the Need to Know series. “That was quite fun to hear because it means people are remembering things and associating the content with specific security topics.”
IIE also uses supplemental training campaigns such as the Wild, Wild Net toolkit to jumpstart awareness throughout the year. “We were using that on a weekly basis as it was designed, but I also customized the emails to our audience, which I feel is the most efficient way of connecting with your team members.”
New hires also benefit from supplemental materials to springboard them into their new job with the safety, security and awareness knowledge they need to succeed.
Security awareness training doesn’t end with training modules and assessments. McPherson supplements training and awareness with an array of resources, including newsletters, infographics and posters, to name just a few.
A positive twist on phishing
IIE takes its phishing risk head-on by delivering quarterly phishing simulations to all team members and providing supplemental information on an internal phishing awareness page.
McPherson utilizes the Catch of the Week template category and hand-selects templates most relevant to IIE. To McPherson, providing relevant education and getting a true measurement of employee risk is more important than driving a phish rate to 0%. “We purposely do not select the easiest phishing templates for our team members. We also use customized templates from our own repository.”
Despite the often difficult, real-world tests, IIE has watched its phishing pass rate increase from 75% to 92% with employee email reporting following the same trend.
McPherson strategically communicates the phishing pass rate (versus the traditional phished percentage) to align with IIE’s employees and culture. “Our people thrive on being able to celebrate their progress. Communicating a pass rate instead of a failure rate helps us do that.”
Achieving a cybersecurity culture shift
Since taking the helm, McPherson has noticed a significant shift in employee attitudes towards cybersecurity at IIE. She was even able to quantify this shift using Infosec IQ’s Cybersecurity Culture Survey, designed to gauge employees’ attitudes and perceptions towards cybersecurity.
McPherson was pleased with staff responses and high marks in all five cultural domains. This year’s survey findings will serve as a baseline the Information Security Team can use as a measuring post for future surveys.
Delivering award-winning results
McPherson and the rest of the staff at IIE moved at warp speed to modernize their cybersecurity program. Instead of being intimidated by the endeavor, they tapped into their collective drive as an educational community to master this new and critical subject. These days, IIE proudly identifies as a security-conscious organization in a habitually vulnerable industry.
IIE is an Engagement Award finalist in the 2021 Infosec Inspire Security Awareness Awards. The Engagement Award is a salute to the most engaging and influential security awareness training programs. These are the programs that go “outside of the box” to harness the power of creativity, learner engagement or gamification to drive lasting behavioral change.