How to transform compliance training into a catalyst for behavior change
Inflection Point Systems was tasked with strengthening cybersecurity education for their 200-plus employees across the U.S. and Mexico. The result? A major shift in employee behaviors and recognition as an Infosec Security Awareness Awards winner.
Adapting to new cybersecurity risks
As an ISO 27001 certified software company, security awareness training isn’t just a top priority at Inflection Point — it’s woven into the company’s fabric.
So when its 200-plus employees moved offsite to work from home during the pandemic, Lorena Garza, Information Security Lead, knew it was time to step up their security training game. After all, new risks came with the new work-from-home environment.
“When you are in the office, you feel a little bit more in control of your users and their practices or behaviors, but once we started working from home, the concern came directly from upper management.”
Elevating awareness while keeping learners engaged
With full support from the leaders of her organization, Garza launched new initiatives using Infosec IQ awareness and training, including semi-regular phishing simulations and monthly educational campaigns based on the Need To Know and Power Up programs.
These campaigns feature engaging training modules, assessments and supporting resources such as posters, infographics and newsletters.
“We also like to include the Choose Your Own Adventure® Security Awareness Games as soon as they are released,” explained Garza. Not only does this allow Inflection Point to gamify its security awareness program, but it also adds variety throughout the year to keep learners engaged and wondering what’s coming next.
Incentivizing participation through competition
In addition to new campaigns, Garza and her team have prioritized communication across the company, using the power of social proof to make participation worth it for employees.
While most professionals spend their entire careers trying to earn Hall of Fame honors, Inflection Point makes it easy for their employees to gain a little in-office fame.
When a new training module is announced, the first 10 learners to complete it are inducted into the company’s “Top 10 Hall Of Fame,” a surprisingly prestigious honor that has turned mandatory participation into a highly anticipated competition.
The prize? Company-wide recognition and bragging rights. “We expected it to be the same people every time,” Garza said, “But it’s actually been changing a lot. People are interested in this small recognition, and it’s been really helpful.”
“We have even launched actions from employee-reported emails, including deny-listing emails and adjusting our email configurations. So we’ve seen the impacts quantitatively, but also in employees’ overall behaviors.”
Immediate results spark long-term behavior change
As she hoped, Garza’s shift from annual compliance training to an engaging and comprehensive training program had a massive impact with significant quantitative and qualitative results.
In just 12 months, this training has helped:
- Reduce phishing rate from 39% to 3%
- Increase phishing reporting percentage from 3% to 31%
- Maintain a training completion rate of 96%
Though these impressive numbers reflect the program’s impact on business objectives, qualitative results show just as much promise. “It’s become an inside joke when employees encounter something suspicious, such as a bank extortion phone call. They like to joke, ‘Oh, I remember Lorena’s training. They’re not going to get me! I knew to hang up.’”
Garza says employee behaviors have even enabled the security team. “We have even launched actions from employee-reported emails, including deny-listing emails and adjusting our email configurations. So we’ve seen the impacts quantitatively, but also in employees’ overall behaviors. It’s been really awesome to see.”
Looking to be inspired?
While new initiatives are often met with reluctance, Garza’s advice to small and large organizations alike is to just go for it. “I think sometimes we get scared that it won’t be well-received or that it will be difficult to implement. And the reality is if you don’t start, you’re never going to know.”
By starting small, gaining trust and sharing results, Garza ensures that success is inevitable –– especially with the help of transparent training and engaging resources provided in Infosec IQ. “If we could do it, you can do it, too.”
Inflection Point Systems was the Impact Award winner for the 2021 Infosec Inspire Security Awareness Awards. The Impact Award celebrates success stories from our most innovative and inspiring clients and partners. Award-winning success stories detail high-impact, innovative security awareness and training initiatives that empower employees and motivate effective security habits.