With cybersecurity attacks on the rise, Ascend Federal Credit Union’s Information Technology function implemented a training program to increase awareness and educate employees on cybersecurity risks, and improve their abilities to identify red flags and respond to these situations appropriately.
The training is conducted for information security and cybersecurity for 100 percent of employees (633) across the organization, as well as the Board of Directors and retirement/investment advisors, using a combination of training within the organization’s learning management system (LMS) and test simulations through third-party security platform KnowBe4.
Program Details
The credit union approaches cybersecurity awareness using a cyclical four-stage methodology: assess, educate, reinforce, and measure.
- Assessment allows it to determine knowledge gaps for its staff and helps determine training assignments. In 2023, all employees participated in assessments based on a broad spectrum of cybersecurity information.
- Education and training enable it to fill the knowledge gaps discovered through assessment or simulation results. Interactive training modules are assigned quarterly to increase Ascend’s understanding of the cybersecurity risks it faces. Training content is dynamic and updated based on current cybersecurity trends.
- Reinforcement comes in the form of monthly realistic phishing simulations using the KnowBe4 platform to reinforce the previous quarter’s information security training topics. These simulations ask employees to perform a task that could pose a significant information security risk to the business or its members. Should employees fail the simulation, immediate reinforcement of desired behaviors is assigned.
- Measurement is a critical component of the cybersecurity platform and allows Ascend to track the number of simulations an employee completed successfully. Results measure the effectiveness of training and the improvement in behaviors, such as clicking links, opening attachments, and/or disclosing sensitive information by entering credentials and reporting e-mails to IT. From the monthly results, IT can determine areas of improvement needed and potential training content for future campaigns.
Additionally, measurement serves as the basis for remediation plans when risky behaviors are identified. Individual failures and risky behaviors are tracked for a rolling 12-month period. Employees who continue to exhibit these behaviors are assigned to a remediation training plan to prevent vulnerability and potential loss to the credit union. These behaviors are documented and discussed during the employee’s coaching evaluation.
Results
In 2023, the organization’s “click rate” determined by simulation responses was 1.39 percent, significantly below the industry standard of 9 percent. Information Security Training enabled employees to adopt positive practices and habits, leading to zero losses due to cybersecurity attacks and contributing to the organizational efficiency ratio of 67.42 percent.
