Training Top 125 Best Practice: Intermedia Inc.’s Hacktober
Every year, cloud-based software-as-a-service provider Intermedia Inc. organizes around “worry-free experience” as a corporate goal/theme. Teams across Intermedia prepare sub-goals and projects under this umbrella theme to deliver trustworthy services to customers. The five pillars of the worry-free experience—security, reliability, onboarding, support, and regulatory compliance—are designed to ensure that nothing distracts customers and employees from adding value to their business.
Intermedia created Hacktober in 2015 to build the spirit of the “worry-free experience” by ensuring all Intermedia employees are trained to catch real-world security attacks and are geared toward a compliant culture. Hacktober is an organization-wide cybersecurity functional exercise designed to raise awareness of security threats; educate employees; and reinforce behavioral patterns in an engaging, fun environment.
October is National Cyber Security Awareness Month (NCSAM). While many companies might provide information via traditional means (compliance videos, dry awareness posters and messages, lectures and e-mails) to help their employees detect and prevent cyber-attacks, Intermedia adopted a different, innovative approach. Intermedia’s security team worked to create a series of simulated security incidents, such as phishing, dropping a malware-laden USB, tailgating, vishing, and rogue network access points. These simulated scenarios provide an active learning environment for employees worldwide, including gauging reactions, addressing concerns, and providing real-time feedback. To promote Hacktober and create memorabilia of the learning experience, Intermedia gives away swag such as custom mugs, T-shirts, and hoodies to all active participants.
Hacktober is an annual event; three have taken place since 2015. Exercises are prepared for all departments, based on differentiated risk patterns. To make the hacks more effective, specific groups within the company are targeted with the types of threats they are likely to encounter when they are doing their job. For example, some groups within the company are more likely to be targeted by “phishing” than others.
Intermedia employees also are enrolled in a video-awareness series that explains the risks of phishing, untrusted USB devices, rogue WiFi access points, and more. Ryan Barrett, VP of Security and Privacy, is intimately involved in designing, developing, executing, and communicating all aspects of Hacktober to employees.
Each year, Intermedia employees are recognizing more and more phishing attacks and reporting those attacks more often. USB drops are recognized instantly now, and Intermedia rarely sees anyone plugging a dropped USB into their corporate workstation. As Barrett reported to senior leadership in 2017, over the course of Hacktober, the rate of success of well-crafted phishing e-mails dropped from 50 percent to 15 percent to 7 percent, showing improving employee understanding of the basic principles of a phishing attack. At the same time, reporting of phishing e-mails increased as Hacktober progressed.