When Enfield (CT) Housing Authority Executive Director Scott Bertrand heard about the KnowBe4 cybersecurity awareness training discounts available to HAI Group members, he didn’t hesitate to take advantage.
“With cybersecurity, it’s one of those things that if it’s not keeping you awake at night, it should be,” he said.
Bertrand (pictured at left), chair of HAI Group’s Board of Directors, first experienced KnowBe4’s training services a few years ago when HAI Group board members were mandated to take cybersecurity training. He liked the training better than what housing leaders are required to take annually through the U.S. Department of Housing and Urban Development, but the cost was too much for his housing authority at the time, while the perceived cybersecurity threat level was too low.
But the cybersecurity landscape has changed dramatically in just a few short years. Cybercriminals are now targeting housing organizations at an alarming rate, with some organizations paying hundreds of thousands, if not millions, of dollars to remedy cybersecurity breaches. According to IBM's latest Cost of a Data Breach Report, the average cost of a ransomware breach in 2022 was $4.5 million, not including the cost of the ransom itself. The report based the average cost on breach response activities, such as detection and remediation of the attack, as well as loss of business due to system downtime.
In January, after HAI Group announced a partnership with KnowBe4 to offer an exclusive discount program to HAI Group members, Bertrand decided to explore KnowBe4’s training services once again. He tasked his deputy executive director, Shari Riddick, with leading the project. Bertrand said that the only legwork required of the housing authority to get started with KnowBe4 was notifying its external IT vendor.
“Cybersecurity awareness training is critical for housing staff, and at this point, the cost is worth it,” he said, adding that his housing authority relies on technology for its operations and contracts with a vendor for IT services. “You start looking at it from a business point of view in terms of how much it would cost us if we did get hit by a cyberattack.”
Phase 1: A phishing test to establish the housing authority's baseline
The first phase of KnowBe4's cybersecurity awareness training program entailed sending an email phishing test to the Enfield Housing Authority's employees in February. Phishing is a form of social engineering where cybercriminals attempt to deceive people into revealing sensitive information or clicking on malicious links and attachments that install malicious software (e.g., ransomware).
Christian Sheedy, executive vice president of small- and medium-sized business sales for KnowBe4, said phishing tests work by creating a campaign that automatically goes out once a month (or more frequently, at the organization's discretion) to all end users.
“[Phishing test emails] are delivered to all of your users at different times with fully randomized phishing templates,” Sheedy explained. “If an end user is to fail and click on a simulated phishing link, they are automatically enrolled into a ‘clickers’ group that then enrolls them into a short remedial training module.”
Phishing tests can also help identify employees who pose a security risk to your organization because they lack cybersecurity awareness.
“You can then create a policy around this and have escalations in place for these employees to ensure security is top of mind,” Sheedy said. “You can create targeted training campaigns for employees based on their categorical failures. You can also identify weaknesses in certain departments to create training campaigns to strengthen these. The biggest action you can do is to create a security culture which will ultimately reduce the risk of social engineering.”
Bertrand said he was proud that none of his employees were tricked by the first phishing test delivered in February.
“I was a little bit surprised that we didn’t have at least one person take the bait,” he said.
Before the phishing test, Bertrand said all staff members were mandated to take the free cybersecurity training courses available through HAI Group Online Training (no subscription is required, and the courses are open to all employees of HAI Group member organizations). Bertrand surmised that the HAI Group Online Training experience probably factored into how well his employees performed on the first KnowBe4 phishing test.
After the test was delivered, several employees approached Bertrand and Riddick about the suspicious nature of the email. Bertrand said employees talked amongst themselves, sharing what they felt was off about the email. At the time, they didn’t know it was fake.
“I’m very proud of the fact that our employees responded that way,” Bertrand said.
Phase 2: A second phishing test and the addition of KnowBe4's Phish Alert button
There was a similar response from employees after KnowBe4 sent a second phishing test email in mid-March. The email appeared as if it was from Microsoft 365, asking employees to reenter their passwords. Bertrand said he’s awaiting results on the test but is hopeful his employees performed well. Several employees reported the email using KnowBe4’s Phish Alert button, implemented shortly after the housing authority’s first phishing test.
Organizations can add the Phish Alert button to their email platforms to give employees a safe way to forward email threats to a security team for analysis. When the button is utilized, the email in question is automatically deleted from the user’s inbox to prevent future exposure. Bertrand said the housing authority’s IT vendor receives reported emails for further analysis.
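The campaign mechanics Sheedy describes (randomized delivery times and templates, a "clickers" group that is automatically enrolled in remedial training, and per-department weaknesses that drive targeted training) together with the Phish Alert reporting flow amount to simple bookkeeping over two kinds of events: a user clicked the simulated link, or a user reported the message. The Python below is an added example written for this article; it is not KnowBe4's software, the housing authority's configuration, or the IT vendor's tooling. The roster, the event log, the module identifier and the template names are constructed placeholders, and the scheduling and rate calculations are this example's own choices.

```python
"""Bookkeeping for a simulated-phishing campaign (constructed example).

Given a staff roster and the events recorded during one campaign, this:
  * builds the "clickers" group and enrolls each member in a remedial module,
  * computes per-department click (phish-prone) and report rates so the
    weakest departments can receive targeted training, and
  * assigns each user a randomized send time and template for the next test,
    so that test emails do not all arrive at once with one look.
"""
from __future__ import annotations

import random
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class User:
    email: str
    department: str


@dataclass(frozen=True)
class Event:
    """One recorded action during a campaign."""
    email: str
    kind: str  # "clicked" (failed the test) or "reported" (used the alert button)
    at: datetime


# Placeholder module id; a real platform would use its own identifier.
REMEDIAL_MODULE = "remedial-phishing-basics"


@dataclass
class CampaignResult:
    clickers: set[str]
    reporters: set[str]
    click_rate_by_dept: dict[str, float]
    report_rate_by_dept: dict[str, float]
    remedial_enrollments: dict[str, str]  # email -> module id


def summarize_campaign(users: list[User], events: list[Event]) -> CampaignResult:
    """Fold the event log into clickers, reporters, per-department rates and enrollments."""
    known = {u.email: u for u in users}
    clickers: set[str] = set()
    reporters: set[str] = set()
    for ev in events:
        if ev.email not in known:
            continue  # events for addresses outside the roster are ignored
        if ev.kind == "clicked":
            clickers.add(ev.email)  # a click is a failure even if the user later reports
        elif ev.kind == "reported":
            reporters.add(ev.email)
        else:
            raise ValueError(f"unknown event kind: {ev.kind}")

    headcount: dict[str, int] = defaultdict(int)
    clicks: dict[str, int] = defaultdict(int)
    reports: dict[str, int] = defaultdict(int)
    for u in users:
        headcount[u.department] += 1
        if u.email in clickers:
            clicks[u.department] += 1
        if u.email in reporters:
            reports[u.department] += 1

    click_rate = {d: clicks[d] / n for d, n in headcount.items()}
    report_rate = {d: reports[d] / n for d, n in headcount.items()}
    # Every clicker is enrolled in the short remedial module automatically.
    enrollments = {email: REMEDIAL_MODULE for email in sorted(clickers)}
    return CampaignResult(clickers, reporters, click_rate, report_rate, enrollments)


def weakest_departments(result: CampaignResult) -> list[str]:
    """Departments ordered by click rate (highest first); ties go to the lower report rate."""
    return sorted(
        result.click_rate_by_dept,
        key=lambda d: (-result.click_rate_by_dept[d], result.report_rate_by_dept[d], d),
    )


def schedule_deliveries(users: list[User], templates: list[str], window_start: datetime,
                        window_days: int, seed: int = 0) -> dict[str, tuple[datetime, str]]:
    """Give each user a random send time inside the window and a random template."""
    rng = random.Random(seed)  # seeded only so the plan is reproducible when reviewed
    window_minutes = window_days * 24 * 60
    plan: dict[str, tuple[datetime, str]] = {}
    for u in users:
        offset = timedelta(minutes=rng.randrange(window_minutes))
        plan[u.email] = (window_start + offset, rng.choice(templates))
    return plan


# Constructed roster and event log for demonstration (not real people or results).
ROSTER = [
    User("a@example.org", "finance"), User("b@example.org", "finance"),
    User("c@example.org", "maintenance"), User("d@example.org", "maintenance"),
    User("e@example.org", "admin"), User("f@example.org", "admin"),
]
T0 = datetime(2023, 2, 1, 9, 0)
EVENTS = [
    Event("a@example.org", "clicked", T0 + timedelta(hours=1)),
    Event("b@example.org", "reported", T0 + timedelta(hours=2)),
    Event("c@example.org", "reported", T0 + timedelta(hours=3)),
    Event("d@example.org", "reported", T0 + timedelta(hours=3)),
    Event("e@example.org", "clicked", T0 + timedelta(days=1)),
    Event("e@example.org", "reported", T0 + timedelta(days=1, minutes=5)),  # clicked, then reported
    Event("zzz@example.org", "clicked", T0),  # not on the roster: ignored
]

if __name__ == "__main__":
    res = summarize_campaign(ROSTER, EVENTS)
    print("clickers:", sorted(res.clickers), "reporters:", sorted(res.reporters))
    print("weakest departments:", weakest_departments(res))
    for email, (when, tpl) in schedule_deliveries(ROSTER, ["tpl-1", "tpl-2"], T0, 30).items():
        print(f"{email}: {when:%Y-%m-%d %H:%M} {tpl}")
```

The design separates failure from reporting on purpose: a user who clicks and then reports still lands in the remedial group, but their report is counted as a positive signal for the department, which is the behaviour the post credits when employees flagged the Microsoft 365 lookalike. The `ValueError` on an unknown event kind is there so a malformed export from a mail platform fails loudly instead of silently skewing the rates.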
Sheedy said there’s an element of psychology at play when phishing tests are deployed regularly.
“Employees will start to be hyper-aware knowing that they are getting tested,” he said. “This causes a shift in security culture which ultimately reduces the organization's overall security risk. Your employees are the last line of defense, so by understanding their part in the organization, they are more likely to be aware and care about their actions."
Phase 3: Rollout of mandatory monthly employee training
The final phase of KnowBe4's cybersecurity awareness program at Enfield Housing Authority includes rolling out mandatory monthly training for employees. The image above is a snapshot of KnowBe4's training platform and the type of courses offered.
“By having a fully mature security awareness program that includes both phishing tests and training, you can change the user's behavior where they will start to have security hygiene when looking at emails,” Sheedy said.
While employee training is a critical tool in preventing cybersecurity incidents, it's one of several measures HAI Group members should consider implementing. For instance, Enfield Housing Authority uses multi-factor authentication for critical services. This HAI Group blog post highlights additional cybersecurity tactics for housing organizations to consider, especially when in the market for a cyber liability policy.
Bertrand said that while you can’t eliminate risk, you can manage it, and implementing KnowBe4’s cybersecurity training program is a step in that direction.
“It makes me feel better knowing we’re being proactive and doing something right regarding cybersecurity.”
Includes copyrighted material from a company under the HAI Group family, with its permission. This post is for informational purposes only and is not intended to provide legal advice, and shall not be relied on as such. We strongly recommend consulting with legal counsel or an appropriate subject matter expert.