Customer Success Story - The Interdisciplinary Center (IDC) The Customer - A Leading Academic Institute
August 2019 by Marc Jacob
The Interdisciplinary Center is a Private College in Herzliya, Israel. It grants undergraduate degrees, post-graduate degrees, and is set to begin awarding Ph.D. degrees. IDC Herzliya has 7,500 students enrolled for undergraduate and graduate degrees, including 2,000 international students from 90 countries around the world. IDC has a total of 750 full-time employees.
The Challenge - An Industry Under Constant Attack
While email as a mode of communication represents a major vulnerability for any organization, academic institutions are especially susceptible. Colleges and universities tend to be open organizations that involve many internal and external constituents, including but not limited to students, faculty, staff, administration, researchers, alumni, vendors, contractors, the media and the community at large. When considering all of the audiences involved, and the hundreds of thousands of emails that are sent regularly, the risks from ever-more-deceptive social engineering techniques as well as masked viruses are naturally multiplied. “In my experience, those in educational organizations—including institutions of higher education—haven’t fully grasped that email today is the main attack vector, due to the human factor,” says Mike Ray, IDC’s CIO. “They’re not currently making enough of an investment in terms of personnel, finances, or technologies to fight phishing attempts.”
While hackers frequently target faculty and administration due to their level of access and connectivity, they do not stop here and also target students especially during the financial season where eligible students are waiting for payments and would more likely to share their bank account information with a “university official”
“Before learning about CybeReady, our biggest challenge was how to educate our users about the disastrous potential of harmful emails,” said Ray. “So we sought out a solution and came across a different one at first. Of course, during the product demo, everything worked just fine, as it did on the first day of training. However, my security
information officer wound up spending way too much time trying to figure out how to operate that particular system, which ended up being time-consuming.”
The Solution - An Autonomous Training Platform
Ray switched gears, looking for a fully managed service offering rather than handling all of the phishing training operations in-house. In engaging CybeReady, he found a service provider that truly made a difference in employee behavior towards phishing attacks, and did all of the heavy lifting. “Their team has saved me a lot of time and effort from security administration here, and in our second year with them continues to do so,” he noted. What previously would take half of a workday to set up is now done automatically, as managers no longer have to spend hours preparing campaigns, selecting recipients or sending test messages.
The Results: 400% Improvement in Employee Resilience
The university is currently in its 16t h campaign, where it has seen a sharp decline (over x5) in ‘serial clickers’ (the organization’s high-risk group) as well as those who only occasionally take action with a phishing email. “At our request, CybeReady raised the difficulty of our latest campaign, and although the number of users who click has risen, we can see that overall, our faculty and administration are learning,” Ray said. “The system is definitely working and has generated much stronger awareness across the campus of email as a pervasive threat.”
Over 5x decline in ‘Serial Clicker’ (High Risk) rate; Almost 400% increase in Employee Resilience Score
A significant change in Risk Group Distribution, with most employees converting to Rare Clickers (low risk)
“One of the other things I like about CybeReady’s system is its comprehensive dashboard,” he added. “That I get all the info in one place where I can pull insights about our progress and any areas of weakness, which I use when making future campaign decisions.
“Without a doubt, the weakest link in the security chain is the employee,” he said. “We’re investing in this proactive approach with CybeReady because of the dividends we reap, which included greater protection of sensitive data, far fewer viruses, and minimal issues for my team to address.” “I’m also extremely pleased with the level of service we receive from the CybeReady team. Every question, every problem I have that I bring to their attention receives an immediate response, and for me, that’s really important. I don’t have to go through multiple channels before getting an answer.” Once a year, IDC leads an information security briefing with university leadership, where he shares highlights from his team’s many efforts, of which phishing training is an integral part. Last year, he used screenshots from CybeReady’s system and the institution’s customized dashboard to demonstrate the results and effectiveness. “Our leadership team was amazed by the progress we have made in a short period of time, and I appreciated being able to bring them that level of visibility into our efforts.”