Is cybersecurity culture part of your strategy?

Is cybersecurity culture part of your strategy?

When developing a cybersecurity strategy, we often spend most of our time thinking about the technical layers, from end-point protection to cloud firewalls. But with over 90% of malicious breaches entering an organization through phishing and social engineering, an important component of protection is the target of these attacks—our people.

With education and hands-on training, staff and faculty can play a critical role in identifying and reporting phishing attempts and other suspicious activity, helping reduce organizational risk. While there is no shortage of platforms and services offering awareness training, we know that education, research and innovation organizations have unique needs, particularly with the wide range of non-technical users involved.

For this reason, we are excited to launch the ORION Cybersecurity Awareness Training program, supporting ORION constituents by developing a tailored program that will identify and address these unique awareness training needs. We are partnering with the Canadian Internet Registration Authority (CIRA) to provide the online platform for our training program.

Delilah Moysich (VP Business Planning and Partnerships) and Nicole Hurtubise (Senior Program Manager, Training and Product Marketing), who’ve been working with the ORION community to bring this particular program to market for the past year, sat down with Mark Gaudet (Business Leader, Security Products) and Jon Lewis (Product Marketing Specialist), who have been leading CIRA’s efforts at establishing the training platform for their members. The conversation that ensued was definitely enthusiastic. Both organizations understand that cybersecurity awareness training is important and have a shared vision that combines their unique expertise to reduce cyber risk for ORION constituents.

What is ORION Cybersecurity Awareness Training?

Nicole: I am super excited that we’ve launched this program! We’ve been working with constituents and the ORION team to develop a program that will deliver training and phishing simulations for staff and faculty in ways that can help our constituents continue to mature their cybersecurity capabilities.

Collaboration has been the key to developing this program, and it’ll continue to be what drives it—collaborating with constituents and collaborating with CIRA. To start, we’ve combined ORION’s community-focused approach to cybersecurity with CIRA’s software-as-a-service platform. This gives us a strong foundation to build from. The platform itself provides an easy way to engage staff and faculty, while the program will address very specific challenge areas where we can drive improvement together with ORION constituents. Jon and Mark, it’s great to be here with both of you today. Delilah and I have been working closely with you and your team for quite some time. It’s fair to say we are all excited to finally share this with our community. You’ve both been involved in bringing CIRA’s platform to organizations across Canada, including some existing ORION constituents, for a little over a year now.

Jon, as CIRA’s security product marketing lead, you’ve been hands-on with this platform and implementing it with CIRA members. What do you think ORION constituents will love about it the most?

Jon: Yeah! We’ve worked with several dozen groups now, and the number one thing we hear by far is how easy the platform is to set up and roll-out.

In my view, the tool should be the simplest part of an awareness program. Between a pre-built onboarding curriculum and automated monthly phishing tests, IT and cybersecurity teams don’t really have to configure much. They can focus on planning their program, communicating that with staff, receiving feedback and thinking about the next risk to tackle.

How about you? You’ve seen the platform – what did you like about it?

Nicole: Like you, my job is to think about how our constituents will experience and benefit from new products and services. One of the real stand-out features is the personal risk score and dashboard that every faculty and staff member receive. It can be hard to get people excited, or even interested, in mandatory internal training. The fact that this platform provides each user with a score that goes up or down based on their training gives them context and transparency about their progress, while making it a little bit more fun.

Jon: You’d be surprised how many users latch onto that score and start sharing it with colleagues. On the flip side, the IT teams managing the platform can also use that score to see which departments or groups of people have higher risk, making it easier to develop custom training or a focused intervention plan.

At CIRA we’ve been focusing on helping IT teams launch their own awareness programs through our platform. I understand ORION has an ambitious plan to bring additional value and support to your constituents through your program

Nicole: That’s a great question Jon, and it’s where things get cool and nerdy, in the best possible way!

We’ve been talking with our community about their top challenges when it comes to cybersecurity awareness training for staff and faculty. Nearly every time, the number one challenge is completion rates. Getting people to complete the required training. So, that’s our starting point for this program.

We’re starting with a pilot program. This will help us identify and address the barriers to participation that are impacting engagement. Ultimately, the intention is to increase completion rates for organizations and institutions on the ORION network. We want to develop best-practice tools and approaches that really meet the unique and evolving cybersecurity awareness needs of the community we serve. This kind of program just isn’t possible with current cybersecurity awareness training that is coming from private sector commercial vendors.

We see ourselves as a kind of bridge between our constituents and the solutions we offer. Because we have a strong, community-centred approach to product development, we’re in a unique position to tailor solutions to really meet the needs of the constituents. That’s why it’s great to be working with CIRA, from the outset you’ve been just as excited as we are about the potential to scale and grow this program together.

Why is ORION launching this program to its constituents?

Delilah: Like all ORION services, this program was driven by feedback from our community. At our 2019 Advisory Committee meetup, we heard the request for ORION to explore and eventually offer cybersecurity awareness training. Since that time, I’ve had many oneonone conversations with constituents that further confirmed the need and desire for this kind of program.

Once we understood the value the community placed on having a cybersecurity awareness training program, our next step was to validate that with data. In 2019, the Ontario Cybersecurity Higher Education Consortium members undertook a self-assessment that provided a strong snapshot of how essential cybersecurity awareness training is to an organization’s cybersecurity strategy.

It’s very clear from both a business and security perspective that ORION Cybersecurity Awareness Training will be a valuable and much needed addition to our cybersecurity services. As the pandemic continues, we are seeing that research, education and innovation organizations are increasingly becoming prime targets for cyberattacks. We’re also seeing that the majority of malicious breaches come through targeted and compromised users.

This program continues our commitment to strengthening cybersecurity for Ontario’s research and education community. Its focus on building and enhancing cybersecurity culture within the sector aligns particularly well with our community-driven model of knowledge sharing and collective advancement.

Mark, as the business leader for security products at CIRA, you are not only providing the technology that underpins our program but share our commitment to collaboration. What are your priorities as we roll-out this new program?

Mark: We’re just as excited about this program as you are. At the end of the day, our mandate at CIRA is to build a trusted Internet for all Canadians, and cybersecurity plays a big role in making everyone’s Internet experience safe and secure.

After delivering this platform for over a year now to several dozen organizations, we’ve learned that every industry and every province has their own unique training needs. There are so many specific laws, regulations, processes, vendors and cultures that make it impossible to build a one-size-fits-all training program that applies to every organization.

Delilah: We agree—our community-focused approach will enable ORION constituents to share what does and doesn’t work, supporting the common goal to drive down security incidents across our sector, to ultimately reduce risk and decrease costs related to the impact of cyberattacks. Both of which we are know are top of mind for constituents.

Mark: That sharing of knowledge is extremely important. Our platform is quite flexible, allowing administrators to tailor training to the needs of their organization, but you need to have that lived experience to know what unique phishing templates or training courses your sector needs. We think that’s a big gap in the awareness training world right now, and we’re confident that ORION’s program, built on top of our platform, will be an extremely effective way to close that gap.

Delilah: That’s so true. We are looking forward to growing and evolving this program together with our community and CIRA, driven by the data and best practices we will be collecting this year. Our community has been sharing their challenges with remote working and learning, the transition to online everything, and the increase in cyber threats. There could not be a better time to launch this program to support and protect Ontario’s research, education and innovation community.

How do I get started with ORION Cybersecurity Awareness Training?

To learn more about this program and to see a real-time demo of the platform, attend one of our upcoming webinars:

  • November 10, 2:00pm – 3:00pm EST
  • December 8, 10:00am – 11:00am EST

Sign up for webinar and other ORION Cybersecurity Awareness Training news here.

To find out more about ORION Cybersecurity Awareness Training contact nicole.hurtubise@orion.on.ca for a one-on-one meeting and in-person demo. 

Related Reading