Creating an Industry-Recognized Cybersecurity Awareness Culture at HHS


THE NEED

Large, federated government agencies like the Department of Health and Human Services (HHS) face the challenge of creating an enterprise-wide culture of consistent cybersecurity best practices.  In addition to ensuring that 100 percent of the Department’s employees (80,000) and contractors (40,000) receive annual Information Security awareness training and role-based training in compliance with Office of Management and Budget (OMB) A-130, the Federal Information Security Management Act (FISMA), and the National Institute of Standards and Technology (NIST) guidelines, they need recurring programs to empower their workforce to take an active role in cybersecurity, to educate the whole workforce, and to reinforce and promote cybersecurity policies.

OUR SOLUTION

HHS partnered with eGlobalTech (eGT) to build an industry-recognized cybersecurity training, awareness and education program.  Our approach to cybersecurity education recognizes that we must change the organization’s cybersecurity culture (employees’ thoughts, beliefs and behaviors) to change security outcomes.  The solution we designed educates the broad, non-technical workforce to increase the use of cyber-hygiene best practices by all users, thereby reducing insider threats. The program weaves together multi-faceted, recurring communications to reinforce annual security and privacy training requirements.

Recognizing that humans are the weakest link in organizational security, eGT’s integrated cybersecurity training, awareness and education program focuses on the “people” part of change management to complement ongoing cybersecurity “processes” and “technologies” deployed throughout HHS.  Since many people find cybersecurity to be an intimidating topic that is too broad in scope and practice to approach, much less master, eGT’s program recognizes this common attitude and presents cybersecurity best practices as personal, practical, and plausible.

The Department-wide initiative called CyberCARE (Cybersecurity Communications, Awareness, Response, and Education) increases employees’ awareness and understanding of critical cybersecurity best practices through website articles, posters and bi-weekly email knowledge checks that prompt staff to read, test their knowledge and attend monthly training.  The monthly Healthy Technology lunch n’ learn trainings, which are delivered both in person and virtually, align with the monthly CyberCARE cybersecurity theme to drill down and teach attendees how to implement cybersecurity best practices.  All content is designed to bridge age, cultural, and attitude gaps, making an intimidating topic seem more approachable and understandable.  Our programs convey the knowledge and skills necessary to safeguard technology, reduce incidents, and use technology safely, both at work and at home.  We customize our training content, when necessary, to address specific vulnerabilities within individual Operating Divisions.  As employees are empowered to proactively address and respond to cybercrime, the number of cybersecurity and data privacy incidents decreases.

THE RESULTS

Our program has grown exponentially since its inception in 2016.  Industry has recognized our success with the 2016 Federal Information Systems Security Educators’ Association Best Cybersecurity Website, and the 2018 Bronze Cybersecurity Excellence Award for Best Security Education Program.

The CyberCARE website is consistently the top website visited by HHS employees.  In a single year, eGT has trained close to 5,000 employees across the 12 Operating Divisions of HHS. eGT’s training, awareness and education program reinforces HHS’ ethical phishing program, and together, these efforts have resulted in a significant decrease in employees’ phishing susceptibility – from 14.3 percent in Fiscal Year (FY) 2017 to 6.1 percent cumulative results for the first two quarters in FY 2018.  These numbers quantify the amazing results of eGT’s security education program and its ability to truly empower people to be cybersecurity guardians.

eGT is proud of its partnership with HHS as a model for working together strategically to implement a major change management initiative to create a strong cybersecurity awareness culture within a large and diverse government agency.

Contact us at info@eGlobalTech.com if you would like to learn more about this project.

 

Copyright 2018 | eGlobalTech | All rights reserved.