The San Antonio Housing Authority (SAHA) won a 2018 Award of Excellence in Administrative Innovation for developing and implementing a staff cybersecurity training program to protect their sensitive data assets. Nominated from among the NAHRO Award of Merit winners each year, the Awards of Excellence winners are chosen by national juries and honored at the annual National Conference and Exhibition in October. They represent the very best in innovative programs in assisted housing and community development.
Internet access is a powerful tool that allows organizations and individuals to connect to and to learn from unlimited sources of information. As with any tool, people can use it to further their own gain at the expense of others. A curious click from an unsuspecting user can expose an entire organization to malicious hackers working to steal or ransom information for monetary gain. It is easy for a malicious program to infiltrate a bank account, personal and work email, private photos, and phone conversations. To protect SAHA staff members, computer systems and data, the organization’s Innovation Technology (IT) department built the Cyber Security Awareness program.
The program was created with the understanding that an organization’s first line of cybersecurity defense is a knowledgeable, vigilant staff. Since each internet connection is a potential target, the responsibility of protecting SAHA’s sensitive information cannot solely rest with the IT department. The Cyber Security Awareness program uses the concept “Security Top of Mind” to encourage the use of safe internet practices and shifts the responsibility of cybersecurity to all members of the user community to help IT protect and defend the SAHA computers, operations, and important data assets.
Using an instructional methodology that incorporated interactive responses and prizes, the IT department created eight cybersecurity training sessions for all SAHA staff, covering topics such as business and data security, user security, and Google security. After each session, they conducted a survey to ensure that their message was well received. IT listened to staff feedback and tweaked the trainings to better meet staff needs. Using survey results from the presentations, the IT department also launched two marketing campaigns, “Think Before You Click” and “Think Before You Print,” which helped staff learn how to avoid losing or leaving out sensitive information.
The training sessions and marketing campaigns were overwhelming successes and left staff with a better understanding of how to protect themselves and SAHA from cyber threats. However, the internet is constantly evolving, and hackers continue to find new and more convincing ways to trick users and steal their data. To keep up with the ever-changing digital landscape and the new threats it produces, the IT department began using user awareness training software to test users on malicious techniques such as social engineering, phishing, and smishing.
Using the software, the IT department created phishing tests that looked and acted like real phishing attempts. If the user clicked on the phishing link, they were redirected to a safe website that warned them about the scam. They were then enrolled in web-based training to help them identify scams and required to pass a quiz to receive a certificate of completion. This approach ensures that only at-risk staff members receive the additional training. The program is mandatory, and SAHA management receives reports on their staff’s cybersecurity safe practices. The software and training modules are kept up-to-date to ensure that the staff is aware of the newest internet scams.
SAHA’s user community embraced “Keeping Security Top of Mind.” Initially, 37 percent of SAHA staff fell for the simulated scams. In less than four months, and after five phishing campaigns, that number fell to six percent. More staff members are sending suspicious emails to the IT department instead of just clicking the links; many staff members have also said, “I got this email and knew this was a scam, so I deleted it.” To the IT department, that’s a win.