Why utilities are switching to Curricula’s fun security awareness approach
Central Electric Power Cooperative (CEPC) is an electric generation and transmission cooperative that delivers power to eight distribution cooperatives across Missouri. Critical infrastructure electric utilities like CEPC have strict compliance standards under NERC CIP, which carries some of the most expensive regulatory penalties in any industry: up to $1 million per violation, per day.
As CEPC prepared to level up its cyber security awareness training program, the team made it a top priority to go above and beyond NERC CIP compliance. NERC CIP requires utilities to refresh their security awareness content on a quarterly basis to remain compliant. CEPC was looking for a way to drive better engagement from its employees and create better security outcomes.
Like many organizations, CEPC was stuck in a contract with KnowBe4 and decided to pursue switching to Curricula, knowing it was time to do something different.
In this case study, we hear from Cyber Security Analyst Andrew Broyhill about:
- Why and how CEPC switched to Curricula
- How Curricula has changed the way employees view security awareness training
- What they’re doing to meet NERC CIP compliance standards while also having fun
We want employees to learn by bringing a positive culture to this, and people love that. I don't think we could've done that without Curricula.
Why organizations are switching to Curricula for their security awareness training
Switching from one security awareness training vendor to another may seem difficult at the outset. Curricula’s team made the process as painless as possible without pressuring us into launching before we were ready. They were truly a partner, as their team understood each step required to get the program configured for CEPC’s systems.
In Andrew’s case, “We had a lot of issues with our previous vendor at the time and needed effective training that employees actually enjoyed.” Andrew realized the window of opportunity for switching to Curricula was now open, and he was able to demonstrate to his team the difference that Curricula’s content would bring to the entire CEPC team.
Andrew shared three main reasons why he chose to switch to Curricula for security awareness training.
- Navigation and reporting: From an admin point of view “my biggest gripe with our former vendor was that you couldn’t get to anything easily.” Andrew continued, “Whereas with Curricula, everything is easily laid out and administration is simple — which is fantastic.” On the reporting side, maintaining compliance is a requirement for anyone in the NERC CIP industry. “With Curricula, you can create your own custom reports and easily download anything you could need for an audit in a few clicks.”
- Memorability and stickiness of training: Despite the volume of our previous vendor’s training content, Andrew pointed out that “the quality of the training lacked memorability and focus.” The purpose of a security awareness training program is to effectively educate employees; therefore, the quality of that education should be prioritized. “Curricula’s lessons stick, which ensures our employees are positively engaged in cybersecurity. That was reason enough to switch.”
- Customer service: “Another issue I had with our former vendor was continually being blown off when requesting support. Even when they did get around to me, my tickets were closed before asking me if the solution worked.” Curricula’s dedicated support team cares about every organization and individual they interact with. “To most vendors, you’re just an account number, but to Curricula they truly care about getting to know the customers they serve. There’s not another company I know that treats their customers like their friends.”
However, switching to Curricula wasn’t easy, as Andrew needed to get buy-in from management and employees. “From when I found out about Curricula it took me over two years to get away from our previous vendor,” he explained. “There was a lot of pushback because management didn’t believe that security awareness training could be fun and still effective. I was ready to prove this theory firsthand.”
Getting buy-in from executive management
In 2019, Andrew was hired as a Compliance Coordinator because CEPC was coming under NERC CIP regulations. When he joined, the organization already had a security awareness contract in place, but he wanted the entire organization to do something better. Andrew’s manager, Justin Luebbert, showed him Curricula and he “instantly fell in love with it.”
The hardest part of Andrew and CEPC’s journey with Curricula was gaining the buy-in needed to switch from KnowBe4 to Curricula. This is one of the most time-consuming and frustrating parts of switching security awareness platforms for an IT leader who wants to do something better for their organization. Andrew’s job was now to convince everyone else why they needed a change. “When our contract with KnowBe4 was coming to an end, it was my opportunity to switch to Curricula.”
“After years of both my boss and I pushing for Curricula, I had formed a relationship with our CEO and was able to speak from a personal level on Curricula’s benefits. It was clear that our employees weren’t being educated well enough and it showed. I shared my concerns that the lack of employee motivation could lead to a major security incident very soon.”
It wasn’t until May 2021 that Andrew was finally able to get buy-in from management to trade in their previous vendor for Curricula.
Changing our security culture
“It’s CEPC’s employees who benefited the most from our transition to Curricula. Our previous security awareness program wasn’t hated by the employees, but, almost as bad, it was ignored by them all. Because of the lack of emotional investment, they were indifferent to anything they learned and didn’t care about the program.”
After switching to Curricula, “Our security culture exploded in a positive way that I’d never seen before,” Andrew said. “It’s a lot of fun, and as the admin, I had employees coming up to me for the first time to talk about security. I could see the shift happen, where employees felt more comfortable talking about security.”
Making phishing training fun
Part of CEPC’s security awareness program is running phishing campaigns. “Phishing tests typically build a toxic relationship between IT and everyone else,” but by shifting the narrative to a gamified approach using Curricula, with DeeDee as the character behind the simulations, Andrew started seeing positive results. “Now that we have this centralized character behind our phishing simulations, everyone’s on the same team to not let DeeDee win.”
The IT department is no longer seen as the villain just because of phishing tests. DeeDee helped drive home the concept that the only people your employees should fear are real-world hackers, not your IT team.
The purpose of using DeeDee throughout the training and phishing tests is to give employees a relatable theme that helps them recognize and change their security behaviors.
“Employees of all demographics have got behind the training and are all engaged in the culture shift,” Andrew says of CEPC. With this culture change, training is no longer remedial, communication is stronger and everyone is on the same page with how to protect themselves and the organization.
Seeing results in security training
Within just a few months of starting training and phishing simulations with Curricula, phishing click rates declined and reporting increased.
Andrew explained how, within six months of launching the new program, CEPC’s phishing simulation click rate dropped from 32% to 3% among 600+ employees. While a quick initial decline in click rates is expected, Andrew’s goal was to maintain this low percentage across future phishing simulation campaigns.
In addition, Andrew saw a dramatic increase in the number of phishing emails reported. While the quantitative results are good indicators, Andrew recognized that the most important metric is how employees feel and talk about security. A security culture is really about what employees do outside of their training platform.
Andrew closed by saying, “For me, I couldn’t be happier with Curricula. I’m so glad we became a customer.”
If you feel passionate about doing something better for your security awareness program, this is your sign to do something about it. Getting management buy-in is never easy for any new project. But as Andrew’s story shows, staying with a program that employees ignore leaves the entire organization’s security program in a far riskier position than making the switch to Curricula.
Once the executives started to see how much of an impact a positive security awareness program had, they never looked back.