“Security awareness training often interferes with the way companies typically do business and people get apprehensive about it. However, Arctic Wolf Managed Security Awareness content is short, relevant, timely, and drives engagement and participation. It keeps our employees engaged and knowledgeable—and keeps our companies compliant—without disrupting our business operations.”
— Jon Armstrong, Director of IT & Security, Fullsteam
Security awareness and compliance are always top of mind in the payment card industry. At least they should be. Unfortunately, too many companies still fail to uphold the benchmarks of the industry’s data security standard (PCI DSS), which states businesses must “implement a formal security awareness program to make all personnel aware of the importance of cardholder data security,” as well as educate personnel “upon hire and at least annually.” In fact, the percentage of fully compliant firms has sunk in recent years to 28 percent, according to Verizon’s 2020 Payment Security Report. Not only does this mean costly fines for many, but it puts them at greater risk of a data breach, which can lead to consequences that are far worse.
For Fullsteam™, a leading software and payments provider with more than 35 companies under its umbrella, security and compliance are an even greater ongoing concern because failure to comply could affect the viability of the FullsteamPay payments platform and its payment processing capabilities. It could suffer reputational damages and rising insurance rates, and hinder its ability to win over new merchants—in effect, many of the same costs incurred by businesses that suffer an actual breach. So, Fullsteam is hardwired in its attention to the cybersecurity landscape and its determination to always meet the payment industry’s regulatory obligations.
Security Awareness Needed to Be Fully Effective, Not Simply Check a Box
Even with the right mindset and strategic planning, however, Fullsteam faced significant challenges in delivering a security awareness program that could get its ever-growing number of employees from continuous acquisitions up to speed quickly. In the words of Jon Armstrong, Fullsteam’s Director of IT & Security, “Generally speaking, annual security awareness training is completely ineffective because it is never timely, and it is always the same because no one bothers to update it.”
What’s more, Fullsteam sought a centralized, highly automated solution that wouldn’t require its IT team to devote countless hours to developing and maintaining the program. Armstrong and his team need to focus on business initiatives that grow the success of the company and are busy enough without having to add security awareness training to their to-do list. It’s unrealistic and ultimately unproductive for them to have to curate and deliver content on a regular basis to ensure it’s up to date and keeps employees focused on cyber hygiene.
Ultimately, Armstrong sought to find a provider that would do more than help the company be PCI compliant organization-wide. He also wanted to ensure all employees understood that they were expected to be responsible individually and collectively for demonstrating and maintaining proper cybersecurity behavior based on best practices to continually raise Fullsteam’s IT security posture—and that Fullsteam would provide the solution for them to meet those expectations.
Discovering Arctic Wolf Managed Security Awareness
So, compliance, implementation, and effective behavioral outcomes were all key considerations when seeking the right solution. Fullsteam had used a “hodgepodge of training courses from different vendors,” but learned about Arctic Wolf® Managed Security Awareness® when working with a security compliance consulting firm.
Right away, Armstrong liked what he saw: “Security awareness training is often a burden because it interferes with the way companies typically do business. People get apprehensive about training programs, especially when they already have a lot of things on their plate,” he says. “However, training content that is short, relevant, and timely drives engagement and participation. Managed Security Awareness keeps our employees engaged and knowledgeable—and keeps our companies compliant—without disrupting our business operations.”
Besides its exceptional content, Managed Security Awareness is easier on Fullsteam’s nearly 600 employees using the program because they no longer are required to log into several disparate portals to get the information and coursework they need. Security awareness training is no longer an ineffective annual requirement, but is delivered in bi-weekly sessions.
Improved Employee Engagement Enables Fullsteam to Raise Its Security Posture
With multitenancy, ongoing managed content, and automatic phishing remediation, Managed Security Awareness now helps Fullsteam employees retain pertinent cybersecurity knowledge and maintain a focus on security precautions required for their roles. While they may not need to learn how to analyze correlated logs, all employees must develop good password hygiene and other practices to protect against increasingly prevalent and sophisticated social engineering tactics, like phishing, that make each individual a target. As Armstrong says, “No amount of email filters will keep everything out, so users need to recognize when potential threats appear.”
So far, the results have been impressive. Fullsteam employees aren’t just participating in the Managed Security Awareness program, they are engaging with the content and retaining the security knowledge they should always remember as they conduct their jobs. As its employee scores keep improving over time, Fullsteam has gained greater confidence in its overall cybersecurity and knows that its security posture is continually improving, making the organization safer by the day.
“Your security is only as good as your weakest link. After all, it only takes a single lapse in judgement to cause a massive security breach,” Armstrong says. “Data security is everyone’s concern, and is now codified into Fullsteam’s company policies.”