“Phishing is the number one way attackers attempt to obtain sensitive information or cause digital harm to companies and their customers,” said Ron Barthel, TIAA’s Senior Director of Cybersecurity Training & Awareness. “Our objective with TIAA’s Enterprise Phishing Awareness Program is to creatively train our associates to recognize and report potential phishing emails and to create an enterprise-wide culture of security accountability. We all play a role in protecting customer data.”
Understanding the critical importance of successfully preventing a phishing attack, and the unique challenges of addressing the human element of risk, TIAA’s Cybersecurity organization initiated a project to uplift its phishing awareness program. The aim of the program was to effectively strengthen associate awareness of the very real risks of phishing and to ensure associates understand they can be targeted and need to report anything suspicious.
The project focused on three key areas: uplifting metrics and reporting, creating an associate accountability model, and leveraging data analytics to identify and engage the most susceptible associate groups with real-world exercises and focused education.
On the metrics and reporting front, the project elevated 'phishing susceptibility' to a metric within TIAA's corporate risk appetite statement. This step increased phishing risk visibility at executive risk committees and to TIAA's Board, and it yielded the executive sponsorship needed to drive an associate accountability model and to fund new educational content.
The accountability model uses monthly phishing simulation results and data-analytics-based risk scoring to target training where it is needed. It focuses job-related education on the more susceptible groups and on individuals who repeatedly fall for simulations. As an example, data analytics showed that new hires tend to be more susceptible, so new interactive, hands-on training was developed specifically to train new hires and to track their susceptibility. The model also introduced a rewards structure for associates who correctly report phishing simulations.
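The following is an added illustration of the loop that paragraph describes (monthly simulation results in, cohort and individual risk out, reporters rewarded); it is not TIAA's tooling, and the release does not give TIAA's actual scoring method. The cohort names, the three-way outcome per simulation (clicked, reported, ignored) and the weighting of those outcomes are assumptions made for the example, and the result set is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class SimResult:
    """Outcome of one simulated phish delivered to one associate."""
    associate: str
    cohort: str      # assumed grouping, e.g. "new_hire", "finance", "engineering"
    month: str       # campaign month, "YYYY-MM"
    clicked: bool    # followed the lure (link, attachment or credential form)
    reported: bool   # used the report-phish button


# Constructed sample data for three monthly campaigns; not real results.
RESULTS: List[SimResult] = [
    SimResult("alice", "new_hire",    "2022-01", True,  False),
    SimResult("alice", "new_hire",    "2022-02", True,  False),
    SimResult("alice", "new_hire",    "2022-03", False, True),
    SimResult("bob",   "new_hire",    "2022-01", True,  False),
    SimResult("bob",   "new_hire",    "2022-02", False, False),
    SimResult("bob",   "new_hire",    "2022-03", False, False),
    SimResult("carol", "finance",     "2022-01", False, True),
    SimResult("carol", "finance",     "2022-02", False, True),
    SimResult("carol", "finance",     "2022-03", False, True),
    SimResult("dave",  "finance",     "2022-01", False, False),
    SimResult("dave",  "finance",     "2022-02", True,  True),   # clicked, then reported
    SimResult("dave",  "finance",     "2022-03", False, True),
    SimResult("erin",  "engineering", "2022-01", False, True),
    SimResult("erin",  "engineering", "2022-02", False, False),
    SimResult("erin",  "engineering", "2022-03", False, True),
    SimResult("frank", "engineering", "2022-01", False, False),
    SimResult("frank", "engineering", "2022-02", False, False),
    SimResult("frank", "engineering", "2022-03", False, False),
]


def click_rate_by_cohort(results: Iterable[SimResult]) -> Dict[str, float]:
    """Clicks divided by simulations delivered, per cohort."""
    delivered: Dict[str, int] = defaultdict(int)
    clicks: Dict[str, int] = defaultdict(int)
    for r in results:
        delivered[r.cohort] += 1
        clicks[r.cohort] += int(r.clicked)
    return {c: clicks[c] / delivered[c] for c in delivered}


def cohorts_above_baseline(results: List[SimResult]) -> Set[str]:
    """Cohorts whose click rate exceeds the enterprise-wide rate: candidates for focused education."""
    overall = sum(r.clicked for r in results) / len(results)
    return {c for c, rate in click_rate_by_cohort(results).items() if rate > overall}


def repeat_clickers(results: Iterable[SimResult], threshold: int = 2) -> Set[str]:
    """Associates who clicked in at least `threshold` distinct campaign months."""
    months: Dict[str, Set[str]] = defaultdict(set)
    for r in results:
        if r.clicked:
            months[r.associate].add(r.month)
    return {a for a, m in months.items() if len(m) >= threshold}


def risk_scores(results: Iterable[SimResult]) -> Dict[str, float]:
    """Per-associate susceptibility in [0, 1].

    Assumed weighting (an assumption of this example, not a published scheme):
    a click costs 3, ignoring the lure costs 1, a clean report costs 0,
    normalised by the maximum possible cost for that associate.
    """
    cost: Dict[str, int] = defaultdict(int)
    delivered: Dict[str, int] = defaultdict(int)
    for r in results:
        delivered[r.associate] += 1
        if r.clicked:
            cost[r.associate] += 3          # clicking dominates even if reported afterwards
        elif not r.reported:
            cost[r.associate] += 1          # ignored: neither harm nor signal
    return {a: round(cost[a] / (3 * delivered[a]), 3) for a in delivered}


def reward_points(results: Iterable[SimResult]) -> Dict[str, int]:
    """One point per simulation reported without clicking (the rewarded behaviour)."""
    pts: Dict[str, int] = defaultdict(int)
    for r in results:
        pts[r.associate] += int(r.reported and not r.clicked)
    return dict(pts)


if __name__ == "__main__":
    print("click rate by cohort:", click_rate_by_cohort(RESULTS))
    print("cohorts to target:   ", cohorts_above_baseline(RESULTS))
    print("repeat clickers:     ", repeat_clickers(RESULTS))
    print("risk scores:         ", risk_scores(RESULTS))
    print("reward points:       ", reward_points(RESULTS))
```

Run against the constructed data, the new-hire cohort comes out above the baseline click rate, alice is the only repeat clicker, and carol earns the most reward points; a real program would feed the cohort and repeat-clicker sets into its training assignments and the reward tally into its recognition process, and would recompute all of them each month.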
“As a result of these efforts, our overall susceptibility has been reduced, we can quickly identify and educate higher risk groups, we have the visibility needed to drive change, and we are rewarding associates for the right behavior and for owning their accountability,” said Barthel. “We appreciate this industry recognition from CSO and are proud to play such an important role in helping to protect TIAA’s customer data.”
About CSO & CSO50 Awards
CSO is an industry organization that serves enterprise security decision-makers and users with the critical information they need to stay ahead of evolving threats and defend against criminal cyberattacks. The annual CSO50 Awards recognize 50 organizations for security projects or initiatives that demonstrate outstanding business value and thought leadership in the industry. The CSO50 Award is a recognized mark of risk and security excellence.
TIAA is a leading provider of secure retirements and outcome-focused investment solutions to millions of people and thousands of institutions. It is the #1 not-for-profit retirement market provider, paid more than $6.4 billion in lifetime income to retired clients in 2021 and has nearly $1.3 trillion in assets under management (as of 3/31/2022).