Cofense PhishMe for Large U.S. Health Plan Administrator

Background. The company is the largest third-party administrator of employee health plans and benefits in its four-state region. In business for more than 20 years, the company employs about 130 people and administers plans for nearly 75,000 members. Challenges. As an employee benefits administrator, the company handles its members’ most sensitive data – personal health information (PHI) and employment benefits. Any phishing attack that compromises members’ private data could seriously hurt the business. “In our world, phishing and educating our users about phishing is the No. 1 priority. That means we need to get people more involved and give them more tools to help them understand and recognize a phishing email,” says the company’s manager of IT and infrastructure. Solutions. When the company ran its first simulation, more than one-third of its users failed the test, he recalls. Of 127 users tested, 46 clicked the simulated phish. “So, we knew we had a problem that needed to be addressed immediately.” The IT department followed up the simulation by disseminating instructional materials biweekly to users. “In the next six weeks, we went through the education process of shooting out education emails and having discussions internally with departments and departments heads,” he says. When the second simulation was conducted, the number of users who clicked the simulated phish dropped to 21, less than half the original number. Since then, the company has run simulations monthly, picking a different scenario each time. “With each scenario that we push out, we drop a couple more people off that list. However, I’m still seeing an issue with repeat offenders,” he says. To address the issue, the IT department has been sending extra educational materials to the repeat offenders and then testing them with a rerun of the simulations they fail. The process is working, he says. The overall number of users clicking simulated phishes is down to less than 10%, and he is working to shrink that to 1%. “We just continue to see the needle go the other direction, which is very good,” he says. Another positive result, he says, is an increase in users notifying the IT department of phishing emails. “We are feeling more confident in our users as a line of defense for keeping our company secure and safe.” Results. The company found that implementing Cofense PhishMe SBE was straightforward. The company had already loaded the solution for a trial, and the IT staff knew what to expect when it came time for the permanent installation. The biggest change was to organize the Cofense PhishMe SBE dashboard by department to help identify which groups of employees have the highest susceptibility rates and, as a result, require additional education. Conclusion. Company management has fully embraced the anti-phishing program. “The execs were on board from the beginning,” he says. He keeps them up to date on simulation results, sharing with them monthly reports that break down susceptibility rates by group. “I sit down with the executives and walk through what trends we’re starting to see, both negative and positive.” Preparing the reports is easy, requiring only a few clicks to compile the necessary information and then formatting it as a PDF. Based on his experience with Cofense PhishMe SBE thus far, the IT manager says he would gladly recommend it to peers. The educational and behavioral-conditioning components are especially valuable. “It’s so user friendly and makes life easier. Having the education piece that Cofense provides is fantastic, and that would be my biggest talking point if I were recommending Cofense to another company.”