Action for Children

When Andrew joined Action for Children, he was the organization’s first full-time security hire and brought significant experience going into greenfield sites to build security teams and a sustainable security culture.

“A lot of my role at Action for Children is culture change around security, learning and data protection,” Andrew says. “The organization had very basic security training, but it was very tedious and static.”

Andrew had deployed and managed the KnowBe4 platform in a previous role and felt there was a strong opportunity for the platform at Action for Children. After getting his feet wet and understanding more about what the nonprofit had in place and where there were gaps, Andrew made a request for purchase after only two months on the job.

“I was still in my probationary period when I recommended we bring on KnowBe4,” Andrew says.

Staking his reputation on KnowBe4 came naturally for Andrew.

“I knew it would work. I had built the platform from scratch once before and was confident I could do it again,” Andrew says.

KnowBe4 was a significant investment for a nonprofit organization that is focused on ensuring any spend is worthwhile and ultimately ties back to the well-being of the children it works with.

“There was a risk because I was new and asking for a lot, but because KnowBe4 is as simple to use as it is powerful, we had a very smooth deployment and transition,” Andrew says.

Andrew and his team deployed KnowBe4 via Active Directory and have integrated it with the organization’s Microsoft office platform, as well as its virus scan software.

“Integration across the board has been simple and effective, which means giving time back to me and my team,” Andrew says.

Reducing Phishing Susceptibility

Andrew designed an end-to-end deployment of the KnowBe4 platform at Action for Children.

“I’m quite keen to make an all-encompassing program where we own and manage security and data protection training, while being able to report on our progress,” Andrew says.

“KnowBe4 gave me the vessel to get trainings into everyone’s inboxes and then out to the wider business.”

In addition to deploying KnowBe4’s security awareness training, Action for Children also implemented PhishER, a lightweight incident response and orchestration platform, that helped Andrew’s team prioritize and analyze emails and determine which are legitimate threats and which are not.

Once KnowBe4 was in place, Andrew rolled out security awareness training that was delivered over a three-month period to more than 4,000 employees. Users were also trained to use the KnowBe4 Phish Alert Button, a handy email add-in tool that lets users forward suspicious email messages directly from their inbox to PhishER where they are analyzed.

Before training employees, Action for Children had about a 10% Phish-prone™ Percentage (PPP), meaning approximately 400 users clicked on a test phishing email. After training, the PPP continued to decline and today the organization has reduced their PPP to 1.3%.

Andrew has set up Action for Children’s KnowBe4 platform to train new employees when they onboard. Existing employees are trained incrementally, as well, with specialized training courses designed for various groups, such as PCI-DSS training for the finance team. The organization runs simulated phishing tests every two weeks to check employee knowledge and determine where additional training would be helpful.

Increasing Personal Responsibility

As part of the mandatory annual training, all employees complete a Security Culture Survey, which is shared with the HR team. The survey, designed by KnowBe4 Research, covers attitudes, behavior, cognition, communication, compliance, norms and responsibilities.

“Building a culture of security is very important to me and has become a priority to Action for Children, too. KnowBe4 is helping us build that culture,” Andrew says.

“The survey has shown us that people initially don’t think that security is part of their personal responsibility at work. It takes a while, but together with KnowBe4, we helped our team understand that everyone can be a target, therefore security is everyone’s responsibility.”

Especially within a busy nonprofit that works directly with children’s data, it can be challenging for employees working in the field as caregivers to log in and take additional security training. But, because Andrew has built a culture of security, he’s been able to reinforce that training is equivalent to protecting the kids they work with.

“KnowBe4 makes building security in our organization engaging and quick. Our team knows that protecting our data is about protecting the children,” he says. All-in-all, Andrew has built a full-circle security program with KnowBe4. “KnowBe4 is much more than a training platform. It’s a security tool, a learning platform and a reporting engine,” Andrew says. “It helps me do my job quicker, better and with fewer resources. I’ll always recommend KnowBe4.”

Download the PDF