
CIRA Cybersecurity Awareness Training for Commissionaires

By the numbers

User since: September 2023
Internal users: ~600 and increasing
Engaged user rate: 86%
Simulation report rate: ~63% (very high)

Background

Established in 1925 to provide meaningful employment for ex-servicemen, Commissionaires has been a visible and integral presence in Canada’s security sector for generations. With 23,000 employees, they’re Canada’s largest private sector employer of veterans and the only national not-for-profit security company.

Recognizing the increasing importance of cybersecurity for Canadian businesses, particularly SMEs, Commissionaires expanded their offering in 2018 to provide cybersecurity services such as cyber gap analysis, threat intelligence, incident response and monitoring, penetration testing and more.

With a new focus on cybersecurity, Commissionaires took note of the growing sophistication and frequency of human engineering attacks and decided more had to be done to reinforce their human cybersecurity layer.

We sat down with Rolland Winters, the Director of Cybersecurity, and Michaël Bergeron, a Cybersecurity Specialist for Commissionaires, to learn how they did it.

Centralizing training efforts

Rolling out a comprehensive cybersecurity awareness training program can be challenging, especially at the scale that Commissionaires operates. Speaking to this, Rolland highlighted the challenges of implementing a national program, “Commissionaires is a very large organization—we’re 23,000 employees across the country. Sometimes getting a national program rolled out is difficult. One of the things we noticed was that a lot of the divisions were buying the tools and solutions, but few were taking the time and effort to make sure that the content was going out.”

Rather than continuing with numerous parallel training programs at varying maturity levels, the decision was taken to centralize training. This helps not only with security outcomes, but also ensures better management, support, reporting and engagement. Commissionaires then set out to find the right partner.

Choosing CIRA

Commissionaires had specific requirements for their program: it had to be proven and effective, have multi-tenant management capabilities, include high-quality content relevant to Canadians, and importantly there must be a strong alignment in values. They found their ideal match in CIRA!

Proven and effective: if Commissionaires were going to replace their program, it had to be with a solution that would be effective and make a real difference in improving their cybersecurity posture. CIRA Cybersecurity Awareness Training (CAT) has been proven to reduce clicking on phishing links and other risky behavior.

Multi-tenant: CAT’s multi-tenant feature allows Commissionaires to manage a cohesive program while accommodating different stakeholders with varying levels of involvement. More on this later.

Canadian relevance: having used other platforms in the past, Rolland understood the importance of content. Previously, Commissionaires was with KnowBe4, which couldn’t provide content specific to a Canadian context. He stated, “The platform is fine, content is good, but they’re talking about IRS scams and tons of subjects that are not relevant to Canadians. It’s the same thing with the phishing tests, they just weren’t adapted to a Canadian audience.” Commissionaires found that because CIRA’s training content is tailored to Canadians, it educated them on threats they’re likely to face and resonated more with their teams.

Non-profit alignment: the fact that CIRA is a not-for-profit organization resonated with Commissionaires’ values. Rolland noted, “It felt like a really good fit; we’re non-profit. We’re all about supporting Canadians and Canadian veterans, and it made a lot of sense for us to work with a company that had shared values.”

And so, after evaluating CIRA’s Cybersecurity Awareness Training against other market leaders, Commissionaires made their decision, and it was time to deploy.

Smooth deployment

The deployment of CAT was seamless from the very beginning. Michaël praised the onboarding process: “The support team is always available, and we had direct contact with CIRA’s Sr. Technical Solutions Specialist, Philip. The configuration went great, and the documentation covered both Google and Microsoft infrastructure, making it straightforward for us.”

The environment was also ideal for onboarding clients who needed extra assistance. Commissionaires could provide test accounts or demos, ensuring transparency and ease of access for all users.

Thanks to CIRA’s intuitive deployment process, as well as the helpful onboarding and customer service team, Commissionaires was able to deploy their complex environment without any issues.

Multi-tenant capabilities

As touched upon, the ability to serve multiple divisions with different needs was a central requirement. This was necessary due to a national cybersecurity audit of all 15 divisions, which assessed their cybersecurity posture. The audit revealed a gap in awareness training, which was either poorly implemented or inconsistent across the country. The multi-tenant feature of CIRA’s platform was crucial in addressing this issue.

CAT’s environment allows each division to manage its own training while still being part of a cohesive national program. Rolland explained how each division had different requirements, “Some of them want to go in and see their own results directly. Some just want to receive the report at the end of each month. So, being able to have that permission-based access and shared tenancy was key for us. Moreover, we’re probably unique in the sense that our divisions don’t just want the training, but also want to sell it. So regardless of the different needs of each division, we can meet each of them accordingly. The permission and the privileges for each user can be also very granular.”

This granular permission-based access ensures that the right individuals have the appropriate level of access, enhancing the overall effectiveness of the training program.

Enhanced user experience

Administration is a key part of a successful cybersecurity awareness training program; however, the real test is getting users to engage with the platform and complete their assigned training.

According to Commissionaires, the user experience with CIRA’s platform has been overwhelmingly positive. Employees appreciated the gamification aspect, which added a much-needed element of fun to the training. Rolland shared, “We get a lot of comments from employees about the gamification. We’ve started publishing monthly reports with leaderboards and calling out the top three in each division.”

This approach transformed cybersecurity awareness from a mundane task into an engaging activity. Employees who previously showed little interest in cybersecurity were now actively participating and even requesting more training modules to improve their scores.

The platform’s integration with Microsoft Teams and Outlook further streamlined the training process. Employees received notifications about their training status directly within their workflow, making it easy to stay on track.

“The portal is very nice and helpful. SSO creates a tightly integrated and seamless experience for the business. One thing that I don’t think we give enough credit to is the Teams integration. For our team, CAT appears as a tab on their Teams dashboard. If they get notified that they’re falling behind on training, they can easily go into Teams and complete it. It became part of their normal workflow, as did the Report a phish button, as it’s integrated right into Outlook. CIRA makes it easy for employees to engage not only in the content and program curation, but in a platform with tools that meet them where they are at which, for many, is Microsoft Teams and Outlook.”

Increased reporting and proactive measures

The effectiveness of CIRA’s platform and its integrated tools empowered users to take ownership of their cybersecurity journey, which resulted in improved outcomes. After launching the program, Commissionaires saw a sharp increase in reported emails, which provided valuable data for improving their defences.

Rolland noted, “We significantly underestimated the number of reported emails we’d receive and have to analyze. This kicked off a whole new initiative to reduce the amount of spam emails and triggered email filtering reviews. We’re working with divisions to improve their filtering and implementing CIRA DNS Firewall for added protection. It was a sobering wake-up.”

The data captured through email reporting revealed tangible examples of phishing campaigns; some unique to specific divisions and others affecting multiple divisions. This information allowed Commissionaires to educate their executives and staff on how to recognize and respond to these threats effectively. However, given the number of legitimate threats landing in users’ inboxes, a better solution to analyze them had to be put in place.

Analyst add-on

Initially, Commissionaires was hesitant about investing in the Analyst add-on due to the additional cost. Rolland admitted, “I kind of thought, yes, it’ll make our lives easier, but I didn’t fully appreciate just how useful it would be to analyze emails more efficiently. Without Analyst, I don’t know how we would handle the volume of emails we get. It turned out to be a good decision.”

This add-on not only improved the efficiency of managing the large amounts of reported emails but allowed Commissionaires to process and analyze emails more effectively, ensuring timely responses to potential threats and closing the feedback loop with their users.

Conclusion

On behalf of the federation, Rolland expressed immense satisfaction with the program, “It’s all been very positive feedback. We just had a meeting with our tech working group and they had nothing but great things to say about the program. I think everybody’s happy with it, and we already have ideas for next year and into the future. I couldn’t be a happier customer.”

The partnership between Commissionaires and CIRA Cybersecurity Awareness Training has proven to be a resounding success. By centralizing their training efforts, leveraging a multi-franchise platform and providing engaging and relevant content, Commissionaires has significantly enhanced their cybersecurity posture. The positive feedback from employees and the increased reporting of suspicious emails are testaments to the program’s effectiveness. As cyber threats continue to evolve, Commissionaires are well-equipped to stay ahead, thanks to their proactive approach and the robust support from CIRA. Not only are they using the training internally, but they’re also providing it as a service they sell to other businesses, helping to keep more Canadian organizations safe.
