Last month, we blogged about how security awareness training can help to improve an organisation’s defences. Since then, there’s been more evidence showing just how lucrative phishing can be for attackers – and why it’s important to teach users to watch for it.
In one recent simulation test, the security company Positive Technologies sent more than 3,300 phishing emails. It found that 17 per cent of workers fell for the fake message which contained malicious links. If it had been real, this would have let criminals take over the victim’s computer and access their company’s systems. Separately, the security company Ironscales has warned that phishing attacks are evolving into more intelligent and targeted threats.
Security awareness training can help to minimise the business risk from phishing. David Prendergast has an extensive background in security awareness and organisational change across financial services, technology and a variety of industries. “I’ve always tried to be the bridge between IT and business. I try and translate ‘tech speak’ for users from receptionist to the board level and say ‘here’s what this means to you’,” he explains.
David has just joined the BH Consulting team as a senior consultant and he shared his thoughts on making awareness initiatives effective. (And because we’re in the age of internet-eroded attention spans, we’ve helpfully gathered them into 10 steps. Here are the first five; part two will feature the second five steps.)
“The first thing I did was seek support from senior management, because it means the programme can go company-wide. I even carried out a simulated phishing attack against board members,” says David. “It also gives you the freedom to carry out the programme at the right time, and I had no interference on the content of the phishing mail I developed.” Speaking of which…
Find a couple of friendly users and try different versions of content. An email appearing to come from HR around review time is always a tempting lure. As a rule, the shorter the message, the greater the likelihood that it will fool people. Longer messages have more room for mistakes that savvy users will spot. “You have to do a lot of testing to make sure the phishing email won’t get caught out by the organisation’s anti-phishing tools,” adds David.
Like the Spanish Inquisition (or the Monty Python version anyway), the element of surprise is essential. Once you have permission, don’t run the test when people expect it, because that could spoil the element of surprise. “Don’t pre-agree a set date and time, because you may want to include the same managers who gave you authority in the test,” David says.
Security awareness is like parenting. If a child inadvertently does something wrong, and tells the parent who then reprimands them, then guess what? They’re far less likely to confess the next time. “It’s the same with awareness training. If a user has clicked on an email they shouldn’t have, they’ll never report it if they think they’ll get into trouble,” David says. “I wanted people to report suspicious emails to the security team, or to the service desk. Getting it wrong in a test is not a bad thing, if it means you learn from it. Remember the goal is to improve defences, not to punish mistakes. Even the most experienced among us can get it wrong sometimes too.” Which leads to the next point…
This exercise is not about putting people in proverbial stocks so everyone else can chuck rotten vegetables at them. Surprisingly, most people don’t take public humiliation well. “I can’t stress this enough: don’t focus on the people who clicked. Don’t name and shame, even if management ask you to,” says David. Do you really think you’ll change their behaviour for the better by treating them that way? Instead, focus on the positive behaviour you want to improve.