Get the most out of your phishing awareness campaigns

Credit: Luo

If your organization is not preparing well enough for phishing attacks, you are risking a lot and you are probably going to be in the news for data breach sooner or later.

Many organizations invest heavily in tools and other technology gadgets with little attention paid to the weakest link in security — Employees. It’s the reason why 90% of data breaches seen by Verizon’s data breach investigation team have a phishing or social engineering component.

A phishing attack can be perpetrated by any motivated individuals with access to the internet and the bitter truth is: Phishing is not going away soon which leaves you with no options than to invest more in phishing protecting training for employees.

A pen tester once wrote an impressive report on how he gained access to 30 shell connections, 3 minutes after sending a convincing email to employees of an organization. This could be your organization but the good news is you can strengthen your weakest link through structured and effective phishing awareness training.

While you may already have some level of awareness programs like employee handbooks and a bunch of posters in every nook and cranny of your company screaming while employees shouldn’t do it; It’s equally important to note that running a phishing awareness campaigns goes beyond blabbing all the dos and don’ts to employees each time.

You have to take a conscious and deliberate effort to effectively help your employee build a security mindset.

Security mindset is not natural for most people and that is why an alarming percentage of employees would still fail a highly effective phishing scam months after they were trained.

How do you get the most out of your awareness training and instill a mindset immune to phishing scams in your employees?

Use different approaches to train your employees

Everyone learns differently. What works for Jack might not work for Bill. You need to employ several methods to get your message across and maximize the impact of your training. You can get more out of your training by:

  1. Leveraging on technology-based learning gives you an unlimited possibility and one of best ways to get more of employees’ involvement. A good example of this, is the one provided by WombatSecurity
  2. Make your training handouts short and concise with visually appealing graphics. Pictures speak louder than text and are easier to remember.
  3. Don’t only teach, mentor your employees. It erroneous to assume they know, sit down with each department in your organization and have one on one training with them.
  4. Leverage on social media if your company uses any corporate social platforms like Facebook @ work etc.

Phish your employees and be creative about it

“Phishing your own users is just as important as having antivirus and a firewall. It is a fun and an effective cybersecurity best practice to patch your last line of defense: USERS”
 ThinkMarble

Phishing your employees have numerous benefits. It does not only help your employees know areas they are weak but also provides you an insight into how vulnerable your organization is and who needs training the most.

Phishing simulation brings reality to your employees and unconsciously creates a mindset that scrutinizes emails before taking actions.

A few employees have walked up to me after failing a couple of simulations;
reiterating how they have now developed a habit of scrutinizing emails before taking actions.

You should also note that: it’s not enough to phish your employees, you have to be creative about it. Cybercriminals are becoming more sophisticated in their approach and phishing scams are becoming increasingly convincing than before.

For instance, it is needless to phish your employees by notifying them of FedEx delivery problem. Chances are a number of them are not expecting any delivery at that moment and a larger percentage would not even use their company emails for unofficial tasks in the first place.

You should think of things that are more common to your organization or the department you are trying to phish. For example, If your organization uses Dropbox for file hosting; you could design a phishing email template similar to authentic Dropbox email with a fake link to a file that employees are always eager to see such remuneration document, promotion list etc.

Reinforce positive behavior and retrain

You have successfully conducted a phishing simulation, and a number your employees clicked the link, submitted credentials and did the worst thing ever. Particularly, Bill in finance department submitted login credentials like 5 times and tried again the following morning hoping to see what is in the fake document.

The report shows it all, you have the list of employees who reported to the incident team, those that ignored and those that failed and here comes the big question of what to do next? It sums up to two things: reinforce positive behavior and retrain those that failed.

Good behavior is strengthened by positive feedback or consequence. When you have a reward system in place for those that spotted all phishing pointers and reported to the incident team, you encourage them and they will report likewise in future when faced with a real scam.

Of course not all your employees will pass the simulation, there will always be people like Bill. One of your goals is to identify these people from the simulation. Go after them and retrain until you build a rock solid employees immune to phishing scams.