It is increasingly commonplace for organisations to undertake phishing simulations against their employees. There is a plethora of service providers as well as free resources to use for this purpose. With the increase in such activities, you would think security awareness would be at an all-time high. But is it? And are these methods effective?
Let’s get one thing clear – you do not need to pay money to discover that many employees cannot spot fake emails from legitimate ones. They can’t. Deal with it.
This is even before you consider well-crafted phishing emails. People still fall foul of the rudimentary phishing emails that most of us laugh at. You can tell they still work because criminals are still using them.
Where you might consider careful spend is in raising awareness. Often this is coupled with simulation, but with mixed results. Training is often too long, intrusive and centred on corporate security and policies, with which the user – or rather customer, as they are all customers of security – has little or no affinity.
Obviously, this will be combined with the annual mandated security awareness training employed by most organisations – training that sits alongside health and safety, diversity, anti-corruption and all the other topics, and does nothing but annoy the user.
Inmost cases, the user will just repeatedly click “next” and pass a test that a five-year-old could ace. It does literally nothing to raise security awareness.The only awareness it raises is a dislike for security.
So, there are two obvious considerations. First, email is not the only threat vector. If you are going to run simulations, you should do so across vectors, for example SMS, social media and voice, as well as good old email.
Second, if you are going to couple that with training, you should ensure the training modules are, at most, five minutes long and actually pertinent. Here, pertinent means that your intention is to alter behaviour. That will not come from trotting out generic corporate security rules or policies to an already jaded user.
You should focus on the skills available for the user to protect themselves and their families in their personal cyber space. They have a far greater affinity with this side of the subject and, guess what, these are the self-same skills you want them to build to protect the corporation.
If your training material does not render on mobile devices, please stop – it is a personal bugbear and so simple to remedy.
But let’s not stop there. This is just the simulation. What happens when an actual rogue email arrives? Let’s say you have an aware workforce, that has not been achieved to the detriment of day-to-day operations – in other words, people aren’t so scared to open any email that they do nothing all day.
So, a rogue email enters the organisation. Your hyper-aware user spots it. They could delete it, which many will do, or they could report it to the security team – which does pre-suppose that they have the vaguest idea who to report it to! In all likelihood, they will have to search an intranet-type resource to find out where on earth to send the offending email.
They report it and the security team comes back to ask if they could forward the email as an attachment to preserve mail headers and such like. I kid you not –this happens.
The security team then has to take the email details and either go to the mail platform, or contact the mail team, to undertake an investigation – for example, search for other recipients, check attachments or links – to ultimately determine whether the rogue email is malicious.
Of course, part of this is to understand which users have done what with the email– opened, clicked, downloaded, and so on. And if it is malicious, they have to undertake the sometimes laborious exercise of purging the email from all respective mailboxes, which may or may not involve more teams and consoles.
All of this is massively open to time lag and error. When speed is of the essence, we are at the mercy of processes and procedures, which may or may not be slick.
Some of this pain is taken away by the “one-click” report button that many solutions provide, although that still does nothing for the back-end investigatory processes.
Now back to the simulation for a moment. If you want to change human behaviour, this will not happen quickly, or universally. People take time to change and some will still click the link, or open the attachment, regardless. So you really need to ensure that your back-end security processes and team engagements are as slick as can be.
This does not paint the simplest of pictures, but that does not mean it is not a good thing. What, hopefully, it does serve to highlight is that simulations need to be multi-faceted. They need to factor in different threat vectors – not just email.
They also need to be operationalised. They need to work when an actual rogue email comes along. They need to be twinned with operational security processes, which include engagement with wider teams in IT, and may include suppliers. Training needs to be pertinent, and please, for the love of some higher being, mobile-friendly.
The desire should be that in raising awareness, we make it possible for one employee to protect the whole organisation. Swiftness and ease of reporting, coupled with seamless processes to investigate and remediate. Ideally, that would be measured in some way to show progress and also as a means of rewarding the vigilant user, whose actions helped to safeguard the organisation.
Too often, raising awareness through phishing simulation is a tick-box exercise that does little to actually raise awareness, unless it is done right – much like the pointless mandated security training that we force users to pay no attention to year after year, while patting ourselves on the back for a job well done.
With compromises on the rise, and phishing still being the prime entry point, you really need to look at the bigger picture than just phish your employees.