Project Study: Better Phishing Protection
More leverage from Security Education and Awareness (SEA)
- Over $50,000 was saved by deflecting a single executive level phishing attack
- Behavior change: employees increasingly forward suspicious email to Service Desk. Serious attacks can be identified and greater damage can be avoided
- Behavior change: employees curbed the risk-increasing behavior of forwarding suspicious email to each other
- Significant improvement in Information Security (InfoSec) Awareness created wide-spread employee buy-in for two other major InfoSec Programs
- “I highly recommend Linda for any organization change effort. We couldn’t have accomplished all that we did, in the short timeframe we had, without her.” – CISO
- CISO expanded the successes into a chartered program for Security Education and Awareness (SEA) with multi-year goals, additional funding and dedicated staff
- Technology-driven phishing simulations were about to begin with little positioning among members of the audience
- Original plan was to implement out-of-the-box education using a brand name phishing simulation product
- Consultant recognized this opportunity to cultivate broader buy-in for other InfoSec programs and get better phishing protection with a design focused on deeper behavior change
- Started Phishing education campaign with an audience of 1,000 top executives and their administrative assistants together with all IT employees
- After one year the program expanded to 8,000 employees which went from the C-suite to the shop floor
- Five specific behavior change goals were identified and consistently reinforced
- Technology deployment was adjusted for better use of Gartner best practices and better use of adult learning models
- Audience communications enhanced built-in education for those who clicked on the phishing simulation
- Phishing simulations and the education for employees who clicked was highly tailored to adapt the out-of-the-box baseline to the client
- Employee feedback drove additional education modules outside of the phishing simulations (e.g. an interactive lesson on how to read a URL to determine which might be suspicious)
- Worked closely with Service Desk leadership both to put a human voice on the education effort and to leverage the opportunity for training of the service desk agents
- This and other InfoSec initiatives cross-referenced each other so employees at all levels could see the bigger picture reinforced
- Identified and leveraged existing resources including IT Service Desk, departmental newsletters and all-employee town hall events
- Gradients of difficulty were identified and used to calibrate the level of the challenge
- Additional education was considered for “Chronic Clickers”
- Containing collateral damage, that is unintended impact on departments such as shipping or human resources due to the nature of some simulated phishing emails, was made part of the planning process
- “Training should never grow stale or formulaic. Employees can be an organization’s greatest vulnerability. A key challenge is to convert this vulnerability into an asset by training employees to become the first responders—who recognize incidents and protect the organization.”1
- “Technology solutions, including end-to-end encryption, cannot eliminate cyber risk. More than 90 percent of successful cyberattacks are launched via spear phishing campaigns. Accordingly, creating a cyber-aware culture and providing training for employees are critical elements of cyber resilience. Many, if not most, cyber breaches trace back to human error. Accordingly, organizations must focus on their people and processes for addressing cyber risk. Cyber resilience must reside in the organization’s DNA, so it becomes an organizational imperative to protect and enable digital interactions.” 1
- “Companies can adopt all the technical measures they can identify in an effort to block socially engineered attacks arriving via email. They also can reduce their threat surface by reducing the number of open ports and services on Internet-facing systems. But given the increasing sophistication of phishing scams, the reality is that technology supplies only part of the answer. People matter, perhaps even more than technology.
Stopping the threat at the front door requires companies to foster a culture of security consciousness. This does not happen overnight. Minimizing – or even eliminating – human error will require companies to develop an information-focused security communications plan and stick with it. That takes persistence, patience, and time.
And this isn’t a task for the IT department.
Only the active involvement of top management can change the corporate culture and turn the pursuit of cybersecurity culture into more than a slogan. It’s up to management to reinforce the message that cybersecurity is a business objective.
If they succeed, then every employee will feel that they have a vested interest in protecting sensitive information. If they fail, well, you’ll probably read about the company in the not-too-distant future.”2
- Cyber Resiliency in the Fourth Industrial Revolution. 2016. Hewlett Packard Enterprise, FireEye, Marsh & McLennan
- Where cybersecurity & workplace culture intersect. Charles Cooper. AT&T insights CSO online. 2016