In today’s corporate world, security awareness training should be a common puzzle piece in general user onboarding and on-going staff education. With that training, regular testing should also be part of that puzzle. There are many variations in the types of programs offered at companies, so that means not all phishing programs are created equal.
Phishing should be a staple component in any security awareness program, since phishing attacks account for some of the most notable breaches reported, think about Target, the DNC, Anthem, you get the point. According to one report, 76% of organizations say they experienced phishing attacks in 2017. So, if you already have phishing training in your security program, how are you testing your employees to see if that training is actually working?
Testing Takes Time and Resources
If you have an in-house phishing program, we hope you have a dedicated resource running it. It can, and should, be a full-time job to get accurate data from your tests which should then be applied to your training. There are lots of solutions out in the market to run your own phishing program, I will leave that search up to the reader. It should be noted that just because it can be cheap and maybe even easy to set up an in-house phishing platform, running it effectively is a whole different story.
Just sending phishing emails out to users and counting click rates is a small percentage of the data you could be gathering which would give you a much clearer idea of your actual vulnerability. Also, sending the same phish to all your users may give you a false sense of security. The same lure that affects accounting may not affect HR or the warehouse. All of these aspects have to be considered to gain an accurate picture of the specific attack surface for your company.
Sophistication and Themes
At SECOM, we run a number of our clients’ phishing programs and provide data to help them better adapt their security training to current threats. The concept of varying sophistication levels comes from the book Phishing Dark Waters, which talks about the difference between the classic 419 scams, the ever-increasing BEC scams, and very specific spear-phishing attacks. The sophistication levels are completely different, but also the target audience should be different. That is a very important point of emphasis.
It is unlikely the warehouse employees will fall for a message from the CEO asking them to wire money to a new client, but accounting might. Likewise, the marketing department may not fall for a DocuSign email but legal might.
Much like you need to tailor your training to the audience as mentioned in a previous SECOM blog, the testing should be as well. When attackers target your organization, they may start out with a wide net and go after everyone, but most likely they will target specific departments, or even specific users, with custom attacks geared toward convincing that user or group of users to take a very natural and even common action.
This is where varying your sophistication level of your phishing emails really comes into play. You can get a baseline of your entire userbase with a very simple theme and execution to see how many fall for the lure, then you can increase the difficulty on users who are more security-aware until all your users are acting according to your (hopefully) published and clear policies on what to do when they encounter fraudulent emails (hint: reporting). It should also be clear to the users that, even if they fall for a phishing email, reporting it is required, expected, and will not result in negative ramifications for the user. If they feel safe reporting incidents to security staff your reporting numbers will increase which will result in faster remediation and awareness of ongoing attacks.
So, understand that not all phishing programs are created equal but know that with the right amount of effort and attention any phishing program can deliver a return on investment very quickly and secure your company and its data.
If you’d like more information on how to secure your organization with Social-Engineer’s patented Phishing-as-a-Service (PHaaS) program, Call 800-956-6065 or email: [email protected].