Staff Phishing Testing: Raising Awareness vs a Failing Concept

Ben Oster, Senior Product Manager, WatchGuard Technologies
Ben Oster, Senior Product Manager, WatchGuard Technologies

Raising Awareness

With new studies emerging on what seems to be a weekly basis discussing the pervasiveness and growing effectiveness of new phishing campaigns, it is beginning to feel like an uphill battle that cannot be won. Looking out on the security landscape, we see many awareness tools that can help to drive users to better understand the anatomy of a phish. We also see any number of tools designed to solve the problem, so your users do not have to think about it themselves.

In one recent study from Proofpoint, it was shown that nearly 66% of users now understand the basics of phishing and how these attacks can impact them personally as well as their businesses. Yet, phishing still ranks as the number one vector of attack for credential theft, and makes up nearly half of the root cause of malware and ransomware infections. How is it possible, if we have tools to educate and tools to prevent, we still haven’t been able to stop the dangers that phishing presents every day?

To me the answer is simple: we’re not using either of these tools properly. If it is true that users are educated but still falling victim to these attacks, and that tools to protect against these attacks are not always providing adequate protection, I believe that these tools need to be implemented in a more holistic way. We often discuss things that aren’t working as ‘the right hand not knowing what the left hand is doing,’ and we have such an example here.

Using a security awareness program to ensure that your users can recognize a phishing attack and are up-to-date on the latest attack vectors is essential to protecting data. Users are the single most important piece of a cybersecurity posture and must be educated. It may feel pejorative, but the example of yelling at the dog who ate your shoes when they didn’t have any toys and didn’t know the difference is a fitting one. Training, just like with a misbehaving pet, must start early and continue throughout their lifetime, or in our case, tenure. We are no different as people. Awareness of phishing has increased, but the knowledge level of changing threats must continue to evolve and that requires ongoing training.

Further to that, a true security awareness program is not going to be retained the way we want it to until we provide teachable moments. If you think of these not as an educational program, but as a learning opportunity based on an experience or attack that just occurred, we can provide a way to learn at a deeper level. Just like the analogy of the dog, when they pick up the slipper, say no and provide them with an alternative. We must provide these same experiences to our end users, and that’s where staff phishing testing can come into play. Combining an awareness program with a security tool that can do both is a powerful and, more importantly, empowering thing to our users and to us as infosec professionals. Don’t pretend you have never clicked on something you shouldn’t have!

So, how do we create these teachable moments? How do we stack the absolute necessity of education, with the equally important component of protection? In my opinion, the answer is that you stack the tools. When there is a detection of a phish or malicious attempt, layer in your awareness training. Show your users the toy. There is a lot of power in the ability to catch a mistake in motion and evidence that shows that when this education is provided in real time, the learning sticks in a more powerful way than when you teach the same content out of context. Take the opportunity of clicking on a phishing link to help that user learn from the experience without compromising your systems or having the user quickly and embarrassingly close the window without learning anything.

Making your phishing awareness program context-aware is paramount to the ultimate success and empowerment of our users. These are the people that come to work every day trying to make your business succeed. These are the people who are invested in that success. If we can give them even more power to protect the things that they are trying to build, they are more likely to learn from an experience and become a champion for the security of the business. Security awareness is critical to these people and these people are critical to you. Help them learn the best way they can, and they will help your business grow safely.

Ed Tucker, Co-Founder, Human Firewall
Ed Tucker, Co-Founder, Human Firewall

A Failing Concept

It is relatively common to hear of organizations using phishing simulations as a means to raising the security awareness of their employees. Commonly, a series of email tests to measure the rate at which users click or initiate the path to compromise. A standard measure here is the reduction in users who click links and attachments in simulated emails to demonstrate an improvement in awareness. As you would expect, the first simulation campaign receives a staggeringly high number of clicks that gradually reduces as tests become more frequent – but does this actually work?

Firstly, a lot of the campaigns undertaken only look at certain aspects of attempts to socially engineer the user into an action. These carry with them tell-tale signs like misspelling, poor language, impersonal greetings and then go deeper into lookalike sender addresses. They don’t cover aspects where, for example, the initial email is designed simply to elicit a response, to ensure that the recipient has a valid address and to build into what becomes an expected follow-up that is more likely to entice said user.

They also rarely measure users who do not interact with the simulation. Where they delete it or ignore it, or the mailbox is so full that they don’t even see it. As ridiculous as it may seem, even before this there can often be a need to whitelist parameters even to get the simulated email into the organization in the first place, which kind of defeats the object really.

When we are talking about the risk of email threats, we need to consider the layers that such emails have to penetrate just to reach the inbox. Negating those does not allow for a realistic scenario that the user is likely to face.

Secondly, although some of the simulations will increase their craft, they will rarely mirror the threat from spear-phishing, wherein the adversary will work hard to tailor their approach to the individual, using multiple sources of information to ensure the pertinence of their threat to that specific individual. That in itself requires another level of craft that is often ignored. Even then, when some organizations do try and target individuals, they usually do so on a perceived level of risk due to that individual’s position or influence rather than their actual level of risk. For example, they draw on the victim’s social media presence, role, project involvement, network, as well as their interests and hobbies that we as humans all too regularly share with aplomb.

Overriding any of this is the most common mistake I see being made, which is simply to define the actual outcome that is desired and why. Raising awareness should not be the goal. Consideration should be given to what greater awareness gives an organization and how that awareness should ideally manifest, recognizing also that not every user will achieve the same level of awareness, nor will that level remain constant. It will fluctuate constantly depending on circumstance.

Think about what an aware user should do. Should they delete any suspicious emails? OK, fair enough, but where you have multiple recipients of the same threat in your organization, which is highly likely, you are reliant on each in turn making a conscious decision of how to treat that threat, to which you hope each chooses to delete. Even in this outcome, from a risk perspective, you will be blissfully unaware of the threat they have each faced.

A far better outcome would be to develop a culture where an aware user reports something suspicious, which of course requires them to know who to report it to. This can be achieved by the one-click reporting functionality offered by a number of services. The simplification of reporting is paramount. Equally paramount is having the right processes and people in place to deal with those reports, to investigate them (which regularly involves very manual processes and more than one team) and then, of course, to treat them. All the while considering the demand those security people already have on their time, and how a culture of reporting will affect that. Reporting is great if you can act swiftly enough to negate the need for each user to take a positive security action. Make no bones about it, that is no mean feat.

That said, if you can marry awareness with reporting, simplicity of such alongside simplicity of security decision making and mitigating actions, then simulations are a great place to augment your other layers of control. On their own, simulations are little more than an artificial temperature check that do little to raise preparedness in a joined-up manner.

Most important in all of this is ensuring you close the loop by providing feedback to the reporting user. To inform them of the outcome of their action, without which, your culture of reporting will soon disappear.

What’s Hot on Infosecurity Magazine?