
teissTalk: Phishing simulations – should you bother?


On 8 February, teissTalk host Tom Langford was joined by Paul Watts, Distinguished Analyst, Information Security Forum (ISF); Andy Rose, Board Advisor - Cyber Security, Menca; and Ben Wynn-Jones, Information Awareness Lead, Canon EMEA. 


Views on news


A new report from email security firm Cofense has delved into the most common themes in email phishing attacks last year. Of the major themes - the phishing emails with the highest volume - finance was the most popular, making up 54%. These emails were related to topics such as invoices and payments. Notification phishing emails, which are those related to password expiration, reminders, appointments, required actions and the like, came second with 35%. 


Phishing has been around for some time, but it is so effective that criminals have stuck with it. We shouldn’t say that humans are the weakest link. It is better to say that employees’ task is to deal with the residual risk, and that the bulk of cyber risk should still be managed by cyber-security experts, even if firewalls are now a thing of the past. Phishing is not limited to businesses but can target employees in their private lives as they bank, pay for a subscription or pay for an order they’ve made. What training should focus on is the moment after reading the phishing email, when potential victims should stop and think rather than rush into action. 


Making employees more resilient against phishing attacks


Falling victim to phishing is to a large extent due to the emotional processes of the mind working faster than the rational ones. So, one way of dealing with the problem is creating more emotionally resilient employees. Phishing messages take advantage of that rash, emotional part of the brain to trigger an emotive response. The more such messages one receives, the more resistant one becomes to them. 


When designing phishing simulations, you must rely on common sense. You can’t make them too benign, because criminals in real incidents don’t pull their punches either. With phishing simulations, it is also key to set the red lines and have a list of topics that are out of bounds. Focussing on near misses can be very helpful too. To leverage these cases, though, the security function has to create a culture where people dare to speak up and share these incidents without the danger of being sanctioned. However, statistics show that a negative-consequence (few-strikes-and-out) model can be rather effective too. But make sure you don’t jump straight to the punishment model. This model can be especially difficult to implement in EU countries where there are works councils. Too much emphasis on speed at the workplace may result in employees rushing to complete tasks rather than examining the context. Using different metrics for measuring email response performance may help.


Security awareness professionals don’t have enough first-hand data at their disposal. There are a lot of things that they can’t see about password security or how employees treat confidential information. Most of the security professionals measure the same old metrics, so there is room for innovation in this space. But currently, how phishing is reported seems to be the best metric. It shouldn’t be just click rates that get reported to the board, but also what the next step should be. 
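The panel’s point that reporting behaviour, not just click rate, is what belongs in front of the board is easy to show with a small calculation. The following is an added example, not code from teiss or the panellists: it takes per-recipient outcomes from one simulation campaign (the data below is constructed for illustration; the `RecipientOutcome` shape, the metric names and the follow-up groupings are my own assumptions) and derives the report rate, the ratio of reports to clicks, the near-miss rate and the time-to-report figures, then separates recipients into the groups that need a different next step.

```python
from dataclasses import dataclass
from statistics import median
from typing import Optional

# One recipient's outcome in a single simulation campaign.
# Minutes are measured from the time the simulated email was delivered.
# None means the event never happened.
@dataclass(frozen=True)
class RecipientOutcome:
    recipient: str
    clicked_after_min: Optional[float]
    reported_after_min: Optional[float]


# Constructed sample data (not real campaign results): ten recipients.
SAMPLE_CAMPAIGN = [
    RecipientOutcome("u001", None, 4.0),   # reported without clicking
    RecipientOutcome("u002", 2.0, None),   # clicked, never reported
    RecipientOutcome("u003", 3.0, 12.0),   # clicked, then reported (near miss)
    RecipientOutcome("u004", None, None),  # ignored the email
    RecipientOutcome("u005", None, 9.0),
    RecipientOutcome("u006", 1.5, None),
    RecipientOutcome("u007", None, 30.0),
    RecipientOutcome("u008", None, None),
    RecipientOutcome("u009", 5.0, 6.0),    # clicked, then reported (near miss)
    RecipientOutcome("u010", None, 15.0),
]


def campaign_metrics(outcomes):
    """Board-level numbers for one campaign: reporting behaviour beside click rate."""
    n = len(outcomes)
    clicked = [o for o in outcomes if o.clicked_after_min is not None]
    reported = [o for o in outcomes if o.reported_after_min is not None]
    near_misses = [o for o in clicked if o.reported_after_min is not None]
    report_times = sorted(o.reported_after_min for o in reported)
    return {
        "recipients": n,
        "click_rate": len(clicked) / n,
        "report_rate": len(reported) / n,
        # >1 means more people reported than clicked; the trend of this
        # ratio across campaigns says more than click rate alone.
        "report_to_click_ratio": len(reported) / len(clicked) if clicked else float("inf"),
        # Share of clickers who then reported: the near misses the panel
        # wants surfaced rather than punished.
        "near_miss_rate": len(near_misses) / len(clicked) if clicked else 0.0,
        # How quickly the first report reaches the security team bounds how
        # fast a real campaign could be contained.
        "first_report_minutes": report_times[0] if report_times else None,
        "median_minutes_to_report": median(report_times) if report_times else None,
    }


def follow_up_groups(outcomes):
    """Split recipients by outcome so each group gets a different next step."""
    groups = {"coach": [], "thank_near_miss": [], "thank_reporter": [], "no_action": []}
    for o in outcomes:
        if o.clicked_after_min is not None and o.reported_after_min is None:
            groups["coach"].append(o.recipient)            # clicked and stayed silent
        elif o.clicked_after_min is not None:
            groups["thank_near_miss"].append(o.recipient)  # clicked but self-reported
        elif o.reported_after_min is not None:
            groups["thank_reporter"].append(o.recipient)   # spotted and reported it
        else:
            groups["no_action"].append(o.recipient)        # ignored the email
    return groups


if __name__ == "__main__":
    for key, value in campaign_metrics(SAMPLE_CAMPAIGN).items():
        print(f"{key}: {value}")
    print(follow_up_groups(SAMPLE_CAMPAIGN))
```

On the constructed data the click rate is 40% but the report rate is 60%, the first report arrives four minutes after delivery, and two of the four clickers reported themselves afterwards. Those are the figures, together with the two users who clicked and said nothing, that turn a campaign into an action list rather than a single percentage.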


The panel’s advice


  • If a phishing simulation must go through the hands of many senior leaders, its effectiveness may be diminished, or it may never happen at all. 

  • Make sure phishing simulation emails don’t go out to your staff at the same time. Also, staff must be prepared for the simulation. Don’t spring one on them if they aren’t ready yet.  
  • Don’t create your phishing programme in isolation. Bring the rest of the business on board.
  • Get the CEO or other members of the C-suite to talk about the importance of always questioning messages that seem to have been sent by them. 

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543