The joy of phishing your employees

The joy of phishing your employees

Many companies set up phishing test programs for their employees, often as part of a compliance requirement involving ongoing employee education on security topics. The aim of these programs is to train employees on how to spot a malicious link, not click it, and forward it on to the appropriate responder, but most of these programs do not meaningfully achieve this. Let’s take a look at some common pitfalls and how to step around them.

You’re annoying your employees

Click-through rates on a real phish average between 10 and 33 percent of untrained users, depending on which security vendor you ask. But test phishes are sent to everyone, indiscriminately, taking time and energy away from those who are more or less doing the right thing already.

And while an organizational baseline is useful, and compliance can mandate a certain degree of repetition, repeatedly testing all employees without any sort of targeting can create a certain degree of security blindness on their part. There’s also often a lack of real-world tactics on the part of the tester due to a need to hit large quantities of people at the same time.

A better solution is to conduct infrequent, all-hands tests as a baseline, then take a look at your failures. Do you have clusters, and where are they? What job function is most common in the failures, and how does that map to overall security risk? A repeated failure in Marketing has a different impact than one in Finance.

With a good grasp of where your risk is, you can start focusing on problem areas of the organization with challenging, more frequent tests that use real-world tactics. While an all hands phish might be an untargeted credential harvester, a high-risk phish test might look more like a malicious invoice sent by a fake vendor to a select group in the Finance department.

You’re not including execs

Executives are frequently not included in enterprise security testing, most likely due to difficulty getting buy-in on a topic that some C-Suites view as esoteric. They also are a population most likely to engage in off-channel communications like SMS or bring your own device (BYOD) mobile mail using unsupported clients. However, executives—if successfully phished—can cause some of the most significant dollar losses to the organization than anyone else. While a single compromised credential pair at the ground level is typically a recoverable incident, business email compromise (BEC) aimed at an executive has caused up to $121 million dollars in single-incident losses.

Successful inclusion of executives in a phishing training program would involve spearphishing, rather than a canned phish. The key indicator of a well-formed phish is mirroring the tactics found in the wild, so your high-value targets require a high effort pitch. Make sure that your phish test vendor includes a markup editor to construct custom phishes from scratch so that you can alternate between a canned mass mailer and a laser-focused spearphish, as needed.

You’re not changing your approach

Just as security staff can get alert fatigue and start missing important alarms from their tooling, non-technical staff can get test fatigue and start associating threats with one particular phish format that you use too much. Best practice should include frequent rotation of pitch type and threat type; malicious link, malicious attachment, and pure scam threats present differently and have their own threat ecosystems that warrant their own test formats.

If you’ve been using your test failures to highlight problem areas, that’s a great place to start varying how you conduct your tests. A failure cluster in a Finance department would respond fairly well to attachment-based phish tests, with pitch text focused around payment themed keywords. Given that impact of a breach to that department would also be high risk, more frequent and more difficult tests give better outcomes over the long term. The key point is that phish tests are sensors for organizational risk and should be tuned for accuracy frequently.

You’re not using the data

Okay, so you’ve checked that compliance tick box, created a test schedule that ratchets in to your problem areas over time, and you’re running custom spearphishes against your execs. You can call it a day, right?

Hitting these marks can get you a large security advantage over other companies, but to really realize the full advantages of a security training program, you need to start sifting through the data that the program generates.

A great place to start is looking at where your failures sit. Are they evenly distributed, or do they cluster in particular departments? Are they individual contributors, or management? More importantly, which types of phishes do they click on most?

All of these questions can drive identification of high risk areas of the company, as well as prioritize which security controls should be implemented first. Rather than a top-down command approach, looking at the impact of a simulated attack can provide a clear view of where to start with a broader security improvement program.

If it’s not fun, you’re doing it wrong

Last and most importantly, this should be fun. The more creativity and variety injected into the process by security staff, the more effective the user awareness will be. And that doesn’t just extend to phish variety—user reports can and should be acknowledged at the organizational level.

Users can submit phish pitches, or preferred organization targets. Some phish test vendors even include stats broken out by department or manager that lend themselves very well towards friendly competition. Engaging employees beyond “Don’t do that” not only creates better security outcomes, but it tends to create better communication outcomes throughout a company.

Most corporate phishing programs do not meet their stated goals. The reasons for this can include overweighting compliance goals to the exclusion of others, complacency in test format, vendor choice making it tough to analyze data from the program, and failure to give dedicated resources to testing. These are largely avoidable if an organization shifts focus on their testing programs from a checkbox to risk analysis.

Overall, folding phish testing into a broader look at cyber risk can provide hard data that can drive security controls and increase organizational buy-in.

ABOUT THE AUTHOR

William Tsing

Breaking things and wrecking up the place since 2005.