Intro to Phishing Awareness Programs
What better way to kick off a cybersecurity website than by discussing phishing awareness programs? In this very first article, we’re going to be demystifying phishing awareness programs by breaking them down into components and discussing each so we can all create more effective and holistic programs. Let’s jump right into it!
The Purpose: Reduce Risks Working With Users
Ultimately, the goal is to reduce the risk of users clicking on, and interacting with, real phishing emails. However, I like to elaborate on this goal a bit and emphasize that it should also include identifying phish-prone users in a safe way so that we can provide follow-up training, answer questions, and clarify as needed, which effectively reduces the risk of users failing on real malicious emails. The key takeaway here is that it’s our job as cybersecurity professionals to help our users become more phish aware!
Quick Notes
Many organizations tend to become overly focused on phishing awareness programs, sometimes turning them into complex, intricate, and hard-to-manage systems that end up working against them. Conversely, some organizations opt for only a few elements of a phishing awareness program, missing out on significant potential. While there's no universal phishing awareness program, the goal should be to develop a comprehensive, efficient program that doesn't require an excessive amount of time to maintain.
Primary Components of a Phishing Awareness Program
Stakeholder Buy-In: We Need It!
As with most things in business, it is crucial to secure the support of stakeholders and to sustain it in order to effectively carry out and oversee a phishing awareness program. The stakeholders we aim to involve in this process usually encompass the entire cybersecurity hierarchy, the broader IT department, and influential figures in top management such as the CEO, CISO, CIO, CCO, CDO, and similar roles with relevance in the IT domain.
To secure stakeholder buy-in, it is crucial to identify a cybersecurity champion among the stakeholders and engage with them to initiate conversations about launching a phishing awareness initiative. Having someone at an equal or higher organizational level can significantly enhance one's ability to persuade and gain support from others, particularly in certain global regions. Initiating dialogue with this individual can cultivate a strong relationship that is pivotal for successfully implementing the program across the organization and ensuring uniform adoption by all users. The way you move forward from this point can differ significantly. In my experience, focusing on numbers, financial figures, and statistics has been highly effective when communicating with stakeholders who are not IT experts and are mainly interested in the business aspects rather than technical details like phishing.
If you can speak their language and illustrate for them the risks and costs associated with actual phishing emails as well as provide statistics around how many users in your organization click on actual malicious emails, then compare that potential to the time and money you want to spend on a phishing awareness program, you will have a great start. Ultimately, you want to prove to them that implementing this program will be less costly and time-consuming than a successful malicious email could be - think estimating the ‘Return on Investment’ (ROI).
Phishing Simulation Campaigns
On to the “meat” of the program: phishing simulation campaigns are just that; you conduct a phishing campaign against your own users with safe emails that are modeled after actual malicious emails. This is important because you want to use relevant emails; these should serve as learning opportunities for employees in a safe and applicable manner. There are multiple platforms out there that offer phishing templates, and even a few AI platforms can help you craft phishing emails, but oftentimes the best place to get inspiration for these is your organization’s very own spam or quarantine folders, or real malicious emails that your users have interacted with. These are as real as examples get for your specific organization, so you can ensure they are relevant, applicable, and occasionally targeted towards your organization.
When trying to determine when, how often, and how long a phishing simulation campaign should run, I’m going to give the default answer of “it depends”. You want to conduct a test frequently enough that you can identify phish-prone users and help them improve before a real malicious email is successful, but you don’t want to inundate their inboxes with fake phishing emails to the point where your time is being wasted, users ignore all emails, and everyone involved becomes very frustrated. In most cases, phishing simulation campaigns should run long enough so that not all users receive their emails at the same time as this can cause issues with tainting the test; if users start to notice a large number of their colleagues receiving similar emails, they are likely to discuss it with others which reduces the effectiveness of the simulation.
For a similar reason as to why you may not want to send all phishing emails at the same time, it is not recommended to use just one or two emails for a phishing campaign. Depending on how many users you have in your organization, you’ll want to have a few phishing emails that are sent at random to users so that not everyone receives the same email. People talk, especially when they are frustrated that they failed a phishing test, so to limit the potential for these discussions to hinder our simulations, we need to use multiple emails in a campaign.
Notifying Users
Providing users notification of their failure is an absolute necessity, especially if your escalation process includes Human Resources at some point. Besides that, these are supposed to be learning opportunities, so we need to let our users know that they aren’t quite meeting expectations and work with them. One noteworthy item here from my experiences is that the sooner you notify a user of their failure, the less the chances are that they will come back to you and say they didn’t click on that link or attachment, which can save you time digging into supposed “false positives”.
Escalation
Implementing a phishing simulation program is beneficial, but it is essential to ensure that users are taking it seriously and actively working to enhance their awareness instead of dismissing it as an insignificant effort. Phishing poses a significant risk to organizations worldwide, and it is crucial to communicate this risk and the importance of phishing awareness to users in a manner that is not easily disregarded. One effective approach is to establish an escalation matrix for handling phishing failures, although it is important to note that obtaining the necessary approvals from relevant authorities is imperative, depending on the desired structure of the escalation matrix.
When someone repeatedly makes mistakes, it is crucial to involve their manager(s), have a discussion about the issues, and provide them with appropriate training to address the errors. In cases where users significantly impact the company's operations, consequences may include temporary or permanent loss of email access, disciplinary action from HR such as a warning, or termination. It is essential to seek approval from the relevant authorities before implementing any disciplinary measures.
Live Phishing Awareness Training Sessions
Hosting live phishing awareness training sessions is an excellent way to reach users in an engaging and open way, but I would recommend hosting a few at varying times to accommodate different users' schedules depending on the size of your organization. It may also be beneficial to record a session of this and make it available to those who are unable to attend any of the sessions due to PTO, conferences, etc.
I found these live sessions to be hugely beneficial as users are more likely to ask questions. Then, when a question gets asked and the initial ice is broken, it often sparks questions from others which leads to an excellent opportunity to address questions, concerns, and curiosities from users, hopefully leaving them feeling more knowledgeable and vigilant. Requiring attendance at these training sessions for users who fail phishing tests can be a great component of an escalation matrix, and offering them as optional training sessions to all users can really help bolster phishing awareness across the entire organization.
Rather than hosting just an open Q&A session, these meetings should have a foundational structure and agenda to ensure that quality and beneficial information is covered. Discussing the potential damage of phishing emails, emphasizing the importance of phishing awareness, covering the tools you have in place for reporting potential phishing emails, reviewing a few red flags to look for in emails, and even reviewing recent phishing simulation emails for their red flags can all be excellent topics to cover in these meetings.
Have Resources Available
It's crucial to emphasize that these incidents should be seen as valuable learning opportunities to reduce the risk of users engaging with a genuinely harmful email. A key aspect of this learning approach involves providing a wide range of resources and training materials that are easily accessible to all users. One effective method is to establish an intranet site dedicated to phishing awareness, featuring a recorded live training session on phishing awareness that users can watch at their convenience, guidance on identifying phishing emails, instructions on reporting suspicious emails, and examples of past phishing simulation campaigns with highlighted warning signs. Depending on the size of your organization, it may also be beneficial to provide contact details for the in-house phishing expert, as in some large organizations, most users may not be aware of whom to approach with their questions and concerns.
Some organizations have users, such as shop floor associates, who do not primarily work at a desk and have limited contact with their computers. While an intranet site and phishing awareness emails can benefit most employees, it is crucial to also target those with infrequent email interactions, as they may present a higher security risk. One great approach is to display phishing awareness posters in their common gathering areas, such as lunchrooms. The key is to rotate these posters regularly to ensure they capture users' attention, without allowing them to blend into the background and just be part of the wall. My recommendation would be to change the posters on a monthly basis as I have found this to be a great starting point.
Acknowledge and Appreciate Users’ Phishing Awareness
We want to positively reinforce phishing awareness, which can be done by acknowledging and showing our appreciation to users when they identify emails that are simulation emails or truly malicious emails. When sending out the failure notifications to users at the end of a phishing simulation campaign, it can help positively reinforce phishing awareness if you also send emails to users who successfully reported the phishing simulation emails. This can be a quick “thank you” and a short explanation of how being cautious can prevent a cyber incident.
Additionally, encouraging users to report any and all emails that appear suspicious can prevent a cyber incident from occurring. One way to do this is by implementing a ‘Phish Bounty’ program, which, at a high level, is a program that offers a reward for users who report emails that are found to be malicious. The reward could be a small gift card, a few hours of PTO, lunch paid for by the company, or any other reward that would be given to one or a few users each month who reported a malicious email.
Example of a Phishing Awareness Program
You’re probably thinking, “all of this information is great, but what does a program actually look like?”, so here is an example to bring it all together:
The Phishing Simulation Campaign
Each month, a phishing simulation campaign starts in the first week. The campaign spans 3 weeks and uses 3 different phishing emails; each user receives one of them, chosen at random, at a random time during the campaign.
Notifying Users
Users who report a phishing simulation email successfully should be promptly informed about their successful report and thanked for their vigilance. In the event that a user fails a phishing email, they should be notified promptly, and the necessary escalation should be implemented according to their phishing history.
Escalation
Escalation is determined based on a rolling 12-month period, which shows a user’s track record while also providing leniency once users stop interacting with phishing emails.
| Tier | Email Notifications | Required Attendance | HR Actions |
|---|---|---|---|
| Tier 1 | User | Live Phishing Awareness Training | |
| Tier 2 | User | Live Phishing Awareness Training & additional training module of 5-10 minutes | |
| Tier 3 | User, User's Manager | Live Phishing Awareness Training & additional training module of 5-10 minutes | |
| Tier 4 | User, User's Manager, Manager's Manager | Live Phishing Awareness Training & additional training module of 5-10 minutes | |
| Tier 5 | User, User's Manager, Manager's Manager, Executive Leader | Live Phishing Awareness Training & additional training module of 5-10 minutes | Verbal Warning |
| Tier 6 | User, User's Manager, Manager's Manager, Executive Leader | Live Phishing Awareness Training & additional training module of 5-10 minutes | Written Warning; potential temporary or permanent revocation of email access |
| Tier 7 | User, User's Manager, Manager's Manager, Executive Leader | Live Phishing Awareness Training & additional training module of 5-10 minutes | Potential for termination |
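To make the rolling 12-month escalation concrete, here is an added example (not code from the original article or any vendor platform) that computes a user's current tier from their simulation failure dates and returns the matching row of the matrix above. It assumes that each failure inside the window advances the user one tier, that the window is 365 days, and that tiers cap at 7; the failure history is constructed sample data.

```python
from datetime import date, timedelta

# Escalation matrix from the article: tier -> (who is notified, required attendance, HR action)
LIVE = "Live Phishing Awareness Training"
MODULE = LIVE + " & additional training module of 5-10 minutes"
RECIPIENTS = ["User", "User's Manager", "Manager's Manager", "Executive Leader"]
MATRIX = {
    1: (RECIPIENTS[:1], LIVE, None),
    2: (RECIPIENTS[:1], MODULE, None),
    3: (RECIPIENTS[:2], MODULE, None),
    4: (RECIPIENTS[:3], MODULE, None),
    5: (RECIPIENTS[:4], MODULE, "Verbal Warning"),
    6: (RECIPIENTS[:4], MODULE,
        "Written Warning; potential temporary or permanent revocation of email access"),
    7: (RECIPIENTS[:4], MODULE, "Potential for termination"),
}
MAX_TIER = max(MATRIX)


def failures_in_window(failure_dates, as_of, window_days=365):
    """Count failures that fall inside the rolling window ending on as_of (inclusive).
    Assumption: a 365-day window stands in for the article's 12 months."""
    start = as_of - timedelta(days=window_days)
    return sum(1 for d in failure_dates if start < d <= as_of)


def escalation_tier(failure_dates, as_of):
    """Assumption: one failure in the window = tier 1, two = tier 2, ..., capped at 7.
    Returns 0 when the user has no failures in the window (no action)."""
    return min(failures_in_window(failure_dates, as_of), MAX_TIER)


def escalation_actions(failure_dates, as_of):
    """Resolve a user's failure history to the notification, training and HR actions."""
    tier = escalation_tier(failure_dates, as_of)
    if tier == 0:
        return {"tier": 0, "notify": [], "attendance": None, "hr_action": None}
    notify, attendance, hr_action = MATRIX[tier]
    return {"tier": tier, "notify": notify, "attendance": attendance, "hr_action": hr_action}


# Constructed sample history for one user (not real data); the 2023-02-10 failure has
# aged out of the window by mid-2024, which is the leniency the article describes.
SAMPLE_FAILURES = [date(2023, 2, 10), date(2023, 9, 5), date(2024, 1, 15),
                   date(2024, 3, 8), date(2024, 5, 20)]

if __name__ == "__main__":
    for as_of in (date(2023, 3, 1), date(2024, 6, 1), date(2025, 1, 1)):
        print(as_of, escalation_actions(SAMPLE_FAILURES, as_of))
```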
Live Phishing Awareness Training Sessions
The phishing simulation campaign is scheduled for the first three weeks of the month, leaving the last week available for recurring phishing awareness training sessions. To accommodate various schedules and ensure users have ample time to respond to the invitations, live training sessions can be held on Thursday and Friday mornings and afternoons of that week. Half an hour is usually enough for these sessions, but treat that as a starting point.
Have Resources Available
A SharePoint site that has:
- A recording of a Live Phishing Awareness Training Session
- Links to additional training opportunities
- The latest tips & tricks for spotting phishing emails
- All previous phishing simulation emails with their red flags pointed out
- Contact information for the Cybersecurity Team
Acknowledge and Appreciate Users' Phishing Awareness
Users who successfully report actual phishing emails will receive similar notifications as those who report phishing simulation emails. Additionally, these users will be eligible for a monthly drawing for a $25 gift card, awarded to the user whose reported email has the most significant positive impact on organizational security.
Summary
Phishing awareness programs are essential for helping organizations protect themselves from deceptive email attacks. This blog delves into what these programs entail, including their purpose and key components. It covers how to create a successful phishing awareness program, from developing training content to implementing engaging activities. By understanding the reasons behind each element of the program, you can positively promote phishing awareness and create effective learning opportunities. The goal is to significantly reduce the likelihood of users falling for phishing scams by equipping them with the knowledge and skills to recognize and respond to these threats. It is our job, as Cybersecurity professionals, to work with our users to accomplish this goal together.