Phishing is on the rise.
The latest numbers show that 83 percent of cybersecurity teams experienced phishing attacks last year, up from 76 percent in 2017. The techniques are becoming more sophisticated, moving away from executable code in attachments to sharing infected links via social media, text, and ever-more-clever emails designed to look like they’ve come from reputable organisations.
If employees can be trained to spot phishing attempts as they happen, the risk of a security breach diminishes. The same report noted that companies with security awareness training in place (nearly 60 percent of those surveyed) saw an increase in detection once staff had been trained to recognise potential attacks.
As we noted in a previous post, training is essential to minimising the insider threat, and simulations are a highly effective way to create teachable moments that increase retention and sensitise people to possible risks.
What is a phishing simulation?
Phishing simulations are fake attacks designed to help employees understand the different forms phishing can take so they are more likely to avoid clicking malicious links or inadvertently leaking sensitive data. Security teams create their own artificial phishing emails and/or webpages then send them to employees. The objective is to observe people’s reactions and measure behaviours in real time.
Done right, simulations can quickly raise risk awareness and give security teams important baseline metrics (e.g. what percentage of the workforce caught the phishing attempt and what percentage didn't) that they can work to improve on over time.
Employees get to experience a phishing attack in the wild, but without any of the risk. They’re also given a chance to improve their security behaviour in the context of their day-to-day duties.
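The baseline metrics mentioned above are easiest to act on when every simulation round is recorded as a small event log and summarised the same way each time. The following is an added example (not code from the original post or from any vendor platform) that takes a constructed log of "sent", "clicked" and "reported" events across two rounds, classifies each recipient as fell-for-it, caught-it or ignored-it, and computes the per-round rates plus the round-over-round change. The event names, employee ids and timestamps are all made up for the illustration.

```python
from collections import defaultdict

# Constructed sample results from two simulation rounds (not real data).
# Each record: (round_number, employee_id, event, iso_timestamp)
#   "sent"     - the simulated lure was delivered to the employee
#   "clicked"  - the employee followed the lure's call to action
#   "reported" - the employee flagged the message to the security team
EVENTS = [
    (1, "e1", "sent", "2019-03-04T09:00"), (1, "e1", "clicked", "2019-03-04T09:12"),
    (1, "e2", "sent", "2019-03-04T09:00"), (1, "e2", "reported", "2019-03-04T09:03"),
    (1, "e3", "sent", "2019-03-05T10:00"), (1, "e3", "clicked", "2019-03-05T10:20"),
    (1, "e3", "reported", "2019-03-05T10:25"),
    (1, "e4", "sent", "2019-03-05T10:00"),
    (1, "e5", "sent", "2019-03-06T11:00"), (1, "e5", "clicked", "2019-03-06T11:30"),
    (2, "e1", "sent", "2019-06-10T09:00"), (2, "e1", "reported", "2019-06-10T09:05"),
    (2, "e2", "sent", "2019-06-10T09:00"), (2, "e2", "reported", "2019-06-10T09:02"),
    (2, "e3", "sent", "2019-06-11T10:00"), (2, "e3", "clicked", "2019-06-11T10:10"),
    (2, "e4", "sent", "2019-06-11T10:00"),
    (2, "e5", "sent", "2019-06-12T11:00"), (2, "e5", "reported", "2019-06-12T11:15"),
]


def summarise_round(events, round_number):
    """Classify every recipient in one round and return counts and rates.

    fell_for_it: clicked at all (reporting afterwards does not undo the click)
    caught_it:   reported without ever clicking
    ignored_it:  neither clicked nor reported
    """
    per_employee = defaultdict(set)
    for rnd, emp, event, _ts in events:
        if rnd == round_number:
            per_employee[emp].add(event)

    sent = sorted(e for e, evs in per_employee.items() if "sent" in evs)
    fell = [e for e in sent if "clicked" in per_employee[e]]
    caught = [e for e in sent
              if "reported" in per_employee[e] and "clicked" not in per_employee[e]]
    ignored = [e for e in sent if e not in fell and e not in caught]
    n = len(sent)
    return {
        "sent": n,
        "fell_for_it": fell,
        "caught_it": caught,
        "ignored_it": ignored,
        "click_rate": len(fell) / n if n else 0.0,
        "caught_rate": len(caught) / n if n else 0.0,
    }


def programme_trend(events):
    """Summarise every round and compute the change between consecutive rounds.

    Also lists employees who clicked in every round they were sent a lure,
    which is the group that most needs follow-up training.
    """
    rounds = sorted({rnd for rnd, *_ in events})
    summaries = {r: summarise_round(events, r) for r in rounds}

    deltas = {}
    for prev, cur in zip(rounds, rounds[1:]):
        deltas[(prev, cur)] = {
            "click_rate_change": summaries[cur]["click_rate"] - summaries[prev]["click_rate"],
            "caught_rate_change": summaries[cur]["caught_rate"] - summaries[prev]["caught_rate"],
        }

    clicked_every_round = None
    for r in rounds:
        clickers = set(summaries[r]["fell_for_it"])
        clicked_every_round = clickers if clicked_every_round is None else clicked_every_round & clickers
    return {
        "rounds": summaries,
        "deltas": deltas,
        "repeat_clickers": sorted(clicked_every_round or set()),
    }


if __name__ == "__main__":
    report = programme_trend(EVENTS)
    for r, s in report["rounds"].items():
        print(f"round {r}: sent={s['sent']} click_rate={s['click_rate']:.0%} "
              f"caught_rate={s['caught_rate']:.0%}")
    for (a, b), d in report["deltas"].items():
        print(f"round {a} -> {b}: click rate {d['click_rate_change']:+.0%}, "
              f"caught rate {d['caught_rate_change']:+.0%}")
    print("repeat clickers:", report["repeat_clickers"])
```

Counting a click as a click even when the employee reports afterwards is a deliberate choice: the reporting is still worth praising, but the organisation's exposure is governed by the click. The repeat-clicker list is the group to prioritise for the follow-up training the post goes on to recommend.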
But the way simulations are executed can impact their effectiveness. Poor planning and uninformed assumptions can skew results or make it less likely that staff see the exercise as worthwhile. To get the most out of simulations there are a few common pitfalls to avoid.
How to dull the effectiveness of phishing simulations
Make them too challenging.
Sometimes training is based on mistaken assumptions about how much employees already know about phishing. This can lead to simulations that are 'too good', built with an insider's knowledge of the organisation, which most employees fall for. If the bar is set too high, employees may well ask whether they have been set up to fail, or whether the exercise was a form of entrapment designed for shaming and blaming rather than for improving outcomes.
Create poor content.
We've learned over time that people tune out potential learnings if the content of a simulation doesn't match real-world conditions. And if too much time is devoted to lengthy training materials, the likely result is boredom rather than learning. On the other hand, if the content of a simulation is too top-line or generic, for example not reflecting the security risks or concerns of the sector employees work in, they won't retain it.
E-blast everyone at the same time.
Hitting everyone on the same day at the same time might seem like a good way to test organisational readiness for a phishing attack, but in fact it can have the opposite effect.
The first employees to recognise the email as a phishing attempt will alert others. Word will spread across the organisation and the next people to open the email will be prepared for it, notifying IT but never actually exposing themselves to the email’s ‘call to action’.
How to get the most from phishing simulations
First, remember that email isn't the only mode of attack. Simulations need to be run across all the relevant threat vectors, including SMS, social media and even voice, since some phishing and social engineering attempts happen by phone.
Second, simulations should be backed up with training. They will be more effective if executed as part of a larger programme designed to alter behaviour and empower teams to recognise threats independently.
Simulation design should also consider how employees address security and privacy issues at home, and emphasise the skills and know-how an end user might employ to protect their families or secure their own personal cyber space.
Finally, don't overdo it. Making employees phishing-aware shouldn't happen at the expense of smooth and efficient operations. Present the threat in proportion to the risk; otherwise people may learn to fear their own inbox, or have IT checking every email from an unknown sender.
So, is it worth it?
In a word – yes.
Real-time phishing simulations have been shown to double cybersecurity awareness retention rates compared with more traditional training tactics.
Empowering your employees won't happen overnight, however. Simulations need to be part of a broader programme of security awareness training where the focus is on showing instead of telling. Done right, they are a great way to strengthen a security-aware culture and to provide employees with tangible, real-life scenarios for better understanding their own security instincts.
Want to learn more about empowering your employees’ security defences? Why not sign up for a free demo and find out how we’re already helping organisations just like yours.