Phishing simulation training is a staple of many security awareness programs. In the latest State of the Phish annual research report by security company Wombat, 76% of information security professionals reported that their organizations were victimized by phishing. It is also big business. The firm Cybersecurity Ventures is predicting that “global spending on security awareness training for employees is predicted to reach $10 billion by 2027.”
As the cat and mouse game continues, hostile actors have improved their tactics by impersonating business partners and government agencies, which has forced organizations to retool their awareness programs as well. Some companies with more mature awareness programs have even evolved to run phishing simulation campaigns at regular intervals, targeting various segments of the organizational population to ensure proper test coverage and effectiveness.
However, one area of phishing simulation training that may not have matured is the end game. Once the metrics are analyzed, what do you do with the repeated clickers? Common follow-up actions include additional training and notification to management. In many cases, no action is taken at all.
There could be multiple reasons for this, such as not wanting to embarrass employees, reluctance to push something that could run counter to the company culture, or a lack of resources to track and monitor any follow-up actions.
This presents a large gap in the training cycle and puts the organization at risk, especially since, according to a report by security software company PhishMe, 91% of cyber attacks were initiated by a phish. This is primarily because phishing is such an attractive attack vector for hackers. Furthermore, if employees know there will be no consequences for their actions, why would their behavior improve? Employee accountability stems from enforcement and, if needed, escalation; otherwise, phishing simulation training has minimal value.
Ultimately, to fix the problem, it boils down to the tolerance level for failing the exercises and understanding the importance of correcting the behavior. Implementing a formalized escalation process for test failures would help to complete the life cycle for the phishing simulation training program.
Here is an example of how an escalation process would run during a 12-month period, assuming multiple campaigns are conducted.
Isolated or Rare Occurrence
This could include the first and second incidents. Administer just-in-time training that triggers as soon as the employee fails the test (e.g. clicks the link or opens the email attachment). The training would consist of anti-phishing best practices and the red flags the employee should have spotted in the test email.
Continual Behavior
This is the third incident: the employee will be required to complete a phishing basics training course in a learning management system. This would cover the types of phishing used by hackers and tips on spotting suspicious elements such as URLs, unknown senders, attachments and message contents.
Disciplinary Intervention
Upon the fourth or fifth incident, the employee’s leader will have to be actively involved in the performance improvement process. This includes coaching the employee on email security best practices and developing an action plan to improve performance on future testing.
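One practical gap in running the three stages above is the bookkeeping: someone has to count each employee's failures inside the rolling 12-month period, let old failures age out, and tell the right leader when the disciplinary stage is reached. The following is an added example, not code from the original article, of a small tracker that does this. The tier names follow the three stages described above; the 365-day window is my reading of "12 month period"; the record and function names (`Failure`, `tier_for`, `escalation_report`) and all sample employees, leaders and campaign names are constructed for the example.

```python
"""Rolling-window escalation tracker for phishing-simulation failures.

Added example, not code from the original article. The tier names and the
365-day look-back come from the article's description; the record and
function names and the sample data below are my own.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

WINDOW = timedelta(days=365)   # the article's "12 month period", assumed to be a rolling window


@dataclass(frozen=True)
class Failure:
    employee: str      # user id; constructed sample values below
    leader: str        # the employee's manager, needed for the disciplinary stage
    campaign: str      # which simulation campaign the failure belongs to
    failed_on: date    # date the simulated phish was clicked / attachment opened


def tier_for(count: int) -> str:
    """Map the number of failures inside the look-back window to the article's three stages."""
    if count <= 0:
        return "none"
    if count <= 2:
        return "just-in-time training"       # isolated or rare occurrence
    if count == 3:
        return "phishing basics course"      # continual behavior
    return "disciplinary intervention"       # fourth incident and beyond


def failures_in_window(failures, employee, as_of):
    """Failures for one employee that fall inside the rolling window ending at as_of.

    Older failures age out, so an employee is not escalated forever for a click
    that happened more than a year ago.
    """
    start = as_of - WINDOW
    return sorted(
        (f for f in failures if f.employee == employee and start < f.failed_on <= as_of),
        key=lambda f: f.failed_on,
    )


def current_tier(failures, employee, as_of):
    """The stage an employee is at on a given date."""
    return tier_for(len(failures_in_window(failures, employee, as_of)))


def escalation_report(failures, as_of):
    """Per-employee stage plus the leaders who must be engaged for the disciplinary stage."""
    employees = sorted({f.employee for f in failures})
    tiers = {e: current_tier(failures, e, as_of) for e in employees}
    leaders = defaultdict(list)
    for f in failures:
        if tiers[f.employee] == "disciplinary intervention" and f.employee not in leaders[f.leader]:
            leaders[f.leader].append(f.employee)
    return tiers, dict(leaders)


# Constructed sample data (not real people or campaigns).
SAMPLE_FAILURES = [
    Failure("alice", "carol", "Q1-invoice", date(2023, 1, 15)),       # ages out by AS_OF below
    Failure("alice", "carol", "Q2-hr-policy", date(2023, 5, 2)),
    Failure("alice", "carol", "Q3-vendor", date(2023, 8, 20)),
    Failure("alice", "carol", "Q4-password-reset", date(2023, 11, 7)),
    Failure("bob", "carol", "Q4-password-reset", date(2023, 11, 7)),
    Failure("dave", "erin", "Q1-invoice", date(2023, 1, 15)),         # ages out by AS_OF below
    Failure("dave", "erin", "Q2-hr-policy", date(2023, 5, 2)),
    Failure("dave", "erin", "Q3-vendor", date(2023, 8, 20)),
    Failure("dave", "erin", "Q3-vendor-resend", date(2023, 9, 3)),
    Failure("dave", "erin", "Q4-password-reset", date(2023, 11, 7)),
]

AS_OF = date(2024, 1, 31)   # reporting date; window start is therefore 2023-01-31

if __name__ == "__main__":
    tiers, leaders = escalation_report(SAMPLE_FAILURES, AS_OF)
    for employee, tier in tiers.items():
        print(f"{employee}: {tier}")
    print("leaders to engage:", leaders)
```

With the sample data, alice's January failure has aged out, so she sits at the phishing basics course with three failures in the window rather than at the disciplinary stage; dave still has four in the window, so his leader erin appears in the report. Whether the window should be rolling or aligned to a calendar year is a policy choice the article leaves open; changing `failures_in_window` is the only edit needed to switch.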
Key Considerations
- Support from executive management is critical to ensure the process has “teeth” to it.
- Willingness to follow through. Since this is a behavior-changing activity, sticking to the escalation process shows that it is taken seriously.
- Consistency. Once implemented, the process needs to be executed evenly to everyone in scope. Also, tying it into existing information security policies and procedures will help give it additional clout.
- Communication. Employees need to be made aware of the new process, what the expectations are, what the consequences of non-compliance include and when it takes effect.
As with any approach, once the process has been documented, approved, implemented and socialized, certain exceptions may need to be taken into account. For example, employees who continually work with outside vendors may need more flexibility than a department that does not have as much external contact. Another option in a case like this could be to implement a compensating control such as enhanced email filtering.
Ultimately, the leader is the one who should be held responsible for the actions of their employee. Threats of termination or suspension of the employee may cause unnecessary stress and could lead to overly cautious behavior which could have a negative impact on job performance. Another way to keep the leader engaged is to have them also take a phishing basics course if their employees are forced to take it. Skin in the game never hurts.