There is a huge industry dedicated to phishing awareness and prevention with whole companies built on the concept of simulating phishing emails and tracking how employees respond. It’s a great step forward in terms of educating users and combatting cyber security threats, but the time is now ripe for a more progressive security strategy where the focus is not solely on click-through metrics but instead promoting a culture of reporting.
It’s much more about working with people to get the right things done, rather than scaring them into submission.
Switching up the metrics
The traditional approach to measuring the success of a simulated phishing campaign is based on studying the click-through and engagement rates as a measure of success – what percentage of employees clicked on the email and how many then submitted their details to a fake website? These are then used as ‘teachable moments’ to ensure phishing is front of mind so employees don’t fall prey to it again.
It’s an empowering process, as employees understand they have a role to play in ensuring the security of their organization, but it also often results in standard across-the-board corporate training. The phishing simulation is then re-run at a later date and the metrics compared – in this instance, lower click-through and engagement rates make for a more secure organization.
As a measurement of success, this is a fundamentally flawed approach. The ideal result is to have a zero click-through and engagement rate but, realistically, this will never happen. There may be new employees who haven’t been trained, or it could be a case of the ‘Mondays’ where someone hasn’t yet had their required dose of caffeine! If a zero rate is the sole win condition, it’s going to be difficult to achieve – especially for any larger companies. Simply put, when success requires everyone to do the right thing every time, you’re unlikely to win often, or at all.
A more realistic goal – and one we find to be more effective – is not to focus on a click-through rate but to track the rate at which employees report phishing emails to their IT or security teams. This doesn’t require everyone to do the right thing every time, just one person doing the right thing one time!
If one person reports an email to the security team, they can then jump into action and work to understand the scope of the issue (e.g. did only one person get this email, or many? Are the sender’s email addresses and IPs connected to other emails received by the organization?). The team can remediate the attack by removing the emails from inboxes on behalf of users to prevent them from interacting with them, or by blacklisting the identified phishing links on the network or end-user systems so that even if they are clicked on, the users don’t reach the phishing site.
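As an added illustration of the scoping step described above (not code from the original article), the following Python pivots from one reported message on its sender address, sending IP and link hosts over a constructed mail-gateway log to find related messages, affected recipients and candidate block-list entries; the log field names and the `scope_report` function are assumptions for this example.

```python
from urllib.parse import urlparse

# Constructed sample of a mail-gateway log, one record per delivered message.
# The field names (msg_id, sender, ip, recipient, urls) are assumptions,
# not any real gateway's schema.
MAIL_LOG = [
    {"msg_id": "m1", "sender": "billing@paypa1-secure.example", "ip": "203.0.113.7",
     "recipient": "alice@corp.example", "urls": ["http://paypa1-secure.example/login"]},
    {"msg_id": "m2", "sender": "billing@paypa1-secure.example", "ip": "203.0.113.7",
     "recipient": "bob@corp.example", "urls": ["http://paypa1-secure.example/login"]},
    {"msg_id": "m3", "sender": "support@invoices.example", "ip": "203.0.113.7",
     "recipient": "carol@corp.example", "urls": ["http://paypa1-secure.example/verify"]},
    {"msg_id": "m4", "sender": "newsletter@vendor.example", "ip": "198.51.100.20",
     "recipient": "dave@corp.example", "urls": ["https://vendor.example/news"]},
]


def host_of(url):
    """Return the lower-cased hostname of a URL, the unit used for link blocking."""
    return (urlparse(url).hostname or "").lower()


def scope_report(reported_msg_id, log):
    """Starting from one reported message, find every message that shares its
    sender address, sending IP or a link host, and summarise who received them.
    Caveat: a sending IP shared with legitimate mail (a large provider) will
    over-scope, so matches should be reviewed before purging inboxes."""
    seed = next(r for r in log if r["msg_id"] == reported_msg_id)
    seed_hosts = {host_of(u) for u in seed["urls"]}
    related = []
    for r in log:
        same_sender = r["sender"] == seed["sender"]
        same_ip = r["ip"] == seed["ip"]
        shared_host = bool(seed_hosts & {host_of(u) for u in r["urls"]})
        if same_sender or same_ip or shared_host:
            related.append(r)
    return {
        "message_ids": sorted(r["msg_id"] for r in related),
        "recipients": sorted({r["recipient"] for r in related}),
        "block_hosts": sorted({host_of(u) for r in related for u in r["urls"]}),
        "block_ips": sorted({r["ip"] for r in related}),
    }


if __name__ == "__main__":
    # A single report of m1 surfaces m2 and m3 and three affected users.
    print(scope_report("m1", MAIL_LOG))
```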
What can be more difficult is the issue of spear phishing, as these emails are specifically tailored to their recipient. However, encouraging an employee to report the email is still key as, whilst they can be harder to detect, they’re often indicative of a more sophisticated attack.
Promoting a positive security culture
Phishing is a human problem, and if you’re trying to approach a human problem from a technological perspective, you will not succeed. This strategy is about understanding where security comes from and encouraging employees to buy into the process, rather than putting barriers in their way. This goes hand-in-hand with having an IT/security team which is approachable, and will thank someone for reporting an issue rather than berating or belittling them.
For example, there are tools and techniques designed to educate and empower employees by helping them determine whether an email is legitimate or not. One such tool is the open source ‘IsThisLegit’, a dashboard and Chrome extension which makes it easy to receive, analyze and respond to phishing threats. Encouraging employees to use such tools is part of democratizing security and helps them play a bigger role in protecting the workplace.
Every organization already has a security culture, but building a meaningful culture requires buy-in from everyone, not just the security team. Security is hard-fought and easily lost, but by encouraging a transparent and blameless reporting culture, organizations can protect themselves from phishing attacks, both now and in the future.