How to Create an Effective Anti-Phishing Program

People can become an asset to a business when they can detect and report suspicious phishing emails that bypass technologies designed to stop the threat. When people detect and escalate to security teams, they can help stop phishing attacks.

Successful anti-phishing programs are transparent, positive and foster a strong security culture across the business. They don’t focus solely on click rate, but instead on performing real-world phishing simulations based on actual business operations and threats. Successful anti-phishing programs also emphasize reporting, fast response, links to threat intelligence and metrics that demonstrate results over time. Lastly, an important factor is having management support to drive the program forward.

Anti-Phishing Program Fundamentals

Anti-phishing training helps organizations defend their business. Phishing is a common means for attackers to gain an initial foothold into businesses, and from there, are able to pivot, move laterally, maintain persistence and ultimately exfiltrate data.

When getting started with an anti-phishing program, consider a more overt, rather than covert approach, and explain to employees what is being done and why. Some companies first try to gauge how bad the problem is and perform an assessment without announcing the program’s intent and expectations. Transparency also allows employees to understand not just they way, but also what the InfoSec team expects.

Consider a positive framework to get started. If your anti-phishing program starts off with a downbeat message (e.g., “this is a compliance requirement” or “there may be repercussions for failure,” etc.), it can potentially weaken the program before it even starts. Rather, we suggest trying to empower people to become more successful. Show them the role they play and their value in protecting the business.

Changing employee behavior starts by creating a security culture with C-level support in an effort to help ensure anti-phishing training receives the attention it deserves. Programs of this type needs to be taken seriously or the program or could potentially run the risk of losing momentum.

At the start of any anti-phishing program, as well as over its lifetime, consider including the following stakeholders:

• Management
• Corporate communications
• Security incident response/operations
• Help desk
• Human resources (HR)

Employees should feel empowered. If they believe they are helping the company and making a difference, as opposed to simply taking a test, they will likely be more engaged. Empowering them and making them feel important to the success of the business can provide a boost to your anti¬-phishing program and result in an engaged workforce committed to organizational security.

Build a Custom Baseline

The purpose of the baseline is to assess what the business does in its organizational practice. Look across the organization at the technology in place, the primary business sector and the business operations employees follow. If emailing PDFs or worksheets is a common practice for expense reports or something similar, baseline to this. This is what the business does and what employees expect. It is also what attackers will model. Use this information in your simulations versus using simple, generic phishing simulations that don’t model threats the business faces.

Look for susceptibility trends, especially related to business practices. This could pose a real phishing risk and it can help you uncover your risk profile. You may find that 40 percent of employees open phishing email PDFs related to expense reports, while only 10 percent click on phishing emails containing a holiday greeting card. Focus on creating most of your testing emails around those more successful themes. Then, from time­-to-­time, try mixing in other variables such as payroll or benefits tests, special promotions or world events.

Over-Focusing on Click Rate

Often, organizations focus too much on click rate. While no program wants to see a high click rate, it is also not the key indicator of program success. If a company wants to drive its click rate down, it can overly simplify the simulation to something users are more likely to spot. But that’s not indicative of a real-world attack, and it ends up leaving the organization less safe/prepared, not more.

There are bound to be people clicking simulations. However, over time and with repetition, the program will mature and employees will become more resilient.

Reporting Is Essential

As employees are being conditioned to recognize and report suspicious phishing emails, reporting helps the security team find weaknesses in their technical controls. The fact that a suspicious email made it to the inbox and the employee recognized and reported it is one of the reasons phishing simulation is practiced. You want employees to not click, and also report the suspicious email to the security team.

To reach that goal, we suggest making reporting easy. If it’s easy, people are more likely do it. Enable phishing reporting within the email client, so employees just have to click to send the email to an abuse box for analysis by the security team.

Even if an employee clicks on a simulation or a real phish, require reporting anyway. It still demonstrates employees know what to do. Think of it this way; if an employee falls for a real phish, realizes what happened and reports it, the security team can get a copy of the email. Make sure employees realize they should always report it, even if they clicked on a simulation.

Ensure a Quick Response

Good anti-­phishing programs realize every employee that reports a potential phishing email is like a sensor on the network, and those reports need to be reviewed quickly and effectively. This will help ensure the same attack isn’t happening elsewhere, but if employees don’t receive timely feedback, they will be less likely to continue the desired behavior.

Effective incident response (IR) allows threats to be analyzed quickly, and for teams to act quickly. Otherwise, the security program may not advance as it should.

Once employees report a suspicious email, IR should:

• Provide feedback to reporting employees. At a minimum, IR should thank them and later follow up if the suspicious email is in fact malware.
• Analyze the reported email through various technologies available. Then, if the email is found to be a credible threat, teams can take action with countermeasures and hunt for compromised hosts and accounts.
• Perform a postmortem. The team should go back and analyze weaknesses in the infrastructure to determine what was done well and what can be improved.

Again, as part of this, collect data and reporting information, and don’t forget to use these real­-world examples for templates for future phishing simulations.

RELATED CONTENT: 10 Ways to Identify a Phishing Email

Phishing Simulation Best Practices and Scenarios

What are phishing simulation best practices and scenarios to consider as a part of the program? Areas to focus on include:

• Real-world scenarios: Base your scenarios on what is happening in the world and the company today. Working with your security operations center (SOC), IR and threat intelligence teams, identify real world phishing attacks seen in the wild by the security teams. For example:
  • Credential phishing
  • Business email compromise
  • File-sharing sites in the cloud
  • Ransomware-based, including malware attachments and links (drive-by downloads)
  • Scenarios based on the industry sector and business context
• Business vs. consumer scenarios: For example, SMiShing and Vishing still primarily target consumers, not enterprises. It’s better to focus on business risk scenarios.
• IR and intelligence: When real phish are reported, ensure they make it to the SOC/IR teams to incorporate into defenses. Employees should be adding intelligence for security teams to use.
• Targeting: Pay special attention to high-value targets, such as HR, IT administrators, accounts payable, sales and management.
• Training vs. punishment: Some organizations take a punitive approach when users fail to recognize/report phishing simulations, which could create fear and lack of trust. If employees fail simulations, work with them to get better versus naming and shaming or punishing.
• Cadence: Consider sending scenarios to employees every six weeks (meaning one or two per quarter). Also, when employees click on a simulation, consider increasing the frequency and backing it up with supplemental education to help them learn.
• Inclusion: Consider including the entire company in the program including senior management to help ensure top-down support for the program. Additionally, attackers target leadership, so management should be included in simulations.
• Metrics and reporting: Focus on tracking improvement over time. For example:
  • Increase in reporting
  • Reduction in susceptibility
  • Reduction in employees who clicked in the past
  • Improvements in SOC/IR response time to real phish
  • Reduction in IR costs

Even if the click rate goes higher, don’t be discouraged. It is indicative of the need to simulate more and prepare against attacks happening in the wild. This is better than having a false sense of security due to sending simulations that are too simple and make the program appear deceptively strong.

Anti-Phishing Program Success Factors

Anti-phishing is a journey, not a destination. Mature programs work to bridge the gap between the security awareness team and the SOC/IR teams. The two should work hand-in-hand, with technical teams providing real-world phish that can be simulated to test employees, and reported suspicious emails providing SOC/IR teams with new intelligence so they can implement better controls and hunt for additional compromise.

The biggest success factor is having management support to drive the program forward. Using the above practices will help keep the program on track and ensure your organization becomes more resilient to the threats you face, regardless of size and industry.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.