Save time with unbiased, independent feedback on vendor solutions.
Watch weekly bite-sized webinars hosted by IANS Faculty.
People can become an asset to a business when they can detect and report suspicious phishing emails that bypass technologies designed to stop the threat. When people detect and escalate to security teams, they can help stop phishing attacks.
Successful anti-phishing programs are transparent, positive and foster a strong security culture across the business. They don’t focus solely on click rate, but instead on performing real-world phishing simulations based on actual business operations
and threats. Successful anti-phishing programs also emphasize reporting, fast response, links to threat intelligence and metrics that demonstrate results over time. Lastly, an important factor is having management support to drive the program forward.
Anti-phishing training helps organizations defend their business. Phishing is a common means for attackers to gain an initial foothold into businesses, and from there, are able to pivot, move laterally, maintain persistence and ultimately exfiltrate data.
When getting started with an anti-phishing program, consider a more overt, rather than covert approach, and explain to employees what is being done and why. Some companies first try to gauge how bad the problem is and perform an assessment without announcing
the program’s intent and expectations. Transparency also allows employees to understand not just they way, but also what the InfoSec team expects.
Consider a positive framework to get started. If your anti-phishing program starts off with a downbeat message (e.g., “this is a compliance requirement” or “there may be repercussions for failure,” etc.), it can potentially weaken
the program before it even starts. Rather, we suggest trying to empower people to become more successful. Show them the role they play and their value in protecting the business.
Changing employee behavior starts by creating a security culture with C-level support in an effort to help ensure anti-phishing training receives the attention it deserves. Programs of this type needs to be taken seriously or the program or could potentially
run the risk of losing momentum.
At the start of any anti-phishing program, as well as over its lifetime, consider including the following stakeholders:
Employees should feel empowered. If they believe they are helping the company and making a difference, as opposed to simply taking a test, they will likely be more engaged. Empowering them and making them feel important to the success of the business
can provide a boost to your anti¬-phishing program and result in an engaged workforce committed to organizational security.
The purpose of the baseline is to assess what the business does in its organizational practice. Look across the organization at the technology in place, the primary business sector and the business operations employees follow. If emailing PDFs or worksheets
is a common practice for expense reports or something similar, baseline to this. This is what the business does and what employees expect. It is also what attackers will model. Use this information in your simulations versus using simple, generic
phishing simulations that don’t model threats the business faces.
Look for susceptibility trends, especially related to business practices. This could pose a real phishing risk and it can help you uncover your risk profile. You may find that 40 percent of employees open phishing email PDFs related to expense reports,
while only 10 percent click on phishing emails containing a holiday greeting card. Focus on creating most of your testing emails around those more successful themes. Then, from time-to-time, try mixing in other variables such as payroll
or benefits tests, special promotions or world events.
Often, organizations focus too much on click rate. While no program wants to see a high click rate, it is also not the key indicator of program success. If a company wants to drive its click rate down, it can overly simplify the simulation to something
users are more likely to spot. But that’s not indicative of a real-world attack, and it ends up leaving the organization less safe/prepared, not more.
There are bound to be people clicking simulations. However, over time and with repetition, the program will mature and employees will become more resilient.
As employees are being conditioned to recognize and report suspicious phishing emails, reporting helps the security team find weaknesses in their technical controls. The fact that a suspicious email made it to the inbox and the employee recognized and
reported it is one of the reasons phishing simulation is practiced. You want employees to not click, and also report the suspicious email to the security team.
To reach that goal, we suggest making reporting easy. If it’s easy, people are more likely do it. Enable phishing reporting within the email client, so employees just have to click to send the email to an abuse box for analysis by the security
Even if an employee clicks on a simulation or a real phish, require reporting anyway. It still demonstrates employees know what to do. Think of it this way; if an employee falls for a real phish, realizes what happened and reports it, the security team
can get a copy of the email. Make sure employees realize they should always report it, even if they clicked on a simulation.
Good anti-phishing programs realize every employee that reports a potential phishing email is like a sensor on the network, and those reports need to be reviewed quickly and effectively. This will help ensure the same attack isn’t happening
elsewhere, but if employees don’t receive timely feedback, they will be less likely to continue the desired behavior.
Effective incident response (IR) allows threats to be analyzed quickly, and for teams to act quickly. Otherwise, the security program may not advance as it should.
Once employees report a suspicious email, IR should:
Again, as part of this, collect data and reporting information, and don’t forget to use these real-world examples for templates for future phishing simulations.
RELATED CONTENT: 10 Ways to Identify a Phishing Email
What are phishing simulation best practices and scenarios to consider as a part of the program? Areas to focus on include:
Even if the click rate goes higher, don’t be discouraged. It is indicative of the need to simulate more and prepare against attacks happening in the wild. This is better than having a false sense of security due to sending simulations that are too
simple and make the program appear deceptively strong.
Anti-phishing is a journey, not a destination. Mature programs work to bridge the gap between the security awareness team and the SOC/IR teams. The two should work hand-in-hand, with technical teams providing real-world phish that can be simulated to
test employees, and reported suspicious emails providing SOC/IR teams with new intelligence so they can implement better controls and hunt for additional compromise.
The biggest success factor is having management support to drive the program forward. Using the above practices will help keep the program on track and ensure your organization becomes more resilient to the threats you face, regardless of size and industry.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
December 7, 2023
By IANS Research
Learn how to create an actionable CISO dashboard with meaningful security metrics using the three C’s principle that supports informed decision-making.
December 5, 2023
By Bryson Bort
As the year draws to a close, IANS Faculty provide their 2024 Cyber Predictions. Watch our video with Bryson Bort for tips on planning your 2024 IT/OT security strategy.
November 30, 2023
CISOs, find guidance on what to focus on within the first 30 days, 6 months and first year of your tenure to ensure a fast, successful start.