How to use phishing testing
After a short discussion on twitter last week about phishing testing I thought I’d write a short piece on why I think it’s valuable and how we do it. You can read the twitter thread here – as you’ll see it started with the question as to whether people should be fired for failing multiple phishing tests. For the record, I think that’s a bad idea. As I noted I did once visit a company (some years ago now, and I was just being given a quick tour of their SOC) who told me they did this – three strikes and you’re out. It may or may not have been true, but I was quite surprised, not least as doing your own phishing was a pretty novel thing at the time.
Anyway, again to be clear, I think it’s a bad idea. Having people live in fear of security breaches or the security team is a poor idea generally and firing them for failing tests makes things worse.
Cyber security awareness training however is invaluable. I agree completely that it is down to companies to ensure they implement technology in the most secure way possible (e.g. using two factor authentication, encouraging password managers, keeping software up to date etc.) but the reality is lots of hacking (and more generally, fraud) has a strong ‘targeting people’ component. Add that to the fact that your staff will have their own smartphones and laptops on which they may access company information, or they may use personal online accounts (Facebook, twitter, LinkedIn etc all of which could be a vector for the compromise of your organisation) on your devices, and ensuring people are at least au fait with some common techniques used to persuade them to do the wrong thing is a smart idea.
Our awareness training sessions focus on a small number of behaviours that genuinely help people stay more secure. In no particular order these are:
- Never enter credentials if you click on a link in an email and end up at a login
- Enable 2FA on everything you can
- Unique passwords are vital. I encourage the use of a password manager, but also writing passwords down is acceptable (if you do this I recommend creating the unique passwords using the three random words technique)
Those are the key points, although I would typically cover a broader set of topics overall, tailored for the target audience. I think it’s best to make awareness sessions no more than an hour, and I think they should be empowering. People typically come in having no idea how hackers operate and (hopefully) leave with an understanding of how they may be targeted and, more importantly, what they can do about it. I personally like to use real life examples of phishing emails and other frauds to show people some typical social engineering techniques – how hackers and fraudsters play on urgency and fear of loss. It can also be useful to cover some of the techniques used by adversaries to gather information and create more targeted phishing emails. I would also use awareness sessions to tell people that you run phishing tests, what to expect, and to reinforce that they won’t get into trouble.
So bringing us full circle – where does phishing your own staff fit into awareness training? Awareness building has to be a process – you can’t do it once and forget. You need to train new staff, remind people of things they might’ve forgotten, and so on. Properly done, phishing tests are a great way to support that. Firstly, to repeat, they should be no fault, and it must be clear to anyone who falls for one that they are not in trouble. If they click the link and enter credentials, have them land on a page that tells them they have been phished, that it’s all ok, and that while they’re here they should take a minute to review the key learning points. Phishing tests can also be a useful opportunity to see if anyone remembers to report suspicious email (if you’ve encouraged people to do that).
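To show what a no-fault test actually measures, here is an added example (not from the original post or the author’s training service) that tallies a campaign’s outcomes from a constructed event log. The campaign names, users and the `campaign,user,event` format are assumptions; the point is that report rate, not just click rate, is the figure worth watching.

```python
from collections import defaultdict

# Constructed sample log for a hypothetical no-fault phishing test.
# Each line is campaign,user,event where event is one of:
#   sent       - the test email was delivered
#   clicked    - the user followed the link
#   submitted  - the user entered credentials on the landing page
#   reported   - the user reported the email as suspicious
SAMPLE_EVENTS = """\
q1,alice,sent
q1,alice,reported
q1,bob,sent
q1,bob,clicked
q1,carol,sent
q1,carol,clicked
q1,carol,submitted
q1,carol,reported
q1,dave,sent
q2,alice,sent
q2,alice,clicked
q2,bob,sent
q2,bob,reported
"""

def parse_events(text):
    """Return {campaign: {event: set(users)}}; sets de-duplicate repeat clicks."""
    events = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        if not line.strip():
            continue
        campaign, user, event = (f.strip() for f in line.split(",", 2))
        events[campaign][event].add(user)
    return events

def summarise(text):
    """Per-campaign rates, each as a fraction of users who were sent the email."""
    summary = {}
    for campaign, ev in parse_events(text).items():
        sent = len(ev["sent"])
        rate = lambda users: round(len(users) / sent, 3) if sent else 0.0
        summary[campaign] = {
            "sent": sent,
            "click_rate": rate(ev["clicked"]),
            "submit_rate": rate(ev["submitted"]),
            "report_rate": rate(ev["reported"]),
            # Users who reported without clicking: the behaviour the training aims for.
            "reported_without_clicking": len(ev["reported"] - ev["clicked"]),
        }
    return summary

if __name__ == "__main__":
    for campaign, stats in summarise(SAMPLE_EVENTS).items():
        print(campaign, stats)
```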
Finally, I think phishing tests stand as a reminder that the security team (or person!) exists, and I don’t mean that in a scary, always watching sort of a way. Security teams often don’t have a high profile, or are seen as the people who always say no. Phishing tests can be a reminder that you’re there, doing your job, protecting the organisation and encouraging your co-workers to do their best to do the same. If nothing else they should encourage vigilance.
That’s a short ramble through why I think awareness training in particular is important, and why doing your own phishing can be useful. We have more information about our training services here. If you’re interested in us helping you, please get in touch. We will work with you to deliver training that is appropriate for your organisation, whether you decide you want the phishing bit or not!
Thanks for reading