Our staff security awareness articles provide insights and advice on how to successfully implement security awareness initiatives in your organisation.

Now, more than ever, securing your data is about improving the awareness and astuteness of your staff regarding phishing and other similar scams. This can be a challenge because, let’s face it, behavioural change and human factors are not usually the IT department’s greatest strength.

Phishing attacks cost time, reputation and money – and the opportunities to penetrate your organisation increase with size.

3 Pillars for Security Awareness Success


“Are your staff going to be your greatest risk, or your greatest assets?”

That was the question posed by Damian Grace, General Manager of Phriendly Phishing – the comprehensive email security awareness program developed by Shearwater Solutions.

The modus operandi of those intent on harming your organisation has changed.

With the focus shifting away from hacking into network or web applications, principally due to significant advances in cybersecurity over recent years, human error is now the soft underbelly of many organisations.

Recently we’ve witnessed a marked uptick in email phishing, ransomware and malware, all designed to trick your staff into opening the wrong attachment or clicking the wrong link. Never have people been so under attack as they are now, with cyber-attacks ramping up across the board.

All it takes is one mistake and hackers, with the intent of stealing your confidential data assets, will have compromised your computer systems.

The impact on any organisation can be devastating – which is why every organisation requires a security awareness culture.

Only by inculcating your staff with a deep understanding of the threat profiles your organisation faces, and crucially, the role they need to play in mitigating those threats, will you begin to ensure your protection.


Change starts from the TOP

As an IT Manager, CTO or CISO, it’s imperative you persuade upper management to embrace a change in corporate culture. To achieve that, you need to understand what it takes to become an influencer within your organisation.

We know change is never easy. Especially the sort of long-lasting change that’s required to cultivate a security awareness culture. Grace likens it to pushing a big rock. At first the challenge seems insurmountable. But once you begin pushing and momentum builds, the task becomes easier.

While many stakeholders may initially be reluctant to embrace the sort of behavioural adjustment required to achieve a more robust cybersecurity posture, the task will be made easier if everyone involved understands the context.

Your entire staff, from top to bottom, needs to understand the reasoning behind the changes you’re seeking to implement and why it’s of critical importance to the organisation.

That’s why your most important initial task is to get upper management embracing your initiatives and leading the way.


Assess your current Learning Culture

Begin with a frank assessment of the learning culture currently existing in your organisation.

Even before commencing, you can determine how successful your attempts at cultural change will be based on existing attitudes. Our experience with Phriendly Phishing shows that non-mandatory training completion rates vary dramatically based on the learning culture that exists within an organisation.

TYPICAL NON-MANDATORY COMPLETION RATES BY LEARNING CULTURE

Learning Culture Completion Rate
Low or No Interest 40%
Indifferent 55-70%
Highly Engaged 80% +

If there is little to no interest in learning and acquiring new skills, unfortunately your task will be challenging. Luckily, among respondents to our poll, only 4% reported having a “no interest” culture.

By contrast, if your staff tends to be highly engaged and eager to expand their knowledge and embrace new strategies, your task will be much easier. With 27% of our poll respondents reporting a highly engaged workforce, that’s definitely good news.

However, by far the largest cohort of our poll respondents, in excess of two thirds, report an indifferent culture when it comes to change. This indicates the workforce will embrace change if required, but don’t seek it out otherwise. Whilst you will experience challenges changing the culture in such an organisation, you shouldn’t expect to receive too much intransigence or resistance. With a bit of effort, you should be able to achieve the results you want.

3 Pillars for Security Awareness Success Poll01

Whether your workplace shows no interest, is highly engaged or indifferent to learning, none of this is set in stone. With the right leadership, spearheaded by senior management, everything can change for the better.


Three Pillars to Create Strong Foundational Change

When considering how you can best enhance cybersecurity awareness in your organisation, it helps to focus on the following three pillars to ensure the new culture you’re cultivating is built on strong foundations:

Pillar 1: LEAD
Be a route or means of access to a particular place, or in a particular direction.

Real change starts from the top.

While you understand the importance of cultural change in reducing the organisation’s exposure to risk, upper management may not be sufficiently technologically literate to grasp the significance of what you’re proposing. However, it is vital to get their full support if your initiative is to succeed. This is to ensure your initiatives aren’t stymied by those within the organisation who may be resistant to change.

Following these 4 steps, you’ll stand a good chance of successfully persuading upper management of the necessity of your initiatives:

  1. Drive awareness by providing evidence to senior executives of the impact an organisation’s culture has on its bottom line.
  2. Demonstrate the impact your changes will have on the organisation by focusing on outcomes. By learning to translate “IT-speak” into “business-speak”, you’ll be able to align your initiatives with business metrics in a way that will be highly persuasive to upper management.
    Emphasise the costs of inaction. Ransomware attacks have the capacity to shut down business for multiple days, costing millions in lost data.
  3. Push to get agreement on moving forward with your change agenda.
  4. It’s vital to get firm commitments, preferably in writing.

While this process of persuasion won’t necessarily be easy, it is absolutely vital you lead the internal conversations within your organisation to get the commitment and support from upper management to succeed.

Engage by winning hearts and minds.

Traditional training methods are notoriously ineffective. Periodically pushing out highly technical information is not the way to engage people. That’s why it’s crucial you develop an effective plan that encourages people to embrace the project.

The training modules you use need to interests learners and be enjoyable. Importantly, you want to make sure people feel like winners.

Don’t make training too complex. Remember, every person has a unique comfort zone. Your goal should be to nudge them slightly beyond their comfort zone for long enough to enable them to absorb a new concept. This concept will then become part of their new, expanded comfort zone.

Through gradual, incremental training, you’ll achieve long-term cultural change.

This is what we’ve achieved with Phriendly Phishing. While we use challenging emails for our initial risk assessments, when it comes to raising awareness and achieving behavioural change, we use phishing emails that are more easily identifiable. This encourages people to learn, grow and build confidence. It makes them feel like winners.

We’ve also found that when testing behaviour, it’s best to send test emails randomly. There’s little point sending out test emails according to a pre-determined cadence, when the individual knows they’re being tested. By randomising your testing, you’ll gain a clearer insight into the effectiveness of your training.

Some other factors to consider when fostering engagement:

  • Whenever possible, focus on the personal benefits they will experience from the training. When it comes to email security, the awareness they develop through the training will assist them and their families stay safe online.
  • Ensure you map out training modules to align with your goals and communicate your timelines with participants. Long-lasting change may require a learning path over multiple years.

3 Pillars for Security Awareness Success Poll02

 

Pillar 3: CHANGE
An act or process through which something becomes different.

Long-lasting change requires ongoing training.

Don’t try to effect substantial cultural change overnight. It will take time. Start with small, bite-sized chunks, then progressively educate your staff about what changes they should make.

Crucially, staff need to understand the reasons behind the push for change.

This is why context is critical. When staff understand why they are being asked to change, and why it’s important for the organisation, you’ll generally achieve greater success.

Without this context and understanding, staff will be more likely to demonstrate resistance and your attempts to achieve cultural change will unlikely succeed.

We recommend focusing on the three R’s:

  • Repeat – Maintain ongoing, consistent and gradual approaches to achieving change.
  • Repair – Always seek to identify areas of weakness, where change hasn’t been achieved, and focus on those areas for improvement.
  • Report – Constantly monitor your progress and report back to stakeholders regularly.

In our experience, ongoing computer-based training (CBT) is the best model to follow. In the poll we conducted, almost half of respondents stated their organisations implement CBT strategies. A further 32% implement ad hoc training initiatives. While certainly this is a great start, it’s important to bear in mind that not all CBT is created equal. To be successful, CBT strategies need to be engaging and tailored to the individual requirements of different staff members.

3 Pillars for Security Awareness Success Poll03

 


Follow the Phriendly Phishing Model to Achieve Cultural Change

By implementing these three pillars, Phriendly Phishing is successfully changing the culture in many organisations surrounding email security awareness.

Phriendly Phishing’s engaging and interactive modules gradually progress learners through various pathways tailored to their individual levels of awareness. With incremental learning delivered this way, staff gradually build up their understanding of the threats posed by email phishing, and how they can play a crucial role in identifying such threats.

Importantly, staff are also made aware of the ways in which email security awareness can benefit them personally. The lessons learned are equally relevant for personal email. In this way, cultural change is more successful because it can personally benefit each staff member, as well as their families.

Ready to begin implementing cultural change in your organisation?
CLICK HERE to watch our webinar for more tips on how you can succeed.

Your staff is the front-line in your security strategy


“Every organisation is a custodian”.

That was the message delivered by Shannon Lane, Director of Shearwater Solutions when he addressed the team at ARC Student Life at the University of New South Wales.

We’re all entrusted to hold confidential information on behalf of our customers, staff and stakeholders. That’s just as true for a private business as it is for a university.

It’s a significant responsibility.

With others so reliant on us to safeguard their data, it’s incumbent upon each of us to do everything possible to maintain the highest levels of cyber security.

Large organisations, such as UNSW, maintain databases containing a vast array of private information. From financial reports, to student records and confidential staff information, any compromise could be extremely costly for both the university, as well as the individuals effected.

Data breaches can also be detrimental to an organisation’s reputation, undermining trust in its capacity to fulfil its role as a reliable custodian of other people’s records.

While most organisations understand the need to invest in data-protection technology to prevent hacking, malware or ransomware, those who are motivated to breach these defences are constantly on the lookout for new ways to circumvent security systems.

Unfortunately, human error by those within an organisation can be a weak link. By clicking on the wrong link in an email, or opening the wrong attachment, staff can inadvertently open the back door to hackers, enabling them to gain access to an organisation’s IT systems and steal confidential data.

That’s why it’s imperative for all organisations to provide staff with ongoing training in identifying potential risks.

In line with ARC Student Life’s strong commitment to data protection, it adopts a proactive approach to maintaining stringent cyber security measures, including staff-awareness campaigns.

Give your team the tools & skills they need to block phishing emails

Shearwater has developed Phriendly Phishing, a proprietary software system with training modules that makes it easy for any organisation to enhance its online security.

Phriendly Phishing Awareness Training


A key component of Shearwater’s approach is ongoing staff awareness and training.

The Phriendly Phishing S.C.A.M. framework makes it easy to educate staff in identifying and blocking phishing emails:

  • S – Sender: Who is really sending the email?
  • C – Content: What’s the email’s content?
  • A – Action: What action does the attacker want me to take?
  • M – Manage: What do I do with the scam email?

With this 4-step approach to email security, Lane helped arm the ARC Student Life team with the awareness they need to enhance their security posture.

How can Shearwater help you?

Visit us for further information about Shearwater’s Phriendly Phishing software, so your organisation will be best placed to prevent email being used as a tool to compromise the confidential data you’re entrusted to protect.

 


PhriendlyPhishing by Shearwater Solutions

Phishing Awareness Training & Simulation Program 

Phishing awareness training is a scaleable, cloud-based phishing awareness and simulation program developed by certified cybersecurity professionals at specialist information security services provider Shearwater Solutions. Phriendly Phishing benchmarks employees’ existing phishing knowledge (before deploying educational modules), tests improvements and supports re-education. This journey-based approach encourages users to reach milestones and includes an option to gain practical experience with simulated phishing campaigns. It is these features that make Phriendly Phishing both engaging and extremely effective, and through ongoing research and practical experience in the field, Phriendly Phishing developers ensure that training remains current with real-world phishing threats and techniques.

What you need to know about Business Email Compromise (BEC) attacks


Business Email Compromise (BEC) attacks are increasing at an alarming rate and look set to continue as a favoured method of cyberattack in the future. In this blog article, Shearwater’s social engineering and phishing expert, Damian Grace, provides guidance on what you can do TODAY to reduce your organisation’s risk.

In a concerning trend, Australia ranked second in the world (at 27.4%) for reports of attempted BEC attacks in the first half of 2017, (1) and reports to the ACSC’s, Australian Cybercrime Online Reporting Network (ACORN) during 2016-17, attributed losses of A$20 million to BEC attacks. This increase of 230% from the $8.6 million during 2015-16 “likely represents only a small percentage of total activity, as both misreporting and underreporting occurs.” say the ACSC in their 2017 Threat Report (2)

What draws cybercriminals to target Australian organisations in this way? Australia’s large number of online transactions, early adoption of emerging technologies and use of software favoured for exploitation by cybercriminals has a role to play, but it is mainly due to the fact that BEC attacks offer a great ROI for cybercriminals; providing high returns – with attacks originating from overseas currently having a low chance of prosecution.

What is a BEC attack?

A Business Email Compromise (BEC) is a form of spear (targeted) phishing that aims to trick employees (generally in finance or HR) into transferring funds into a ‘new’ business bank account (belonging to the cybercriminal) or sharing sensitive information at the request of a cybercriminal impersonating a senior executive.

Cybercriminals use social engineering and/or hacking techniques to compromise legitimate email accounts or spoof (create fake) emails to make them appear to be from a high-level employee, co-worker or supplier. The most commonly spoofed positions are the CEO and managing director, targeting the CFO and finance director (3)

The five common types of BEC attack are:

CEO Fraud

A scammer impersonates the CEO (or high ranking executives) then sends scam emails trying to get an employee to transfer funds or confidential information.

Attorney Impersonation

A scammer impersonates a law firm, or someone from a law firm, usually requesting that funds be transferred into an account to settle an ‘overdue bill’.

Fake Billing

A scammer hacks into the email account of a business that has a relationship with a supplier. They then impersonate the supplier and request that ‘unpaid bills’ be paid to a ‘new’ account.

Accont Compromise

A scammer hacks into the email account of an employee (usually Finance) and contacts customers on the contact list stating a problem with a payment and requesting that payments are made to a ‘new’ account.

Data Theft

A scammer impersonates targeted employees (usually HR) and then sends out requests to employees and executives requesting personal information verification or updates.

Cybercriminals use both a low quality (basic research), high quantity approach, bombarding an organisation with multiple spear phishing emails in the hope that a link will be clicked, and also a high quality (highly researched), low quantity approach, where it is much harder for employees to spot the difference between real and counterfeit emails and the more likely the email will pass spam filters and whitelisting.

A cybercriminal researches their targets using company websites, LinkedIn and social media to learn the names, work titles, email addresses and interests of their targets. Once they’ve compromised their target employee’s email account “they’ll generally wait and observe email communications for at least a month before initiating the attack,” say Shearwater’s Incident Response Team, based on their findings when providing post-attack security hardening services. They’ll look for upcoming travel and events, suppliers and regular financial transactions, the arrival of new starters and key decision makers taking leave in their target department.

BEC & Social Media
Cybercriminals research their targets using social media, in preparation for a BEC attack..

BEC attacks are dangerously effective because they are socially engineered – designed to leverage human nature. They will be addressed from a senior colleague or a supplier, may appear to cc other employees or be a forwarded email, will request actions within the target employee’s normal range of duties and will often display knowledge of confidential company information – all designed to reduce suspicion. Attacks are usually initiated when key decision makers are away from the office, at an inconvenient or busy time and the request is always ‘urgent’ and ‘important’.

There are 2 mechanisms for the delivery of a BEC attack.

Email spoofing

A range of tactics are used to make an email appear to be from a trusted source or colleague:

  • Using the email header – to make the message appear to have originated from a trusted source
  • Using an email address that is almost identical to the address they are impersonating
  • Using an almost identical domain name (that the cybercriminal has purchased and configured to look like the company domain.)

A spoofed email may contain a link that will install malware, leading to account compromise.

Account compromise

The attacker’s aim is to gain access to their target employee’s email account. This is commonly achieved using a phishing email which includes a link to install malware, phone-based vishing, or USB drop to trick victims into divulging login credentials or installing malware or keyloggers into their computers or devices. Once compromised, the attacker will monitor the account for opportunities for exploitation; using the account for further research and to send emails to target employees, taking steps to ensure that the legitimate owner of the account is unaware.

What you can do TODAY to protect your organisation


An effective defence from BEC attacks requires a proactive, three-pronged approach, focusing on:

  1. Employee training
  2. Updating business policies and procedures
  3. Selecting and configuring technology

1. Employee training

Ensure that ALL employees within your organisation receive the latest phishing prevention training. For a fast and effective solution, offering an excellent ROI, seek a third-party provider that can deliver a proven, scalable, cloud-based solution that incorporates engaging cybersecurity training and phishing simulations and reporting to benchmark and provide ongoing risk reduction. As BEC attacks generally target CEO, CFO, HR and finance roles, it is imperative that training is prioritised for these roles.

In the interim, advise employees of the tell-tale-signs of a basic BEC attack email. Look out for a combination of:

  • A request to change bank account details, make a money transfer or provide confidential information
  • A request that is urgent and requests secrecy.
  • An email signature that is missing, incomplete or incorrect
  • Poor grammar or spelling

If employees receive an email with these characteristics, they should:

  • Check the address in the ‘from’ field (is it really from who they think)
  • Check with the sender either face-to-face or by phone (using the company directory, NOT the contact details within the email)
  • Not open any attachments or click on any links
  • Notify their IT department.

Phriendly Phishing Training
Ensure that ALL employees receive the latest phishing prevention training.

2. Update policies and procedures

The following updates to your organisation’s policies and procedures will help to reduce your BEC attack risk and help you to correctly manage phishing emails that reach employee inboxes.

  • You may choose to make it mandatory that requests for transferring funds, payment changes or providing confidential information:

    • Are not made via email, and/or
    • Require a 2-step, or more, verification process, with written approval for large amounts and confirmation face-to-face or via telephone (using an internal phone book, NOT a number in the email)
  • Create/update policies and procedures for the safe handling of suspicious emails.
  • Create/update policies and procedures for communicating with suppliers.
  • Promote file sharing on your organisation’s internal networks to reduce the need to email files.

Ensure that ALL employees are made aware of these changes.

3. Select and configure technology

The following technology solutions will help to reduce your BEC attack risk by blocking or quarantining suspicious emails before they reach employee email inboxes and flagging higher risk emails or content to alert users.

Multi-factor authentication

  • Implement multi-factor authentication for both employee workstations and remote access, to make it harder for cybercriminals to compromise employee email inboxes.

Domains

  • Ensure your organisation publishes SenderID/SPF records for their domain and that checks are conducted on emails claiming to be sent from this domain. Request that your suppliers do the same.
  • Register domains that vary slightly from your organisation’s actual domain to prevent cybercriminals from being able to do this.
  • Implement/correctly configure Domain-based Message Authentication, Reporting and Conformance (DMARC) to enhance Sender Policy Framework (SPF) and/or Domain Keys Identified Mail (DKIM) to enable 2 email authentication technologies on all emails, to identify the sender of a message and:

    • Block SPF hard fails (emails verified as not originating from the domain they claim to originate from)
    • Block DKIM verification fails – log and investigate and inform the spoofed organisation
    • Quarantine and flag to users any SenderID/SPF soft fails

Flags and alerts

  • Flag external emails e.g. add [EXT] to the start of the subject
  • Set alerts on the creation of mail forwarding rules, or unusually high outbound email volumes.
  • Flag emails with extensions that are similar to your corporate email

Software and logging

  • Ensure that antivirus software is up-to-date and correctly configured.
  • Keep blacklisting and whitelisting up-to-date
  • Provide users with the ability to report suspicious emails to IT (e.g. with free outlook add-ins like S.C.A.M. Reporter)
  • Ensure that logging is switched on for the email content filter and email servers and that logs are regularly audited. If your organisation is the victim of a successful cyberattack, these logs will enable faster detection and remediation work.

Environments

  • Provide a safe environment for the IT security team to investigate suspicious emails.
  • Provide the ability for file sharing on your organisation’s internal networks to reduce the need to email documents.

If your organisation is high risk, the ACSC recommends the following to reduce the likelihood of a user clicking on a malicious link or opening a spoofed attachment(4):

  • Convert attachments to PDF (and quarantine originals)
  • Whitelist attachments based on file typing to identify and block spoofed attachments
  • Block encrypted attachments
  • Disable macros and JavaScript content and quarantine originals
  • Replace active web addresses in an email’s body with non-active versions. The user must then copy and paste the URL and will have the opportunity to detect a difference between the displayed and actual URL.
  • You may also wish to block any non-authorised third-party email services.

The three-pronged approach above provides general recommendations for reducing your organisation’s risk in relation to BEC attacks. For a more tailored approach, contact your cybersecurity partner to enquire about cybersecurity and information security risk assessment services.

Resources

Download a free poster to assist your employees to identify 5 Common Types of Business Email Compromise (BEC) Attack

References

  1. Micro 2017 Midyear Security Roundup: The Cost of Compromise
  2. Australian Cyber Security Centre 2017 Threat Report
  3. Trend Micro 2017 Midyear Security Roundup: The Cost of Compromise
  4. Malicious Email Mitigation Strategies

PhriendlyPhishing by Shearwater Solutions

Phishing Awareness Training & Simulation Program 

Phishing awareness training is a scaleable, cloud-based phishing awareness and simulation program developed by certified cybersecurity professionals at specialist information security services provider Shearwater Solutions. Phriendly Phishing benchmarks employees’ existing phishing knowledge (before deploying educational modules), tests improvements and supports re-education. This journey-based approach encourages users to reach milestones and includes an option to gain practical experience with simulated phishing campaigns. It is these features that make Phriendly Phishing both engaging and extremely effective, and through ongoing research and practical experience in the field, Phriendly Phishing developers ensure that training remains current with real-world phishing threats and techniques.

How to Make Sure your Phishing Awareness Initiatives Are Successful


Every organisation fosters a unique environment – the differences can be large and many.

Some have a strong culture of continuous learning, others not so much.

That being said, regardless of the structure and culture of your organisation, when it comes to phishing awareness initiatives there are key players that need to be included in your conversations to make sure you are successful in creating a security awareness culture.

In most mid-to-large organisations, the four key stakeholders that you will need to support your initiatives are:

  • Upper Management
  • Learning and Development Team
  • IT Security, and
  • Human Resources

A sure way to get on the bad side of these influential stakeholders is to loop them in at the last possible minute with something along the lines of “Oh, FYI – we’re starting a phishing awareness campaign next Monday. Thought you’d like to know!”

This is a sure-fire way to get them offside and have them push back against the initiative.

Bringing these influential parties into the conversation early and often, and arming yourself with the information they require, will help you nullify any objections.

Security awareness and, in particular phishing awareness, is so important in the modern workplace that we need to give it every chance to succeed. So how can you get these different groups across the line? After running phishing awareness campaigns for over 150,000 people covering almost every demographic, I have pulled together my personal cheat-sheet on tackling the hard questions with these key influencers.

 

 

 

 

 

 

 

 

 

 

 

 

Upper Management

Upper Management is by nature extremely interested in metrics, especially when it covers organisational risk and improvement over time. It is this combination of staff enrichment with hard evidence where we can appeal to Upper Management’s business goals.

I often hear that phishing is now among the top three risks discussed at a Board level, so having key on-going metrics that you can present to senior decision makers can be a door-opener to getting your project on the agenda.

When dealing with Upper Management, I recommend finding a balance between the data (such as phishing assessment results, click-through rates and training completion rates) and staff aspects. That is, while the data can spell out the situation in black and white, don’t underestimate the value senior decision makers place on a program that supports staff along the way with engaging content and a nurturing training environment.

Learning and Development (L&D) teams

The internal L&D team should have a better understanding of your staff learning culture than anyone else. As the L&D team are usually concerned with the training material itself, be prepared to answer questions like:

  • Does the training suit our environment and culture?
  • What are the learning outcomes, and will the learning material deliver those outcomes?

In most cases, L&D teams don’t typically have concerns over phishing simulation and assessment activities, but they are more concerned with the structure and quality of the training components.

The last thing you want to do is give the impression that you’re trying to go over the L&D team’s head. So, to bring this team along the journey, give them access to the training material as soon as possible, and provide an opportunity for them to take some ownership of the program. Blindsiding them and bringing them into the conversation late is a certain recipe for disaster.

IT Security

In many cases, IT Security teams approach phishing assessments in a certain way; that is, create a super hard phishing email and send it to as many people as possible with a goal to trick and deceive large swathes of the audience.

Fortunately, this old method is having less appeal to many stakeholders. As training and technology has improved, we have a better (and more effective) way of doing phishing assessments and awareness training using smart automation simulations that adapt to the user’s level of understanding.

IT Security teams are notoriously short of time and short-staffed, which is why you can score some easy wins by appealing to their desire to hit objectives using smart automation without compromising their outputs. From a ROI perspective, phishing campaigns are not often the best use of the IT Security’s time – this is where automation comes in. When you discuss your phishing campaign, you have the perfect opportunity to show how it’s possible to have the best of both worlds – effective phishing education and automation all at once.

Another way to win over these key decision makers is to offer access to this automation system – so that if they have a great phishing email they want to add to the campaigns, they can. Similarly, explain that if they are having a busy few months and have no time, the system should continue to run without their input. Giving IT Security the power to influence while still doing right by your staff is a great win/win.

 

 

Human Resources (HR)

HR acts as the advocate and conduit for your workforce, and as such, they are typically concerned with how users are going to be treated and how they will be made to feel during engagements. It shouldn’t come as a surprise; security teams have a history of performing phishing assessments that are far from respectful to the end user. In many cases, staff are often left feeling tricked, confused, and outright unhappy with the whole experience.

The biggest concern I see from HR is around transparency. HR often insists on telling users in advance about training and workplace changes. However, for phishing campaigns, telling staff upfront defeats the purpose of doing a phishing baseline – resulting in a warped gauge of the environmental risk and creating misleading data.

But there is an opportunity for a compromise.

If HR’s main concern is that staff are not being given a chance to be educated and warned before being tested by a simulated phishing email, there is a way to resolve this pain point. First, you can ease concerns by making sure that your simulated phishing emails look no different to the authentic phishing emails staff may receive any other day of the year – so be sure to make your simulations realistically undetectable. Second, make sure that your risk assessment baseline emails are anonymised and communicate that to HR. By removing the connections between the simulated phishing emails and your organisation, as well as anonymising the results, you can alleviate HR’s concerns and ensure users don’t feel tricked.

And lastly, but most importantly – The Staff

While your staff don’t need to be consulted upfront, in many ways your staff are the most important to win over. When it’s time to let them know about the initiative (typically just before the training starts), it’s important to frame the conversation or notification in a certain way to get maximum participation and personal buy-in.

Sadly, we often see this approach used in staff training: “Company X dictates that everyone must do this mandatory training by 12pm tomorrow!”. While it is a slight exaggeration, it probably captures the sentiment best. Nobody likes being told what to do, especially when they have no interest in it.

A better approach is to show the user how phishing has become such a huge issue. Not just for them, but for their kids, their parents, and their spouses. People are far less concerned about your organisation than they are about themselves and their family.

If you can show them how they can be the protector of their own domain with training that’s practical and interesting, you’ll see a new level of engagement and better results.

Don’t forget that many staff members have a fear of technical training. This fear, justified or not, needs to be addressed upfront. So, let users know that the training with be a fun and engaging experience, and make sure your training keeps the information at an appropriate and relaxed level.

Phishing awareness training is one of the most important areas of IT security in organisations today. By having a strategy, you can get the organisation moving together in a frictionless way. With a little extra thought, you’ll improve your risk profile and your staff will actually thank you for it – not to mention proving to stakeholders that your training is a complete success.


Understand your organisation’s phishing risk and train your staff to identify and manage phishing emails with our phishing awareness training and simulation solution. 

 

5 Tips for Successful Anti-Phishing Training for your Staff


I hear from potential clients all the time how they repeatedly get compromised by phishing-born attacks such as Ransomware. Often, they tell me they follow the age-old adage of telling their staff “Don’t click on links!” or by sending out notifications of current attacks, but they don’t really address the root of the problem – which is, lack of effective education.

So, if telling them “don’t click on links” doesn’t work, what can you do?

Here are a few of the key things you need to do to get users to become part of the solution, rather than part of the problem.

1.  Give them a reason to care – Most staff members don’t really care about the organisation they work for. They might be great at their job and take a keen interest in the company affairs – but ask them to do some awareness training in something they have no interest in and you’ll hear crickets.

There are gimmicks that can be used to get short term buy-in for the training program; but if you want a lasting effect, tie the communication back to how this problem affects their families and people they care about. When you give your staff the opportunity to become a protector of something they care about, not just your organisation, engagement becomes voluntary and much more compelling. This is when the real magic happens.

When they are asking to get a copy of the training for their kids, partners, and parents – you know you are on the right path.

2.  Treat staff with the respect they deserve – Spend enough time in IT circles and you’ll hear things like “dumb users”, “the users are stupid”, or “you can’t teach them anything”. This elitist thinking is one of the reasons IT departments in many organisations have a poor internal reputation.

It’s time we started looking at staff for who they are: specialists in their fields, which may not be IT. They would likely run rings around you and me in their area of expertise, but they just aren’t technologists. This is where you can fill in those gaps and teach them something new.

Take the time to treat the users with the respect they deserve across all communications, touch points, and testing regimes.

3.  Tricking is not training – Nobody likes to be tricked or conned, and your staff are no different.

Old-school phishing assessments can easily get your users offside and make those running the program feel superior because they fooled so many people. What other training techniques can you think of that take this approach and actually work?!

A proper anti-phishing program should never be about deception, it’s about providing staff the opportunity to learn and grow. In many cases it will take baby steps. You can’t teach advanced math by sending out advanced equations every month or so, you need to start with the basics and build it from there. Phishing is the same for many people, it can be extremely technical to a non-technical person. Humiliating your staff before they have even had the chance to learn from their mistakes is not the answer.


Take the time to treat the users with the respect they deserve across all communications, touch points, and testing regimes.

4.  Understand the audience – Users in most organisations are often non-technical people. In some cases, they are put off technical training because the past ‘old-fashioned’, dry, boring, and technical modules have left them feeling down or completely out of their depth.

We need to empathise and understand that each one of your staff members is starting off with a different level of expertise, capability and understanding of phishing and technology. A successful training program will need to cater to this and allow users to advance at their own pace.

5.  It’s not an overnight fix I’m sure by now you are seeing that phishing education is quite a tough subject for many people to become proficient at. To get a non-technical audience to understand how to detect phishing can require a fundamental change in their understanding and thinking.

Throughout training, your audience is learning new skills and techniques that they may have never used before, and as with any skill it takes time to learn it, become capable, and have it ingrained into everyday use. You need to devise a program that takes users on a journey from where they are now, right through to becoming a phishing expert. It will take training, practice and patience as there are no quick fixes, but the payout at the end will be worth it.


Understand your organisation’s phishing risk and train your staff to identify and manage phishing emails with our phishing awareness training and simulation solution.