Our staff security awareness articles provide insights and advice on how to successfully implement security awareness initiatives in your organisation.

Now, more than ever, securing your data is about improving the awareness and astuteness of your staff regarding phishing and other similar scams. This can be a challenge because, let’s face it, behavioural change and human factors are not usually the IT department’s greatest strength.

Phishing attacks cost time, reputation and money – and the opportunities to penetrate your organisation increase with size.

What is security documentation?

So, you have been told by an auditor that your security policies and other security documentation are out of date or non-existent.

“Okay, so let’s draft a two-page policy and tick that box”.

Such glib responses are all too common. This is definitely not an appropriate way to address your organisation’s risk-profile and enhance your security posture.

At the other extreme, some organisations become mired in the process. I’ve witnessed organisations take over 12 months, with multiple iterations, trying to develop security policies. There is a fear that comprehensive security policies will be too restrictive and crippling, even when taking into account the organisation’s specific requirements.

So, what exactly does security documentation consist of and what value does it add?

What is security documentation?Some obvious documents include Agency Security Policies and Acceptable Use Policies. However, the spectrum of security documentation is far broader and can include standards, plans, policies, operational documentation and registers, and system specific documentation and registers.

Security documentation should be more than just rule-setting. Whilst it does help define the expectations of how people work, importantly it should also provide direction on how to get things done in a secure, consistent, and efficient manner.

The entire IT landscape, in particular the connected cyber world in which we all live, is changing rapidly. Developing, maintaining and actively using updated security documentation helps ensure staff are working securely. The right documentation is also a necessary precursor to ensure systems and information are appropriately secured. Documentation also keeps staff up to date with changes, itself a form of on the job training.

In today’s complex world, it is almost impossible to write concise, user-friendly policies and standards that meet every business need. It is therefore important that security documentation is drafted to meet most users’ needs for most of their daily activities. Exception handling processes should be available to ensure special circumstances are considered in a controlled and risk-based manner. Staff are more satisfied when most of their work can be undertaken seamlessly, so that whenever they have special requirements, those can be considered rather than just being told “no”.

Some documentation, such as incident response plans and in-depth procedures, may not be used frequently, however are equally important. When key subject matter experts are unavailable, or when things go wrong, there is usually still a focus on getting the job done quickly. Without the guidance of well thought out documentation, things can and do go wrong. In the rush to get things done, for example when restoring system availability after a cyber incident, it can be easy to lose forensic evidence, thereby hindering the ability to understand how the system was compromised. This means protective measures to stop future incidents cannot be put in place and it may be difficult to determine the full impact, such as knowing if sensitive information was stolen.


How Shearwater can help you?

When it comes to developing comprehensive security policies and documentation for your organisation, you need to get the balance right.

You need to ensure your policies have sufficient breadth and depth so they make a positive contribution to enhancing your organisation’s security. At the same time, they shouldn’t be so cumbersome that they hinder your operational performance.

With Shearwater’s security consultants, your organisation can be confident of getting the balance right. Our team of experts will analyse your business practices and assess your circumstances using a risk-based approach. We will work with you to ensure the security policies and documentation are appropriate and achieve the right outcomes for your organisation.

Contact us today on 1800 283 613 to discuss your needs with one of our consultants.


Business Email Compromise – Advisory

Business Email Compromise (BEC) attacks are increasingly prevalent. While there are several varieties of BEC attacks, the majority manifest themselves as follows:

A phishing email is sent to an intended target. The target is prompted to enter their credentials on a website, after which the attacker gains access to their mailbox. 

Typically, a forwarding rule is created to send emails to an external mailbox, RSS feed, or a different subfolder.

This flow of emails is monitored. When an invoice email is seen, the attacker may attempt to hijack the conversation. Precisely how this is done depends on the account they have compromised and whether the organisation is receiving a payment or needs to make a payment.  Often there will be a request to change payment details, resulting in money being paid into the attacker’s account. 


What can your organisation do to prevent a BEC attack?

  1. Have a good process for changing any payment details that does not involve emails, or information contained in an email.
  2. Enable Multi Factor Authentication (MFA) when using o365. Should credentials be compromised, the user will be prompted to supply their MFA at a time when they are not expecting this. The attacker will be denied access to the account unless permission is provided.

Recently, it was discovered that accessing a mailbox was possible in some instances, despite MFA being enabled. Following an investigation and subsequent testing, it was found that o365 mailboxes could be accessed using protocols other than the standard protocol used by your outlook client.

This was the case when IMAP and POP3 protocols were being used to access o365 mailboxes.

When either of these protocols are used, only the standard UserID and password are required to access the mailbox. There is no prompting for MFA.

Whilst a UserID and password help limit attackers, accessing email through IMAP and POP3 circumvents the MFA that’s enabled on o365 accounts.

Whilst Microsoft does encourage tenants to disable legacy authentication methods and protocols when enabling MFA, it’s currently not the default. Many organisations still have these protocols available for use on all mailboxes.

So, in addition to switching on logging, enabling MFA and having good processes when dealing with payment changes, it is also preferable to switch off IMAP and POP3 on all user accounts in o365.(1)

However, before doing so, there are a few things you need to keep in mind:

  • You may have service accounts that access particular mailboxes using IMAP or POP3 as part of a business process. You may need to make an exception for these mailboxes.
  • Older Android phones may access o365 using IMAP or POP3.
  • Mail applications on IOS (excluding apple mail and outlook) may use IMAP or POP3
  • Integration between different cloud services that use email, may use one of these two protocols to access the mailbox.

In other words, take care when disabling IMAP or POP3. However, doing so will help protect your organisation from a BEC attack that uses this particular approach. 


(1) You can do this using the exchange portal under office.com.


Phishing Awareness Training & Simulation Program 

Phishing awareness training is a scaleable, cloud-based phishing awareness and simulation program developed by certified cybersecurity professionals at specialist information security services provider Shearwater Solutions. Phriendly Phishing benchmarks employees’ existing phishing knowledge (before deploying educational modules), tests improvements and supports re-education. This journey-based approach encourages users to reach milestones and includes an option to gain practical experience with simulated phishing campaigns. It is these features that make Phriendly Phishing both engaging and extremely effective, and through ongoing research and practical experience in the field, Phriendly Phishing developers ensure that training remains current with real-world phishing threats and techniques.

Gone Phishing

Shearwater spearheads innovation to improve email security

It’s the bane of every IT department’s existence:
How to weed out dangerous emails without also blocking legitimate ones.


False Positive: An email that’s been wrongly identified as dangerous, when in fact it is safe.
False Negative: An email that’s been wrongly identified as safe, when in fact it is dangerous.

IT teams face a near impossible balancing act. They need to keep the organisation’s infrastructure and systems safe. But at the same time, they also need to ensure operations are not impeded by over-zealous security measures.


Staking your security on reputation alone is risky business.

Typically, an organisation’s IT department relies on reputation-based intelligence to determine if an email should be considered high-risk. Relying on dynamic databases of known IP addresses, from which phishing emails have been sent in the past, any emails originating from these sources will be flagged and weeded out.

Certainly, this strategy is preferable to no strategy. However, it is far from foolproof.

IP addresses sending phishing email that have yet to be identified won’t be blocked. Likewise, if a trusted IP address is compromised by hackers who send out phishing emails, these could be let through your security filters with potentially devastating consequences.

That’s where staff training steps in. It’s the people within an organisation that represent the last line of defence. Organisations rely on people having the skills to identify potentially dangerous email, and to notify their IT department about it.

Naturally, errors occur. People often mistake phishing emails for legitimate correspondence. Once a dangerous link or attachment has been clicked, the damage has been done.


Shearwater’s commitment to email security is long-standing.

Shearwater’s Phriendly Phishing awareness product leads the way in giving people the skills they need to identify and report malicious email. With ongoing training modules that get progressively more advanced, people within an organisation become significantly more adept at stopping phishing emails in their tracks.

However, with hackers adopting increasingly sophisticated tactics, those of us developing defensive strategies are also constantly striving for improvement.


Using data to drive new insights.

Working with organisations across multiple industries, both in Australia and globally, Shearwater has accumulated extensive datasets. With this data identifying the origins of dangerous emails, as well as the destinations of any links they contain, it is a treasure-trove of potentially useful information that can be used in the fight against phishing.

When Lachlan Gabb, a Shearwater security analyst and Bachelor of IT (Network Security) student at TAFE NSW, suggested an innovative approach, his initiative was encouraged as potentially offering organisations a new defensive weapon.


Mapping the world of email phishing.

As part of his final-year capstone project, Lachlan wanted to deep-dive into Shearwater’s datasets, with the intention of identifying patterns of behaviour used by those sending phishing emails.

The first step was anonymising the data. Due to the confidential nature of many of the emails, only data specifically relevant to Lachlan’s project was extracted and internally processed on dedicated, secure systems.

Using data visualisation methods, Lachlan successfully mapped many thousands of phishing emails, showing clear trends in terms of origin and destination. He was able to generate interactive animations showing both sender and receiver locations, as well as any link locations contained in the emails.


Interestingly, Lachlan was able to visually demonstrate that source countries for phishing emails are not usually the same as link destination countries. While email source countries are often those with less robust cybersecurity governance and controls, the links contained in those emails often direct to countries not known for malicious activities and with reputations for more sophisticated law-enforcement.


The ongoing fight to stop phishing.

Work continues to implement the findings of Lachlan’s data analysis into Shearwater’s email security platforms, so organisations can benefit from its insights. With the focus of Lachlan’s research thus far mainly centred on English-speaking countries, the next stage is to expand the analysis to include other countries, providing an even more comprehensive understanding into the patterns of behaviour used by those engaging in email phishing.



How Shearwater can help you?

If your organisation isn’t yet taking the threat posed by phishing email seriously, it’s time you started.

The costs associated with ransomware and malware can be crippling.

Yet there are steps you can take to help safeguard your organisation.

With Shearwater actively engaged in research to continuously drive improvements in email security, SPEAK TO US TODAY to learn how you can benefit from our research and expertise.

PhriendlyPhishing by Shearwater Solutions

Phishing Awareness Training & Simulation Program 

Phishing awareness training is a scaleable, cloud-based phishing awareness and simulation program developed by certified cybersecurity professionals at specialist information security services provider Shearwater Solutions. Phriendly Phishing benchmarks employees’ existing phishing knowledge (before deploying educational modules), tests improvements and supports re-education. This journey-based approach encourages users to reach milestones and includes an option to gain practical experience with simulated phishing campaigns. It is these features that make Phriendly Phishing both engaging and extremely effective, and through ongoing research and practical experience in the field, Phriendly Phishing developers ensure that training remains current with real-world phishing threats and techniques.



Machine Learning Boosts Cybersecurity

Robots are taking over the world!

That’s the dystopian vision conjured in the minds of many when talking about Machine Learning.

But don’t be swayed by the hysteria. Machine Learning offers enormous potential. The key is to find ways to leverage it so it opens up new insights into patterns that we humans simply can’t detect without a bit of computer assistance. 

At Shearwater, our commitment is to your security. We are constantly on the hunt for new and innovative ways to defend organisations from a broad range of cyber threats.

We believe Machine Learning can play a significant role in the quest to achieve stronger levels of cybersecurity.

The challenge of identifying threats

Network security monitoring requires a broad range of technologies and tools. To achieve a comprehensive security posture, each of them needs to work together harmoniously.

However, getting them to communicate with each other can be a major challenge.

When the plethora of tools don’t communicate with each other, there’s a risk you’ll only gain visibility into a small fraction of network access requests.

And even if you do achieve a high level of visibility, deciphering all the data requires specialist skills.

Security Information and Event Management (SIEM) provides a solution by collecting information, aggregating it and turning it into insightful, meaningful knowledge.

In theory all your network activity will be logged and you’ll have the required visibility.

Perfect!  The end.

Not quite…visibility is only half the battle.

Attackers are operating under a cloak of anonymity, often disguised as day-to-day users. Significantly, the most serious threats are the ones you can’t see. Attempting to identify their activity among the troves of logs can be difficult and cumbersome.

Just imagine the vast depth of data your network security tools record each day:

· Application logs
· System logs
· Security logs

And that’s just the beginning. Consider every failed password attempt – it would also generate a log. There can be literally thousands of these logs each day. And this represents a tiny fraction of the activity being recorded.

What is Machine Learning and how can it enhance your security posture?

It’s clear the traditional approach for logging and flagging security threats in organisations is far from efficient.

However, Machine Learning can assist us in this task by providing some degree of automation.

By tapping into the potential of Machine Learning, there exists the possibility of mapping datasets, from which the computer can learn to identify and flag potential threats. Over time, the computer will learn from both its successes and failures to enhance performance automatically without the need to be explicitly programmed.

Harnessing this technology can quickly and automatically produce models that can be used to analyse even larger, more complex datasets. This in turn delivers more accurate results, more efficiently.

Enter Ken Liu, Shearwater’s latest security protégé.

 Ken Liu

Ken Liu

Ken, a Shearwater Security Analyst and recent graduate from the Bachelor of IT (Network Security) degree at TAFE NSW, is a keen Machine Learning student.

As part of his studies, Ken’s research focused on training a computer to monitor logs of server “traffic.” By analysing extensive database logs, Ken enabled the computer to identify what appeared to be “normal” events that weren’t in fact actually “normal” at all – they were hackers in disguise!

With this level of insight, Ken was then able to factor in other known issues and feed them back into the system. For example, as the machine learnt to successfully identify and flag significant events, it remembered how to detect them in the future.

This saved Ken hours of data trawling and created a virtuous learning cycle.

Achieving accuracy was challenging due to several false negatives in which potential threats were flagged that were not in fact threats.

Yet, with ongoing support and assistance from the Shearwater team, Ken was able to overcome this challenge and achieve a much higher level of probability that only genuine threats were being highlighted.

This offers an instructive lesson: for Machine Learning to succeed in providing value, it requires an element of human experience and intuition. By combining the strengths of a computer’s analytical and pattern-matching capabilities, together with human experience and intuition, Ken was able to achieve an optimal outcome.

Humans provide the thinking.
Computers provide the horsepower.

Through his research, Ken also found that different approaches were required for analysing different database logs using Machine Learning. A one-size-fits-all strategy will not work. Every organisation requires a unique approach, as each differs vastly in terms of size, industry and their own internal IT environments.

So, what’s next?

Ken is planning additional Machine Learning research with a view to integrating his work with the advanced security monitoring systems Shearwater already uses.

By integrating the insights gained from his work, Ken believes Shearwater will be able to improve the quality and efficiency of the security services it offers clients.


How Shearwater can help you?

Do you need to get a handle on your logs? Does your organisation have a plethora of security systems that are not communicating with each other effectively?

If you’re in need of an integrated SIEM strategy and want to take advantage of Shearwater’s commitment to innovation in the security space, speak with our Managed Security Services team today.

By tapping into our expertise and innovations, you’ll enhance your organisation’s security capabilities to protect yourself from the growing range of threats.




Innovating with Data

Shearwater champions new insights in battle against BEC

The data is in and the picture it paints isn’t good.

For thousands of recent Australian victims, the fact that Business Email Compromise (BEC) attacks are on the rise comes as no surprise.

BEC continues to be a highly profitable attack vector for cybercriminals.

Using highly sophisticated methods, attackers are targeting businesses across the world, and we are particularly vulnerable.

According to the Australian Competition and Consumer Commission (ACCC), BEC losses exceeded $3.8 million in 2018, representing a 53 percent increase from the previous year.

Combine these losses with those reported to the Australian Cybercrime Online Reporting Network, and email scams have cost Australian businesses in excess of $60 million!

Clearly new strategies are needed to fight this growing threat.


Using data to drive new insights

When it comes to the battle for email security, data offers us potential new strategies by yielding fresh insights. 

During her final year as a student in the Bachelor of IT (Network Security) program at TAFE NSW, Fariha Uddin undertook her capstone project in conjunction with Shearwater.

Together, we sourced vast sets of email metadata that had been used by Enron, the defunct US energy giant.

Why Enron? As a large organisation that no longer exists, we could access many years’ worth of publicly available historical metadata, without breaching any privacy requirements.

By doing a deep dive into their metadata, Fariha was able to identify important patterns of behavior. Using heat-mapping data visualization techniques, Fariha explored the vast volumes of email traffic, and the times of day they were transmitted.

The key questions Fariha was seeking to answer included:

· When were emails sent and received?
· Who sent or received them?
· At what times of the day?
· Were they from internal or external sources?

This data offers the potential of yielding valuable insights to help predict where and when a BEC attack is likely to occur.


What are BEC attacks?

What are BEC attacks?BEC attacks prey on people’s innate desire to be helpful by quickly responding to “urgent” or “important” email requests from superiors or suppliers. 

Attack emails are sent from a compromised or spoofed email account with a forged sender address.  The emails are cunningly crafted to persuade employees to transfer funds into a ‘new’ bank account.

For example, a CFO may regularly send requests to a member of their accounts team with instructions to pay for certain goods or services. A BEC email would exactly replicate the nature of such email requests, including the day and time when they are usually sent. The only difference would be that the fake CFO email would contain bank account details belonging to the attacker. The unsuspecting member of the accounts team would make the payment in line with the instructions in the fake CFO email. By the time the error is discovered, the attacker will have received the funds.

The high-quality nature of the emails and sending them at times when the employee is known to be under stress or particularly busy, make BEC email attacks extremely effective.

BEC attacks often occur after a prior phishing attack. A successful phishing attack can disclose valuable information to the attacker, such as the Chief Financial Officer’s correspondence, schedules, calendars, and much more. This detailed information enables the attacker to know the types of requests the CFO usually makes of their staff, the times they usually make them, and even their writing style can be impersonated.

Armed with so much valuable information, the attacker is able to ensure the requests to transfer funds seem like business as usual to staff in the organisation.

Knowing the tactics that are being used, Shearwater is keen to explore new avenues that can help us get one step ahead of the cybercriminals.


What have we learnt?

Thanks to Fariha’s analysis of the Enron email trove, new perspectives were ascertained to answer the critical question:

Who, in an organisation, is most likely to be susceptible to a BEC attack?

From her data analysis, we were able to visualise “normal” email behaviour patterns. Anything that did not conform to “normal” behaviour was flagged as a sign of a possible attack.

If we can learn who the attackers are likely to target, extra training can be provided to these individuals. Furthermore, care may need to be taken to ensure they are not deluged with email, so they have the capacity to adequately verify the veracity of items landing in their inboxes.

The collaboration between Fariha and Shearwater was so successful that this project will continue to Phase 2 and will be passed onto another student for further development.


How Shearwater can help you?

Shearwater’s commitment to innovation in the email security space is uncovering important insights that may ultimately prove invaluable in the battle to improve email security.

With rapidly escalating costs associated with BEC email attacks, such innovation is timely.

By developing the talents of the next generation of cybersecurity professionals with real-world problems to solve, Shearwater is looking to the long-term to provide a safer connected world.

If you want to have the latest email security in your organisation, speak to Shearwater.
Our commitment to innovation will give you the best chance to stay safe.



PhriendlyPhishing by Shearwater Solutions

Phishing Awareness Training & Simulation Program 

Phishing awareness training is a scaleable, cloud-based phishing awareness and simulation program developed by certified cybersecurity professionals at specialist information security services provider Shearwater Solutions. Phriendly Phishing benchmarks employees’ existing phishing knowledge (before deploying educational modules), tests improvements and supports re-education. This journey-based approach encourages users to reach milestones and includes an option to gain practical experience with simulated phishing campaigns. It is these features that make Phriendly Phishing both engaging and extremely effective, and through ongoing research and practical experience in the field, Phriendly Phishing developers ensure that training remains current with real-world phishing threats and techniques.

3 Pillars for Security Awareness Success

“Are your staff going to be your greatest risk, or your greatest assets?”

That was the question posed by Damian Grace, General Manager of Phriendly Phishing – the comprehensive email security awareness program developed by Shearwater Solutions.

The modus operandi of those intent on harming your organisation has changed.

With the focus shifting away from hacking into network or web applications, principally due to significant advances in cybersecurity over recent years, human error is now the soft underbelly of many organisations.

Recently we’ve witnessed a marked uptick in email phishing, ransomware and malware, all designed to trick your staff into opening the wrong attachment or clicking the wrong link. Never have people been so under attack as they are now, with cyber-attacks ramping up across the board.

All it takes is one mistake and hackers, with the intent of stealing your confidential data assets, will have compromised your computer systems.

The impact on any organisation can be devastating – which is why every organisation requires a security awareness culture.

Only by inculcating your staff with a deep understanding of the threat profiles your organisation faces, and crucially, the role they need to play in mitigating those threats, will you begin to ensure your protection.

Change starts from the TOP

As an IT Manager, CTO or CISO, it’s imperative you persuade upper management to embrace a change in corporate culture. To achieve that, you need to understand what it takes to become an influencer within your organisation.

We know change is never easy. Especially the sort of long-lasting change that’s required to cultivate a security awareness culture. Grace likens it to pushing a big rock. At first the challenge seems insurmountable. But once you begin pushing and momentum builds, the task becomes easier.

While many stakeholders may initially be reluctant to embrace the sort of behavioural adjustment required to achieve a more robust cybersecurity posture, the task will be made easier if everyone involved understands the context.

Your entire staff, from top to bottom, needs to understand the reasoning behind the changes you’re seeking to implement and why it’s of critical importance to the organisation.

That’s why your most important initial task is to get upper management embracing your initiatives and leading the way.

Assess your current Learning Culture

Begin with a frank assessment of the learning culture currently existing in your organisation.

Even before commencing, you can determine how successful your attempts at cultural change will be based on existing attitudes. Our experience with Phriendly Phishing shows that non-mandatory training completion rates vary dramatically based on the learning culture that exists within an organisation.


Learning Culture Completion Rate
Low or No Interest 40%
Indifferent 55-70%
Highly Engaged 80% +

If there is little to no interest in learning and acquiring new skills, unfortunately your task will be challenging. Luckily, among respondents to our poll, only 4% reported having a “no interest” culture.

By contrast, if your staff tends to be highly engaged and eager to expand their knowledge and embrace new strategies, your task will be much easier. With 27% of our poll respondents reporting a highly engaged workforce, that’s definitely good news.

However, by far the largest cohort of our poll respondents, in excess of two thirds, report an indifferent culture when it comes to change. This indicates the workforce will embrace change if required, but don’t seek it out otherwise. Whilst you will experience challenges changing the culture in such an organisation, you shouldn’t expect to receive too much intransigence or resistance. With a bit of effort, you should be able to achieve the results you want.

3 Pillars for Security Awareness Success Poll01

Whether your workplace shows no interest, is highly engaged or indifferent to learning, none of this is set in stone. With the right leadership, spearheaded by senior management, everything can change for the better.

Three Pillars to Create Strong Foundational Change

When considering how you can best enhance cybersecurity awareness in your organisation, it helps to focus on the following three pillars to ensure the new culture you’re cultivating is built on strong foundations:

Pillar 1: LEAD
Be a route or means of access to a particular place, or in a particular direction.

Real change starts from the top.

While you understand the importance of cultural change in reducing the organisation’s exposure to risk, upper management may not be sufficiently technologically literate to grasp the significance of what you’re proposing. However, it is vital to get their full support if your initiative is to succeed. This is to ensure your initiatives aren’t stymied by those within the organisation who may be resistant to change.

Following these 4 steps, you’ll stand a good chance of successfully persuading upper management of the necessity of your initiatives:

  1. Drive awareness by providing evidence to senior executives of the impact an organisation’s culture has on its bottom line.
  2. Demonstrate the impact your changes will have on the organisation by focusing on outcomes. By learning to translate “IT-speak” into “business-speak”, you’ll be able to align your initiatives with business metrics in a way that will be highly persuasive to upper management.
    Emphasise the costs of inaction. Ransomware attacks have the capacity to shut down business for multiple days, costing millions in lost data.
  3. Push to get agreement on moving forward with your change agenda.
  4. It’s vital to get firm commitments, preferably in writing.

While this process of persuasion won’t necessarily be easy, it is absolutely vital you lead the internal conversations within your organisation to get the commitment and support from upper management to succeed.

Engage by winning hearts and minds.

Traditional training methods are notoriously ineffective. Periodically pushing out highly technical information is not the way to engage people. That’s why it’s crucial you develop an effective plan that encourages people to embrace the project.

The training modules you use need to interests learners and be enjoyable. Importantly, you want to make sure people feel like winners.

Don’t make training too complex. Remember, every person has a unique comfort zone. Your goal should be to nudge them slightly beyond their comfort zone for long enough to enable them to absorb a new concept. This concept will then become part of their new, expanded comfort zone.

Through gradual, incremental training, you’ll achieve long-term cultural change.

This is what we’ve achieved with Phriendly Phishing. While we use challenging emails for our initial risk assessments, when it comes to raising awareness and achieving behavioural change, we use phishing emails that are more easily identifiable. This encourages people to learn, grow and build confidence. It makes them feel like winners.

We’ve also found that when testing behaviour, it’s best to send test emails randomly. There’s little point sending out test emails according to a pre-determined cadence, when the individual knows they’re being tested. By randomising your testing, you’ll gain a clearer insight into the effectiveness of your training.

Some other factors to consider when fostering engagement:

  • Whenever possible, focus on the personal benefits they will experience from the training. When it comes to email security, the awareness they develop through the training will assist them and their families stay safe online.
  • Ensure you map out training modules to align with your goals and communicate your timelines with participants. Long-lasting change may require a learning path over multiple years.

3 Pillars for Security Awareness Success Poll02


Pillar 3: CHANGE
An act or process through which something becomes different.

Long-lasting change requires ongoing training.

Don’t try to effect substantial cultural change overnight. It will take time. Start with small, bite-sized chunks, then progressively educate your staff about what changes they should make.

Crucially, staff need to understand the reasons behind the push for change.

This is why context is critical. When staff understand why they are being asked to change, and why it’s important for the organisation, you’ll generally achieve greater success.

Without this context and understanding, staff will be more likely to demonstrate resistance and your attempts to achieve cultural change will unlikely succeed.

We recommend focusing on the three R’s:

  • Repeat – Maintain ongoing, consistent and gradual approaches to achieving change.
  • Repair – Always seek to identify areas of weakness, where change hasn’t been achieved, and focus on those areas for improvement.
  • Report – Constantly monitor your progress and report back to stakeholders regularly.

In our experience, ongoing computer-based training (CBT) is the best model to follow. In the poll we conducted, almost half of respondents stated their organisations implement CBT strategies. A further 32% implement ad hoc training initiatives. While certainly this is a great start, it’s important to bear in mind that not all CBT is created equal. To be successful, CBT strategies need to be engaging and tailored to the individual requirements of different staff members.

3 Pillars for Security Awareness Success Poll03


Follow the Phriendly Phishing Model to Achieve Cultural Change

By implementing these three pillars, Phriendly Phishing is successfully changing the culture in many organisations surrounding email security awareness.

Phriendly Phishing’s engaging and interactive modules gradually progress learners through various pathways tailored to their individual levels of awareness. With incremental learning delivered this way, staff gradually build up their understanding of the threats posed by email phishing, and how they can play a crucial role in identifying such threats.

Importantly, staff are also made aware of the ways in which email security awareness can benefit them personally. The lessons learned are equally relevant for personal email. In this way, cultural change is more successful because it can personally benefit each staff member, as well as their families.

Ready to begin implementing cultural change in your organisation?
CLICK HERE to watch our webinar for more tips on how you can succeed.

Your staff is the front-line in your security strategy

“Every organisation is a custodian”.

That was the message delivered by Shannon Lane, Director of Shearwater Solutions when he addressed the team at ARC Student Life at the University of New South Wales.

We’re all entrusted to hold confidential information on behalf of our customers, staff and stakeholders. That’s just as true for a private business as it is for a university.

It’s a significant responsibility.

With others so reliant on us to safeguard their data, it’s incumbent upon each of us to do everything possible to maintain the highest levels of cyber security.

Large organisations, such as UNSW, maintain databases containing a vast array of private information. From financial reports, to student records and confidential staff information, any compromise could be extremely costly for both the university, as well as the individuals effected.

Data breaches can also be detrimental to an organisation’s reputation, undermining trust in its capacity to fulfil its role as a reliable custodian of other people’s records.

While most organisations understand the need to invest in data-protection technology to prevent hacking, malware or ransomware, those who are motivated to breach these defences are constantly on the lookout for new ways to circumvent security systems.

Unfortunately, human error by those within an organisation can be a weak link. By clicking on the wrong link in an email, or opening the wrong attachment, staff can inadvertently open the back door to hackers, enabling them to gain access to an organisation’s IT systems and steal confidential data.

That’s why it’s imperative for all organisations to provide staff with ongoing training in identifying potential risks.

In line with ARC Student Life’s strong commitment to data protection, it adopts a proactive approach to maintaining stringent cyber security measures, including staff-awareness campaigns.

Give your team the tools & skills they need to block phishing emails

Shearwater has developed Phriendly Phishing, a proprietary software system with training modules that makes it easy for any organisation to enhance its online security.

Phriendly Phishing Awareness Training

A key component of Shearwater’s approach is ongoing staff awareness and training.

The Phriendly Phishing S.C.A.M. framework makes it easy to educate staff in identifying and blocking phishing emails:

  • S – Sender: Who is really sending the email?
  • C – Content: What’s the email’s content?
  • A – Action: What action does the attacker want me to take?
  • M – Manage: What do I do with the scam email?

With this 4-step approach to email security, Lane helped arm the ARC Student Life team with the awareness they need to enhance their security posture.

How can Shearwater help you?

Visit us for further information about Shearwater’s Phriendly Phishing software, so your organisation will be best placed to prevent email being used as a tool to compromise the confidential data you’re entrusted to protect.


PhriendlyPhishing by Shearwater Solutions

Phishing Awareness Training & Simulation Program 

Phishing awareness training is a scaleable, cloud-based phishing awareness and simulation program developed by certified cybersecurity professionals at specialist information security services provider Shearwater Solutions. Phriendly Phishing benchmarks employees’ existing phishing knowledge (before deploying educational modules), tests improvements and supports re-education. This journey-based approach encourages users to reach milestones and includes an option to gain practical experience with simulated phishing campaigns. It is these features that make Phriendly Phishing both engaging and extremely effective, and through ongoing research and practical experience in the field, Phriendly Phishing developers ensure that training remains current with real-world phishing threats and techniques.

What you need to know about Business Email Compromise (BEC) attacks

Business Email Compromise (BEC) attacks are increasing at an alarming rate and look set to continue as a favoured method of cyberattack in the future. In this blog article, Shearwater’s social engineering and phishing expert, Damian Grace, provides guidance on what you can do TODAY to reduce your organisation’s risk.

In a concerning trend, Australia ranked second in the world (at 27.4%) for reports of attempted BEC attacks in the first half of 2017, (1) and reports to the ACSC’s, Australian Cybercrime Online Reporting Network (ACORN) during 2016-17, attributed losses of A$20 million to BEC attacks. This increase of 230% from the $8.6 million during 2015-16 “likely represents only a small percentage of total activity, as both misreporting and underreporting occurs.” say the ACSC in their 2017 Threat Report (2)

What draws cybercriminals to target Australian organisations in this way? Australia’s large number of online transactions, early adoption of emerging technologies and use of software favoured for exploitation by cybercriminals has a role to play, but it is mainly due to the fact that BEC attacks offer a great ROI for cybercriminals; providing high returns – with attacks originating from overseas currently having a low chance of prosecution.

What is a BEC attack?

A Business Email Compromise (BEC) is a form of spear (targeted) phishing that aims to trick employees (generally in finance or HR) into transferring funds into a ‘new’ business bank account (belonging to the cybercriminal) or sharing sensitive information at the request of a cybercriminal impersonating a senior executive.

Cybercriminals use social engineering and/or hacking techniques to compromise legitimate email accounts or spoof (create fake) emails to make them appear to be from a high-level employee, co-worker or supplier. The most commonly spoofed positions are the CEO and managing director, targeting the CFO and finance director (3)

The five common types of BEC attack are:

CEO Fraud

A scammer impersonates the CEO (or high ranking executives) then sends scam emails trying to get an employee to transfer funds or confidential information.

Attorney Impersonation

A scammer impersonates a law firm, or someone from a law firm, usually requesting that funds be transferred into an account to settle an ‘overdue bill’.

Fake Billing

A scammer hacks into the email account of a business that has a relationship with a supplier. They then impersonate the supplier and request that ‘unpaid bills’ be paid to a ‘new’ account.

Accont Compromise

A scammer hacks into the email account of an employee (usually Finance) and contacts customers on the contact list stating a problem with a payment and requesting that payments are made to a ‘new’ account.

Data Theft

A scammer impersonates targeted employees (usually HR) and then sends out requests to employees and executives requesting personal information verification or updates.

Cybercriminals use both a low quality (basic research), high quantity approach, bombarding an organisation with multiple spear phishing emails in the hope that a link will be clicked, and also a high quality (highly researched), low quantity approach, where it is much harder for employees to spot the difference between real and counterfeit emails and the more likely the email will pass spam filters and whitelisting.

A cybercriminal researches their targets using company websites, LinkedIn and social media to learn the names, work titles, email addresses and interests of their targets. Once they’ve compromised their target employee’s email account “they’ll generally wait and observe email communications for at least a month before initiating the attack,” say Shearwater’s Incident Response Team, based on their findings when providing post-attack security hardening services. They’ll look for upcoming travel and events, suppliers and regular financial transactions, the arrival of new starters and key decision makers taking leave in their target department.

BEC & Social Media
Cybercriminals research their targets using social media, in preparation for a BEC attack..

BEC attacks are dangerously effective because they are socially engineered – designed to leverage human nature. They will be addressed from a senior colleague or a supplier, may appear to cc other employees or be a forwarded email, will request actions within the target employee’s normal range of duties and will often display knowledge of confidential company information – all designed to reduce suspicion. Attacks are usually initiated when key decision makers are away from the office, at an inconvenient or busy time and the request is always ‘urgent’ and ‘important’.

There are 2 mechanisms for the delivery of a BEC attack.

Email spoofing

A range of tactics are used to make an email appear to be from a trusted source or colleague:

  • Using the email header – to make the message appear to have originated from a trusted source
  • Using an email address that is almost identical to the address they are impersonating
  • Using an almost identical domain name (that the cybercriminal has purchased and configured to look like the company domain.)

A spoofed email may contain a link that will install malware, leading to account compromise.

Account compromise

The attacker’s aim is to gain access to their target employee’s email account. This is commonly achieved using a phishing email which includes a link to install malware, phone-based vishing, or USB drop to trick victims into divulging login credentials or installing malware or keyloggers into their computers or devices. Once compromised, the attacker will monitor the account for opportunities for exploitation; using the account for further research and to send emails to target employees, taking steps to ensure that the legitimate owner of the account is unaware.

What you can do TODAY to protect your organisation

An effective defence from BEC attacks requires a proactive, three-pronged approach, focusing on:

  1. Employee training
  2. Updating business policies and procedures
  3. Selecting and configuring technology

1. Employee training

Ensure that ALL employees within your organisation receive the latest phishing prevention training. For a fast and effective solution, offering an excellent ROI, seek a third-party provider that can deliver a proven, scalable, cloud-based solution that incorporates engaging cybersecurity training and phishing simulations and reporting to benchmark and provide ongoing risk reduction. As BEC attacks generally target CEO, CFO, HR and finance roles, it is imperative that training is prioritised for these roles.

In the interim, advise employees of the tell-tale-signs of a basic BEC attack email. Look out for a combination of:

  • A request to change bank account details, make a money transfer or provide confidential information
  • A request that is urgent and requests secrecy.
  • An email signature that is missing, incomplete or incorrect
  • Poor grammar or spelling

If employees receive an email with these characteristics, they should:

  • Check the address in the ‘from’ field (is it really from who they think)
  • Check with the sender either face-to-face or by phone (using the company directory, NOT the contact details within the email)
  • Not open any attachments or click on any links
  • Notify their IT department.

Phriendly Phishing Training
Ensure that ALL employees receive the latest phishing prevention training.

2. Update policies and procedures

The following updates to your organisation’s policies and procedures will help to reduce your BEC attack risk and help you to correctly manage phishing emails that reach employee inboxes.

  • You may choose to make it mandatory that requests for transferring funds, payment changes or providing confidential information:

    • Are not made via email, and/or
    • Require a 2-step, or more, verification process, with written approval for large amounts and confirmation face-to-face or via telephone (using an internal phone book, NOT a number in the email)
  • Create/update policies and procedures for the safe handling of suspicious emails.
  • Create/update policies and procedures for communicating with suppliers.
  • Promote file sharing on your organisation’s internal networks to reduce the need to email files.

Ensure that ALL employees are made aware of these changes.

3. Select and configure technology

The following technology solutions will help to reduce your BEC attack risk by blocking or quarantining suspicious emails before they reach employee email inboxes and flagging higher risk emails or content to alert users.

Multi-factor authentication

  • Implement multi-factor authentication for both employee workstations and remote access, to make it harder for cybercriminals to compromise employee email inboxes.


  • Ensure your organisation publishes SenderID/SPF records for their domain and that checks are conducted on emails claiming to be sent from this domain. Request that your suppliers do the same.
  • Register domains that vary slightly from your organisation’s actual domain to prevent cybercriminals from being able to do this.
  • Implement/correctly configure Domain-based Message Authentication, Reporting and Conformance (DMARC) to enhance Sender Policy Framework (SPF) and/or Domain Keys Identified Mail (DKIM) to enable 2 email authentication technologies on all emails, to identify the sender of a message and:

    • Block SPF hard fails (emails verified as not originating from the domain they claim to originate from)
    • Block DKIM verification fails – log and investigate and inform the spoofed organisation
    • Quarantine and flag to users any SenderID/SPF soft fails

Flags and alerts

  • Flag external emails e.g. add [EXT] to the start of the subject
  • Set alerts on the creation of mail forwarding rules, or unusually high outbound email volumes.
  • Flag emails with extensions that are similar to your corporate email

Software and logging

  • Ensure that antivirus software is up-to-date and correctly configured.
  • Keep blacklisting and whitelisting up-to-date
  • Provide users with the ability to report suspicious emails to IT (e.g. with free outlook add-ins like S.C.A.M. Reporter)
  • Ensure that logging is switched on for the email content filter and email servers and that logs are regularly audited. If your organisation is the victim of a successful cyberattack, these logs will enable faster detection and remediation work.


  • Provide a safe environment for the IT security team to investigate suspicious emails.
  • Provide the ability for file sharing on your organisation’s internal networks to reduce the need to email documents.

If your organisation is high risk, the ACSC recommends the following to reduce the likelihood of a user clicking on a malicious link or opening a spoofed attachment(4):

  • Convert attachments to PDF (and quarantine originals)
  • Whitelist attachments based on file typing to identify and block spoofed attachments
  • Block encrypted attachments
  • Disable macros and JavaScript content and quarantine originals
  • Replace active web addresses in an email’s body with non-active versions. The user must then copy and paste the URL and will have the opportunity to detect a difference between the displayed and actual URL.
  • You may also wish to block any non-authorised third-party email services.

The three-pronged approach above provides general recommendations for reducing your organisation’s risk in relation to BEC attacks. For a more tailored approach, contact your cybersecurity partner to enquire about cybersecurity and information security risk assessment services.


Download a free poster to assist your employees to identify 5 Common Types of Business Email Compromise (BEC) Attack


  1. Micro 2017 Midyear Security Roundup: The Cost of Compromise
  2. Australian Cyber Security Centre 2017 Threat Report
  3. Trend Micro 2017 Midyear Security Roundup: The Cost of Compromise
  4. Malicious Email Mitigation Strategies

PhriendlyPhishing by Shearwater Solutions

Phishing Awareness Training & Simulation Program 

Phishing awareness training is a scaleable, cloud-based phishing awareness and simulation program developed by certified cybersecurity professionals at specialist information security services provider Shearwater Solutions. Phriendly Phishing benchmarks employees’ existing phishing knowledge (before deploying educational modules), tests improvements and supports re-education. This journey-based approach encourages users to reach milestones and includes an option to gain practical experience with simulated phishing campaigns. It is these features that make Phriendly Phishing both engaging and extremely effective, and through ongoing research and practical experience in the field, Phriendly Phishing developers ensure that training remains current with real-world phishing threats and techniques.

How to Make Sure your Phishing Awareness Initiatives Are Successful

Every organisation fosters a unique environment – the differences can be large and many.

Some have a strong culture of continuous learning, others not so much.

That being said, regardless of the structure and culture of your organisation, when it comes to phishing awareness initiatives there are key players that need to be included in your conversations to make sure you are successful in creating a security awareness culture.

In most mid-to-large organisations, the four key stakeholders that you will need to support your initiatives are:

  • Upper Management
  • Learning and Development Team
  • IT Security, and
  • Human Resources

A sure way to get on the bad side of these influential stakeholders is to loop them in at the last possible minute with something along the lines of “Oh, FYI – we’re starting a phishing awareness campaign next Monday. Thought you’d like to know!”

This is a sure-fire way to get them offside and have them push back against the initiative.

Bringing these influential parties into the conversation early and often, and arming yourself with the information they require, will help you nullify any objections.

Security awareness and, in particular phishing awareness, is so important in the modern workplace that we need to give it every chance to succeed. So how can you get these different groups across the line? After running phishing awareness campaigns for over 150,000 people covering almost every demographic, I have pulled together my personal cheat-sheet on tackling the hard questions with these key influencers.













Upper Management

Upper Management is by nature extremely interested in metrics, especially when it covers organisational risk and improvement over time. It is this combination of staff enrichment with hard evidence where we can appeal to Upper Management’s business goals.

I often hear that phishing is now among the top three risks discussed at a Board level, so having key on-going metrics that you can present to senior decision makers can be a door-opener to getting your project on the agenda.

When dealing with Upper Management, I recommend finding a balance between the data (such as phishing assessment results, click-through rates and training completion rates) and staff aspects. That is, while the data can spell out the situation in black and white, don’t underestimate the value senior decision makers place on a program that supports staff along the way with engaging content and a nurturing training environment.

Learning and Development (L&D) teams

The internal L&D team should have a better understanding of your staff learning culture than anyone else. As the L&D team are usually concerned with the training material itself, be prepared to answer questions like:

  • Does the training suit our environment and culture?
  • What are the learning outcomes, and will the learning material deliver those outcomes?

In most cases, L&D teams don’t typically have concerns over phishing simulation and assessment activities, but they are more concerned with the structure and quality of the training components.

The last thing you want to do is give the impression that you’re trying to go over the L&D team’s head. So, to bring this team along the journey, give them access to the training material as soon as possible, and provide an opportunity for them to take some ownership of the program. Blindsiding them and bringing them into the conversation late is a certain recipe for disaster.

IT Security

In many cases, IT Security teams approach phishing assessments in a certain way; that is, create a super hard phishing email and send it to as many people as possible with a goal to trick and deceive large swathes of the audience.

Fortunately, this old method is having less appeal to many stakeholders. As training and technology has improved, we have a better (and more effective) way of doing phishing assessments and awareness training using smart automation simulations that adapt to the user’s level of understanding.

IT Security teams are notoriously short of time and short-staffed, which is why you can score some easy wins by appealing to their desire to hit objectives using smart automation without compromising their outputs. From a ROI perspective, phishing campaigns are not often the best use of the IT Security’s time – this is where automation comes in. When you discuss your phishing campaign, you have the perfect opportunity to show how it’s possible to have the best of both worlds – effective phishing education and automation all at once.

Another way to win over these key decision makers is to offer access to this automation system – so that if they have a great phishing email they want to add to the campaigns, they can. Similarly, explain that if they are having a busy few months and have no time, the system should continue to run without their input. Giving IT Security the power to influence while still doing right by your staff is a great win/win.



Human Resources (HR)

HR acts as the advocate and conduit for your workforce, and as such, they are typically concerned with how users are going to be treated and how they will be made to feel during engagements. It shouldn’t come as a surprise; security teams have a history of performing phishing assessments that are far from respectful to the end user. In many cases, staff are often left feeling tricked, confused, and outright unhappy with the whole experience.

The biggest concern I see from HR is around transparency. HR often insists on telling users in advance about training and workplace changes. However, for phishing campaigns, telling staff upfront defeats the purpose of doing a phishing baseline – resulting in a warped gauge of the environmental risk and creating misleading data.

But there is an opportunity for a compromise.

If HR’s main concern is that staff are not being given a chance to be educated and warned before being tested by a simulated phishing email, there is a way to resolve this pain point. First, you can ease concerns by making sure that your simulated phishing emails look no different to the authentic phishing emails staff may receive any other day of the year – so be sure to make your simulations realistically undetectable. Second, make sure that your risk assessment baseline emails are anonymised and communicate that to HR. By removing the connections between the simulated phishing emails and your organisation, as well as anonymising the results, you can alleviate HR’s concerns and ensure users don’t feel tricked.

And lastly, but most importantly – The Staff

While your staff don’t need to be consulted upfront, in many ways your staff are the most important to win over. When it’s time to let them know about the initiative (typically just before the training starts), it’s important to frame the conversation or notification in a certain way to get maximum participation and personal buy-in.

Sadly, we often see this approach used in staff training: “Company X dictates that everyone must do this mandatory training by 12pm tomorrow!”. While it is a slight exaggeration, it probably captures the sentiment best. Nobody likes being told what to do, especially when they have no interest in it.

A better approach is to show the user how phishing has become such a huge issue. Not just for them, but for their kids, their parents, and their spouses. People are far less concerned about your organisation than they are about themselves and their family.

If you can show them how they can be the protector of their own domain with training that’s practical and interesting, you’ll see a new level of engagement and better results.

Don’t forget that many staff members have a fear of technical training. This fear, justified or not, needs to be addressed upfront. So, let users know that the training with be a fun and engaging experience, and make sure your training keeps the information at an appropriate and relaxed level.

Phishing awareness training is one of the most important areas of IT security in organisations today. By having a strategy, you can get the organisation moving together in a frictionless way. With a little extra thought, you’ll improve your risk profile and your staff will actually thank you for it – not to mention proving to stakeholders that your training is a complete success.

Understand your organisation’s phishing risk and train your staff to identify and manage phishing emails with our phishing awareness training and simulation solution. 


5 Tips for Successful Anti-Phishing Training for your Staff

I hear from potential clients all the time how they repeatedly get compromised by phishing-born attacks such as Ransomware. Often, they tell me they follow the age-old adage of telling their staff “Don’t click on links!” or by sending out notifications of current attacks, but they don’t really address the root of the problem – which is, lack of effective education.

So, if telling them “don’t click on links” doesn’t work, what can you do?

Here are a few of the key things you need to do to get users to become part of the solution, rather than part of the problem.

1.  Give them a reason to care – Most staff members don’t really care about the organisation they work for. They might be great at their job and take a keen interest in the company affairs – but ask them to do some awareness training in something they have no interest in and you’ll hear crickets.

There are gimmicks that can be used to get short term buy-in for the training program; but if you want a lasting effect, tie the communication back to how this problem affects their families and people they care about. When you give your staff the opportunity to become a protector of something they care about, not just your organisation, engagement becomes voluntary and much more compelling. This is when the real magic happens.

When they are asking to get a copy of the training for their kids, partners, and parents – you know you are on the right path.

2.  Treat staff with the respect they deserve – Spend enough time in IT circles and you’ll hear things like “dumb users”, “the users are stupid”, or “you can’t teach them anything”. This elitist thinking is one of the reasons IT departments in many organisations have a poor internal reputation.

It’s time we started looking at staff for who they are: specialists in their fields, which may not be IT. They would likely run rings around you and me in their area of expertise, but they just aren’t technologists. This is where you can fill in those gaps and teach them something new.

Take the time to treat the users with the respect they deserve across all communications, touch points, and testing regimes.

3.  Tricking is not training – Nobody likes to be tricked or conned, and your staff are no different.

Old-school phishing assessments can easily get your users offside and make those running the program feel superior because they fooled so many people. What other training techniques can you think of that take this approach and actually work?!

A proper anti-phishing program should never be about deception, it’s about providing staff the opportunity to learn and grow. In many cases it will take baby steps. You can’t teach advanced math by sending out advanced equations every month or so, you need to start with the basics and build it from there. Phishing is the same for many people, it can be extremely technical to a non-technical person. Humiliating your staff before they have even had the chance to learn from their mistakes is not the answer.

Take the time to treat the users with the respect they deserve across all communications, touch points, and testing regimes.

4.  Understand the audience – Users in most organisations are often non-technical people. In some cases, they are put off technical training because the past ‘old-fashioned’, dry, boring, and technical modules have left them feeling down or completely out of their depth.

We need to empathise and understand that each one of your staff members is starting off with a different level of expertise, capability and understanding of phishing and technology. A successful training program will need to cater to this and allow users to advance at their own pace.

5.  It’s not an overnight fix I’m sure by now you are seeing that phishing education is quite a tough subject for many people to become proficient at. To get a non-technical audience to understand how to detect phishing can require a fundamental change in their understanding and thinking.

Throughout training, your audience is learning new skills and techniques that they may have never used before, and as with any skill it takes time to learn it, become capable, and have it ingrained into everyday use. You need to devise a program that takes users on a journey from where they are now, right through to becoming a phishing expert. It will take training, practice and patience as there are no quick fixes, but the payout at the end will be worth it.

Understand your organisation’s phishing risk and train your staff to identify and manage phishing emails with our phishing awareness training and simulation solution.