With more than 1700 employees operating across multiple sites, the professional services organisation recognised that a proactive approach was required to better manage the risks arising from the increasing number of malicious phishing and spam emails employees were receiving, and the threat this posed to sensitive data. Having recently combatted ransomware, the organisation wanted to prevent future avoidable incidents that lead to costly and time-consuming remediation.
The Chief Information Officer (CIO) already had technical controls in place to protect employees, but recognised that, while prior cybersecurity education had achieved a small improvement, cybersecure behaviour was not sustained and employees lacked confidence in their ability to recognise and respond to malicious emails. This was affecting regular work duties: instead of confidently deleting malicious emails, employees were forwarding increasing volumes to the IT department.
“We were looking for an ongoing, effective solution because we’ve seen a lot of phishing activities coming to our business, due to the nature of the services we provide,” said the CIO.
Knowing that real change takes more than a single educational session, the organisation began researching more creative ways to teach cybersecure behaviours. Seeking a solution that would engage, educate and reinforce cybersecure behaviours over a sustained period, the organisation took the innovative step of using social engineering itself, in the form of simulated phishing, as a teaching tool, and explored a number of providers who offered more than a static training experience. They concluded that the ability to test employees, revisit areas requiring improvement, and support and develop employees' cybersecurity knowledge over the long term was a key requirement, and that it outweighed the 'quick fix' promises some training suppliers were offering.
“We were looking for something to make this a lot more real and less theoretical…” said the CIO.
The solution: A sustainable and effective way to teach cybersecure behaviours
Following the recommendations of a trusted Phriendly Phishing partner, the organisation approached Phriendly Phishing to find out more about the Australian cloud-based program. The company’s CIO was impressed with how well Phriendly Phishing’s mission, to support Australian businesses while also speaking directly to employees in a relevant, accessible and engaging way, aligned with their key requirements.
The organisation ran a Phriendly Phishing pilot study, involving 500 employees, at one of their sites. It proved to be an overwhelming success, with marked improvement across the board.
One of the core features that the organisation found attractive was the ability to roll out the same educational content to the whole pilot group concurrently. Being cloud-based, Phriendly Phishing's material did not consume additional company resources and, with continual updates to keep pace with changing phishing threats and techniques, gave employees the most up-to-date information at any one time. They also liked that, unlike other products they had researched, Phriendly Phishing measures a user's existing knowledge before deploying the educational modules, tests improvements and supports re-education. This journey-based approach encourages users to reach milestones and gain practical experience by testing their skills on simulated phishing campaigns. It is these features that make Phriendly Phishing an engaging and highly effective cybersecurity training program.
Multi-site national rollout
Delighted with the results of the pilot study, the organisation chose to roll out Phriendly Phishing to all 1700 employees across the country and, to benchmark their knowledge, ran an anonymised simulation, also known as a baseline campaign.
In this instance, a crafted email imitating a real phishing attempt was released to all employees and their behaviour was anonymously recorded. While the organisation was prepared for an initially high number of poor responses, what they didn't expect was that one in five employees failed the test by clicking on the simulated email.
To expedite learning and retention, the organisation activated the Phriendly Phishing simulation option. This simulation supports the education modules by allowing an organisation to choose when a simulated phishing email is sent to employees and at what level of difficulty, so employees can practise and receive real-time feedback. It also provides detailed reporting insights, down to individual employee status, on how employees are learning to recognise and manage malicious emails.
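As an added illustration of the approach described here, an anonymised baseline campaign followed by tracked monthly campaigns, the script below computes click and report rates per campaign, their change against the baseline, and the individuals to refer for re-education. It is example code, not Phriendly Phishing's own; the event format, the anonymous baseline tokens and the two-click referral rule are assumptions, and the events are constructed sample data, not the organisation's results.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events (campaign, subject, action), not real data.
# Baseline subjects are anonymous tokens ("anon-3"): the baseline campaign is
# recorded anonymously, so nothing in it can be tied back to an employee.
# Tracked campaigns carry employee IDs ("u3") so individual status can be reported.
# Actions: "delivered" (email sent), "clicked" (link followed), "reported"
# (employee reported the email as suspicious).
EVENTS = [
    *[("baseline", f"anon-{i}", "delivered") for i in range(10)],
    ("baseline", "anon-1", "clicked"), ("baseline", "anon-4", "clicked"),
    ("baseline", "anon-7", "reported"),
    *[("month1", f"u{i}", "delivered") for i in range(10)],
    ("month1", "u1", "clicked"), ("month1", "u4", "clicked"),
    ("month1", "u2", "reported"), ("month1", "u7", "reported"), ("month1", "u9", "reported"),
    *[("month2", f"u{i}", "delivered") for i in range(10)],
    ("month2", "u1", "clicked"),
    *[("month2", f"u{i}", "reported") for i in (2, 3, 4, 7, 9)],
]

ANONYMISED = {"baseline"}  # campaigns whose per-subject data must never be attributed


@dataclass(frozen=True)
class CampaignStats:
    delivered: int
    clicked: int
    reported: int

    @property
    def click_rate(self) -> float:
        return self.clicked / self.delivered if self.delivered else 0.0

    @property
    def report_rate(self) -> float:
        return self.reported / self.delivered if self.delivered else 0.0


def campaign_stats(events) -> dict:
    """Aggregate per-campaign counts. Subjects are collected in sets so a
    duplicate row (e.g. two clicks on the same link) is not counted twice."""
    subjects = defaultdict(lambda: defaultdict(set))
    for campaign, subject, action in events:
        subjects[campaign][action].add(subject)
    return {
        c: CampaignStats(len(a["delivered"]), len(a["clicked"]), len(a["reported"]))
        for c, a in subjects.items()
    }


def delta_vs_baseline(stats, baseline="baseline") -> dict:
    """Percentage-point change in click and report rate against the baseline.
    Track both: a falling click rate with a flat report rate usually means the
    lures got easier, not that staff learned to recognise and report them."""
    base = stats[baseline]
    return {
        c: {
            "click_pp": round((s.click_rate - base.click_rate) * 100, 1),
            "report_pp": round((s.report_rate - base.report_rate) * 100, 1),
        }
        for c, s in stats.items()
        if c != baseline
    }


def referral_list(events, min_clicks=2) -> list:
    """Employees who clicked in at least `min_clicks` tracked campaigns, i.e. the
    individuals to refer for re-education (assumed rule). Anonymised campaigns
    are skipped so baseline behaviour is never attributed to a person."""
    clicks = defaultdict(set)
    for campaign, subject, action in events:
        if action == "clicked" and campaign not in ANONYMISED:
            clicks[subject].add(campaign)
    return sorted(s for s, cs in clicks.items() if len(cs) >= min_clicks)


if __name__ == "__main__":
    stats = campaign_stats(EVENTS)
    for name, s in stats.items():
        print(f"{name:9} click {s.click_rate:5.1%}  report {s.report_rate:5.1%}")
    print(delta_vs_baseline(stats))
    print("refer for re-education:", referral_list(EVENTS))
```

With the constructed data the baseline click rate is 20%, matching the one-in-five figure in the case study; by the second tracked campaign the click rate has halved and the report rate has risen from 10% to 50%, and the one employee who clicked in both tracked campaigns is the only name on the referral list.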
“The monthly tracking and reporting was fantastic. You could see who was receiving what emails, what staff clicked on and how we were tracking against our baseline,” said the CIO.
The organisation was able to track the significant change in how employees responded to the simulated phishing emails, and this consistent cycle of monitoring, referral and re-education was instrumental in the organisation significantly reducing its phishing risk.