Phishing is one of the most used attack vectors in data leakage cases (32%). As the result, more and more companies are simulating phishing campaigns to educate their employees. However, these simulations are difficult to control and can sometimes cause more harm than good.
During missions carried out at our clients’, when phishing is discussed, we have observed two phenomena:
This reluctance can come from human resources or communications (who fear the reaction of employees) but also from security teams, which already suffer from an image deficit; IT security is often perceived as a hindrance to business.
Carrying out a phishing campaign is relatively simple, with many tools or managed services available on the market. However, if the campaign is carried out in a one-off way, there is a good chance that it will be useless. Indeed, one should not forget that the phishing campaign must be an integral part of an awareness plan, the objective of which is to increase the employees’ skills, and not just to point out their shortcomings at a given moment.
This observation led us to think about the following problem: how to succeed in a phishing campaign?
User awareness should not rely on a single vector for several reasons:
Thus, it is important to ensure that the campaign is preceded and followed by other actions that will allow employees to understand the risk of phishing, to know how to detect it and how to react to it.
Instinctively, companies tend not to communicate about the realization of a phishing campaign, for fear of distorting the results: this is a mistake!
Not communicating in advance means taking the risk of frustrating employees and creating resistance to cybersecurity. It is important to be transparent about the existence of the tests as well as about the reasons for these tests: to help employees progress and participate in the defense of the company’s assets. The objective is to obtain a state of mind of the collective union against the risk of phishing, and not an opposition of employees against a security team. This is one of the reasons why saying that the problem is “between the chair and the keyboard” is counterproductive. Moreover, warning them can also increase their vigilance daily.
It is also necessary to ensure the support of management. Management should not be excluded from the campaign: employees will feel more concerned if they see that it is a strategic issue for management. For this, the executive committee can participate in the communication of results.
It would be counterproductive to punish employees who have been “phished”, and even more so to communicate their names internally. Beyond the bad atmosphere that this kind of practice creates, the risk would be that in the future, employees would be afraid to alert us in case of doubt about an email, or case of a security incident, for fear of being sanctioned. This is the opposite of the security culture we are trying to develop: vigilance and alert.
Even a relatively “healthy” sanction such as requiring training for mistakes in a simulation is not recommended: employees would see the training as a punishment and it would not necessarily be effective.
Conversely, it may be possible to reward the department that does best in the test: this creates a spirit of friendly competition among employees. Some might argue that this could distort the test, as employees would alert each other to the presence of a phishing email. In reality, this risk is quite small. Even if employees warn each other, it makes them talk about phishing and how they detected it: this is one of the desired effects!
By making them anonymous, it is essential to communicate the results. An alarmist communication would serve the purpose: fear marketing does not work. The communication should include an explanation of how to detect phishing or a link to a dedicated space.
One of the advantages of the phishing campaign (and this is what makes it so popular) is that it allows you to obtain measurable results. However, one should not fall into the trap of numbers and focus on the number of “phished” users:
One of the indicators that are particularly important to watch is the alert rate. This is what we expect from users: that they alert in case of suspicious emails. For this, it is interesting to include IT support in the preparation of the simulation, together with the management.
Once the campaign is over, and the results have been disseminated, it is necessary to continue to raise awareness of phishing risks among users. To ensure that the awareness actions implemented are appreciated and acquired by the employees, it is necessary to consolidate adhesion indicators. If these are not satisfactory, we can then adapt the chosen awareness vectors.
Moreover, for the messages transmitted to be more impactful, we always recommend drawing parallels between personal and professional life. This is especially true for phishing, which targets both professionals and individuals. Finally, to be more effective, it is necessary to carry out regular simulations. Once the results of the simulation improve, the level of complexity can be increased.
To conclude, it seems important to come back to the fact that a phishing campaign is a tool that should not be used as an awareness action: it is above all a control vector. Moreover, as threats are constantly evolving, employee awareness must be a continuous improvement process. Using regular and varied awareness actions, employees will be able to increase their skills in these subjects.
In addition, monitoring vectors such as the phishing campaign must be used to ensure the effectiveness of the awareness strategy. Always in the spirit of continuous improvement, they must also address new threats: smishing (SMS phishing), vishing (by phone), contamination of USB keys, etc.