“Phishing” Your Staff to Raise Security Awareness

Dr. Niklas Hellemann: For years, companies have focused merely on technical measures to protect themselves against cyber threats. And indeed, a good endpoint-protection, firewall, and antivirus solution are important elements of every company’s information security strategy. However, there has been a mindset that these technical barriers can safeguard any organization against any kind of security threat to a sufficient degree. 

dot: How can a company measure the current level of security awareness of its staff?

Dr. Hellemann: Well, the easiest thing to do is simply ask them. A quick questionnaire will give you a good overview of the expertise level of your employees in regards to cyber threats. Much more important than knowledge, however, is the concrete ability to spot sophisticated cyber threats, such as spear-phishing. In order to evaluate this aspect of awareness, you have to test your employees. Ideally, this happens in a realistic context – basically, within their mail clients. At the beginning of each of our awareness campaigns, we do both, by conducting an initial awareness and security culture audit with our clients. Employees complete our eLearning modules and receive a “SafeScore” as a result of various quizzes throughout the modules, in order to assess their knowledge. In addition, we test them by sending them realistic phishing and social engineering mails as a part of a phishing simulation. The click rates across functions, sites, or different employee groups give a very solid measure of the awareness level of the organization. 

dot: What issues are there with data protection and privacy when it comes to awareness testing?

Dr. Hellemann: When you “phish” your employees with realistic phishing mails, of course, there are certain worries about privacy and data protection. Some employees might fear that their employer monitors their click behavior in order to draw conclusions. Others might think that it is part of a real attack. Hence, it is very important to clearly communicate the whole process thoroughly and stress the fact that the simulation is 100% anonymous – which is the case with our solution. In fact, we are the only provider in the German-speaking markets that offers an entirely anonymous simulation and assessment (vs. working with anonymized or pseudonomized data). After explaining the process and the level of anonymity thoroughly, we have never experienced any negative reaction from employees. In fact, most of them see the positive aspects of such a measure: they can use the lessons learned in their private and family life, where they are more and more often confronted with phishing scams as well.

Another very important aspect in this domain is the involvement of workers’ councils. We always strongly recommend bringing councils on board at the very beginning of a roll out. Actually, we have seen many companies where the workers’ council has initially pushed for an awareness campaign. 

dot: How can a company improve staff awareness, and what impact does this have in terms of the number of attacks on systems? 

Dr. Hellemann: Well, everything a company does in the domain of awareness is a good thing. This can start with simple measures, such as printed communication campaigns, like putting posters on the wall in order to raise the topic. It always helps to do this in a funny or playful manner, as information security is a more or less dry topic for most employees. Of course, training seminars are also a good way of conveying knowledge. However, most companies struggle to send all employees to face-to-face seminars, as this is a huge cost factor and there is considerable heterogeneity in the quality of such seminars. eLearning is, thus, a good and broad weapon of choice in order to sensitize the entire staff of an organization in a wide array of security topics. However, we see some problems in terms of long-term effects here: Do you remember the content of that mandatory compliance eLearning you completed half a year ago?

That is why many of our clients favor a phishing simulation in combination with our eLearning suite to close the largest gaps. The tremendous advantages of the simulation format are that employees do not need to block time in their calendars for a seminar and that they are literally “learning by doing”. Should they click on one of our phishing mails, they receive a warning together with a guided tour through the mail they clicked on, telling them how they could have spotted it as a phishing mail. It is hard to forget such a “lesson”. And our numbers paint a clear picture: After an initial simulation phase, we can reduce the click rates by over 50% (which is further reduced when the simulation is continued). Clearly, this can consequently also reduce the number of incidents.

dot: What are your 3 top recommendations for companies, to improve security related to human error?

Dr. Hellemann: First: acknowledge that there IS human error. Some CISOs or information security officers we talk to tell us, “We do not receive phishing mails. There hasn’t been any report in the last year”. I’m always a bit scared when I hear something like this. It’s a fact that every company in the world gets constantly targeted by cyber criminals. It’s also a fact that technical barriers cannot filter 100% of all phishing mails. Hence, a statement like this means that employees simply do not know how to spot a fraudulent mail or what to do with it (hands off, report it to the IT department). And this is a very dangerous situation.

Second: Put the topic high on the agenda. I know, cyber security is not the most glamorous and top line topic a CEO could imagine. That is the problem with all prevention topics: they are not important until it is too late. However, it might help to see it as a business case or similar to an insurance policy. In an entirely digitalized world, with employees being confronted with digital processes throughout most organizations, cyber security awareness is something you simply have to do in order to prevent a very costly worst-case scenario. Just ask Søren Skou, the CEO of Maersk (or any other company that got massively hacked this year) what he thinks about prevention and cyber security awareness.

Third: Create awareness among your employees – constantly! Most CISOs of leading companies have realized that awareness is an essential part of any cyber defense strategy. However, there is often a misconception that “you just do a campaign and get your check mark”. Our data shows that only if you constantly sensitize your employees can you raise awareness in the long run. People tend to refocus on other topics in their everyday life, and your company also has employee turnover. That is why it is important to think of awareness as a constant measure, not a once-off tool. After all, you also do not buy an antivirus solution and just run it once, do you?

Dr. Niklas Hellemann is a psychologist, management consultant, and co-founder of SoSafe Cyber Security Awareness. As an expert for social engineering, he deals with innovative methods of employee sensitization.