
Phish Your Colleagues

Zero Dark Ready by Juliet Golf

You don’t want to be the weakest link that brings your workplace to a sudden halt. When systems shut down and no one can get to their email or files, your coworkers would send you angry messages and glare at you. Your boss would call you in to “have a conversation.” They would know who was responsible. They would know it was you.

In your personal life, you keep yourself and your family safe by locking the front door. You make sure the mail is collected when you’re out of town for a few days. You avoid being an obvious target for intruders. We need to be just as careful when it comes to cybersecurity, or operational security (“OPSEC”).

How effective is our cybersecurity training?


Employees making simple mistakes are often the opening for a cyber-attack. This is evident in Verizon’s 2020 Data Breach Investigations Report, which analyzes incident records every year. At a glance, it’s clear that while 45% of breaches involved hacking, many could have been prevented:
• More than 1 in 5 included social attacks like phishing.
• 8% of breaches were due to misuse by authorized users.

Add those together and roughly 30% (a breach can involve more than one action, so the categories overlap and the sum is an upper bound) would be preventable by your ordinary Jane Doe or John Smith coworker, if they knew not to click on that questionable link or open that attachment. The Gartner 2020 Market Guide for Email Security agrees: “Despite the growth in more targeted attacks through other vectors, email is still the most common channel for opportunistic and targeted attacks, as well as a significant source of data loss.” This gives organizations a rationale for mandating cybersecurity and OPSEC training. But when this training is just one of many that you and your team are required to complete every year, pulling you away from your work, it’s important to ask: “how valuable is this training?”

One way to answer that question has been to test it. Consider it a game with competing players: employees versus the IT security team. Your organization’s IT security team sends employees a fake phishing email that uses the most common and recent tactics adversaries (the “bad guys”) use. If you and your colleagues recognize the email for what it is (trouble), you win: your team wins by being well-trained and observant. If staff open a questionable attachment or link, or reply and give away personal or organizational information, the IT security team is alerted.

The test will answer:

  1. How effective was the training? If more people than expected fail, the training may need to be revised or replaced.
  2. Who needs additional training? If only a few people fail, those staff can be asked to retake the training. To avoid embarrassing anyone, results should be reported in aggregate and individual notifications kept private to the security team.

Why this works
There’s something about a real-world application of training that gets our hearts pumping and jolts us to sit up and pay attention. By becoming active participants, employees gain the exposure and judgement to understand their own processes, see the gaps, and correct them, without any of the risk of destroying their reputation and/or that of their employer.

Data can be gathered and used within your organization. Some research indicates that these tests have a high return on investment. Your agency tech team can do their own research and connect with peer companies or institutions, discussing the pros and cons with the chief information security officer (or whoever holds a similar responsibility) before making a decision.


If the IT security team proceeds with this program, there are a few things they can expect. Twice a year, employees receive a faux phishing email, without warning, of the kind that would normally deliver ransomware or other malware. Staff will either:
a) Ignore the email or mark it as spam / junk.
b) Ask about it, or forward the email to the tech team asking whether it’s legitimate.
c) Click on the link / attachment that would normally carry the ransomware/malware. Instead of a payload, the link and/or attachment should tell them this was a test, that they should take a cybersecurity training, and where to access that training.
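The mechanics behind outcomes a), b) and c) are worth seeing in code: the link in the email has to identify the recipient without being guessable (an address in the URL would let anyone “click” on a colleague’s behalf), clicks and reports have to be classified into those three outcomes, and the numbers that leave the security team should be aggregates, with any per-person list pseudonymized. The following is an added example written for this page, not code from the blog or from any phishing-simulation product; the recipient list, the observed events and the report key are all constructed, and the landing-page URL shape is an assumption.

```python
import hashlib
import hmac
import secrets
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample data: a hypothetical recipient list for one simulated campaign.
RECIPIENTS = [
    "ana@example.org", "ben@example.org", "cy@example.org",
    "dee@example.org", "eli@example.org",
]

# Assumption: the security team holds a secret used only to pseudonymize
# identities in reports that leave the team. Rotate it per campaign.
REPORT_KEY = b"constructed-report-key-rotate-per-campaign"


def pseudonym(recipient):
    """Keyed hash of the address: stable within a campaign, unlinkable without the key."""
    return hmac.new(REPORT_KEY, recipient.lower().encode(), hashlib.sha256).hexdigest()[:12]


@dataclass
class Campaign:
    tokens: dict = field(default_factory=dict)   # token -> recipient (private to the team)
    events: dict = field(default_factory=dict)   # recipient -> set of observed event kinds

    def enroll(self, recipient):
        # Unguessable per-recipient token; the email's link would look like
        # https://training.example.org/t/<token> (URL shape is an assumption).
        token = secrets.token_urlsafe(16)
        self.tokens[token] = recipient
        self.events.setdefault(recipient, set())
        return token

    def record_click(self, token):
        # Called by the landing page. Unknown or expired tokens are rejected,
        # which is also where forged links show up in the logs.
        recipient = self.tokens.get(token)
        if recipient is None:
            return False
        self.events[recipient].add("click")
        return True

    def record_report(self, recipient):
        # Called when the helpdesk or mail gateway sees this person forward
        # or flag the test email.
        if recipient not in self.events:
            return False
        self.events[recipient].add("report")
        return True

    def outcome(self, recipient):
        kinds = self.events[recipient]
        if "click" in kinds:
            return "c"   # clicked the link/attachment: needs retraining
        if "report" in kinds:
            return "b"   # asked about it or forwarded it to the tech team
        return "a"       # ignored or junked: nothing observed

    def summary(self):
        # Aggregate numbers only; this is what goes to leadership.
        counts = Counter(self.outcome(r) for r in self.events)
        total = len(self.events)
        return {
            "total": total,
            "ignored": counts["a"],
            "reported": counts["b"],
            "clicked": counts["c"],
            "click_rate": counts["c"] / total if total else 0.0,
        }

    def retraining_list(self):
        # Who to nudge, as pseudonyms: a leaked copy of this list names no one,
        # while the team can recompute the mapping with REPORT_KEY.
        return sorted(pseudonym(r) for r in self.events if self.outcome(r) == "c")


def run_demo():
    """Run one constructed campaign and return it for inspection."""
    camp = Campaign()
    tokens = {r: camp.enroll(r) for r in RECIPIENTS}
    camp.record_click(tokens["ben@example.org"])    # outcome c
    camp.record_report("cy@example.org")             # outcome b
    camp.record_report("dee@example.org")            # reported it...
    camp.record_click(tokens["dee@example.org"])     # ...then clicked anyway: still c
    camp.record_click("not-a-real-token")            # forged/expired link: ignored
    return camp


if __name__ == "__main__":
    demo = run_demo()
    print(demo.summary())
    print(demo.retraining_list())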

Different responses to the test will yield different data and different signals about how successful the training was. For a productive program, and to limit resistance or disapproval, always plan each test out from start to finish. Consider these 4 points:
1) Do your research. If your agency decides to proceed with this activity, prepare for opposition, because studies show contrasting results on test effectiveness. For example, one study showed training wears off after several months (retraining is needed); others show that it’s only perceived to be helpful. There are also strong arguments against the practice of attacking employees, which may create a toxic environment.
2) Focus-group every training the organization requires before it’s shared with the larger community. If the training is contracted out, a group of employees with multi-disciplinary and multi-cultural backgrounds, who don’t have extensive tech experience, should provide feedback. They may spot questions that need answering, contradictions, or issues the IT team overlooked.
3) Focus-group the security test for feedback before emailing it to the larger organization. The small group of employees may find that the language informing them they did not follow security protocols reads as accusatory, that the simulated ransomware/phishing emails are so similar to earlier ones that they are easily identifiable, or that the errors in the email are either too obvious or too subtle.
4) Mandated training and security tests should come from the top down. Get your colleagues and leadership on board by presenting a summary of the costs and benefits. They may need to be reminded that in a ransomware attack, agencies lose money, customers, and reputations.