Employees at Picatinny Federal Credit Union recently received an email from accounting@accountspayable.com with the subject line “re: bank details confirmation.” It looked like a routine email for a financial institution, but those who double-clicked the attached invoice were rewarded with a stark break from their regular workday.
They were directed to a page explaining that they had fallen for a phishing attack, but they were lucky — it was only a test. “We’re in the financial industry, so one of my big jobs is to stay in front of as much of this as possible,” explains Rich Engle, Picatinny FCU’s director of IT. “It’s like a fire drill. As an organization, you have to practice what to do if there is a breach.”
Businesses across industries erect security defenses ranging from firewalls to intrusion prevention systems, but such technologies don’t protect organizations from one of their top vulnerabilities: their employees. Many have responded to internal threats by instituting training solutions that educate, test and track employees on their success or failure at avoiding phishing attempts.
Train Employees Effectively to Keep Phishing at Bay
In a recent survey of 1,100 organizations conducted by security awareness company KnowBe4 and ITIC, a research firm, 86 percent said they conduct randomized phishing simulations. In fact, phishing is such a hot-button issue that 65 percent of respondents gave feedback through the survey’s optional essay question, compared with the standard response rate of 10 percent or less, says Laura DiDio, principal of ITIC. “There is obviously a heightened awareness about this problem,” she says.
“As an organization, you have to practice what to do if there is a breach,” says Rich Engle, IT Director of Picatinny Federal Credit Union. Photography by Andrew Kist.
Picatinny FCU trains employees on phishing attacks annually, but before implementing Cofense’s PhishMe solution in summer 2017, the credit union was making up examples of attacks and presenting them as hypothetical situations. Now its tests use real-world phishing scams. “That helps drive the message home, because I can say, ‘This actually happened,’” says Engle.
A simulated attack is also more effective than a training session, he adds. “That real-life scenario is invaluable, as opposed to once every quarter sitting in a conference room and being told, ‘Phishing is out there. Don’t open these emails.’”
Businesses Use Past Breaches as Learning Opportunities
Before launching the first PhishMe campaign, all Engle had to do was whitelist the IP addresses the simulated emails are sent from and configure the spam filter so it didn’t block them. Once that was done, Engle began launching simulated attacks randomly, at least four times per year — more if he saw an uptick in attacks or heard about them in the news.
PhishMe updates the simulations frequently so that employees don’t learn to spot them. “If they were the same old emails, it wouldn’t have extended value,” Engle says. When employees click on links in phishing simulations, not only are they led through training, but the program reports back to Engle who opened the emails, who double-clicked the links and who clicked through pages within a link.
Some people are embarrassed that they fell for the scam, while others feel tricked. But Engle explains that they’re better off being fooled by him than by a malicious actor. “Hackers work very hard not to have to get a legitimate job,” Engle notes. “At the end of the day, I think everybody gets it: Every employee is a potential breach point.”
Like Picatinny FCU, Patriot Software uses real-world scenarios in its simulated phishing attacks, but not only from vendor templates. The company trains employees to spot phishing attacks by telling them about ones they’ve faced.
For instance, a few years ago, an employee got an email from Patriot CEO Michael J. Kappel, who was out of the office, asking him to send over workers’ W-2 forms. The employee began preparing to send them when a colleague questioned what he was doing. Ultimately, they decided to ask the CEO if the email was really from him.
It wasn’t.
“We had no idea how vulnerable we were,” says Elliot Bailey, principal systems engineer at Patriot, an accounting and payroll software firm based in Canton, Ohio. “We’re definitely way better off now.”
Build Trust Around Security Awareness
Bailey launched a security awareness program after attending the 2016 annual conference by Proofpoint’s Wombat Security. But the program got off to a slow start because he was more focused on securing systems than educating users. So, when Hannah Fricker, who had recently started with Patriot in a help desk role, showed an interest in the program, he put her in charge of security awareness.
“It’s not just a techie role,” he says. “Users need to trust and talk to this person, and Hannah’s definitely friendlier than me.”
Once she took over the program, she set out to build trust with Patriot’s 130 employees. “People need to listen to our messages, but we also need them to report suspicious emails,” Fricker says.
Wombat provides a PhishAlarm button that Patriot deploys as an add-on within Gmail, and the system ranks messages so that Bailey and Fricker can review the most likely phishing attacks first.
Patriot breaks its security awareness program into two semesters per year, with the first month dedicated to assessment to get a baseline of workers’ knowledge. From there, they conduct online trainings every other month and sprinkle in random simulated phishing attacks followed by targeted training for those who click the links, explains Fricker.
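Both programs described above come down to the same loop: send a simulation, record who opened, clicked or reported it, compare against a baseline, and route the people who clicked into targeted training. The script below is an added example of that reporting step; it is not code from Cofense, Proofpoint/Wombat, Picatinny FCU or Patriot Software. The event log and its vocabulary ("sent", "opened", "clicked", "submitted", "reported") are constructed for illustration and are not any product's export format.

```python
"""Turn simulated-phishing telemetry into a per-campaign report, a click-rate
trend across campaigns, and a list of users who need targeted training.

Added example: the event format and campaign names below are constructed and
are not an export from PhishMe, PhishAlarm or any other product.
"""
from collections import defaultdict

# Constructed sample telemetry: one line per event, "campaign,user,event".
# Campaigns appear in the order they ran (Q3 is the baseline, Q4 the follow-up).
SAMPLE_EVENTS = """\
Q3-invoice,alice,sent
Q3-invoice,alice,opened
Q3-invoice,alice,clicked
Q3-invoice,bob,sent
Q3-invoice,bob,opened
Q3-invoice,bob,reported
Q3-invoice,carol,sent
Q3-invoice,carol,opened
Q3-invoice,carol,clicked
Q3-invoice,carol,submitted
Q3-invoice,dave,sent
Q4-ceo-w2,alice,sent
Q4-ceo-w2,alice,opened
Q4-ceo-w2,alice,reported
Q4-ceo-w2,bob,sent
Q4-ceo-w2,bob,reported
Q4-ceo-w2,carol,sent
Q4-ceo-w2,carol,opened
Q4-ceo-w2,carol,clicked
Q4-ceo-w2,dave,sent
Q4-ceo-w2,dave,opened
"""

# Assumed event vocabulary. "submitted" = entered data on the landing page;
# "reported" = used the report-phish button on the message.
EVENT_ORDER = ("sent", "opened", "clicked", "submitted", "reported")


def parse_events(text):
    """Return {campaign: {user: set(events)}}, campaigns in first-seen order.
    Malformed lines raise rather than silently skewing the rates."""
    campaigns = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3 or parts[2] not in EVENT_ORDER:
            raise ValueError(f"line {lineno}: malformed event {raw!r}")
        campaign, user, event = parts
        campaigns.setdefault(campaign, {}).setdefault(user, set()).add(event)
    return campaigns


def campaign_summary(users):
    """Counts and rates for one campaign; rates are relative to messages sent."""
    sent = sum(1 for ev in users.values() if "sent" in ev)
    counts = {e: sum(1 for ev in users.values() if e in ev) for e in EVENT_ORDER}
    rates = {e: round(counts[e] / sent, 3) if sent else 0.0 for e in EVENT_ORDER[1:]}
    # A "clean report" is the behaviour the program wants: reported, never clicked.
    clean = sum(1 for ev in users.values() if "reported" in ev and "clicked" not in ev)
    return {"sent": sent, "counts": counts, "rates": rates, "clean_reports": clean}


def needs_targeted_training(campaigns, campaign):
    """Users who clicked or submitted data in the given campaign, sorted."""
    return sorted(u for u, ev in campaigns[campaign].items()
                  if ev & {"clicked", "submitted"})


def repeat_clickers(campaigns, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns."""
    hits = defaultdict(int)
    for users in campaigns.values():
        for user, ev in users.items():
            if "clicked" in ev:
                hits[user] += 1
    return sorted(u for u, n in hits.items() if n >= min_campaigns)


def click_rate_trend(campaigns):
    """[(campaign, click_rate)] in run order, for baseline-vs-later comparison."""
    return [(c, campaign_summary(users)["rates"]["clicked"])
            for c, users in campaigns.items()]


def build_report(text):
    campaigns = parse_events(text)
    latest = list(campaigns)[-1]
    return {
        "summaries": {c: campaign_summary(u) for c, u in campaigns.items()},
        "trend": click_rate_trend(campaigns),
        "train_next": needs_targeted_training(campaigns, latest),
        "repeat_clickers": repeat_clickers(campaigns),
    }


if __name__ == "__main__":
    rep = build_report(SAMPLE_EVENTS)
    for name, s in rep["summaries"].items():
        print(f"{name}: sent={s['sent']} clicked={s['counts']['clicked']} "
              f"click_rate={s['rates']['clicked']:.0%} "
              f"reported={s['counts']['reported']} clean_reports={s['clean_reports']}")
    print("click-rate trend:", rep["trend"])
    print("targeted training:", rep["train_next"])
    print("repeat clickers:", rep["repeat_clickers"])
```

On the constructed data the click rate falls from 50 percent in the baseline campaign to 25 percent in the follow-up, two users now report without clicking, and one user who clicked in both campaigns is flagged both for the next training round and as a repeat clicker. Reporting "clean reports" alongside the click rate matters because a program that only counts clicks gives employees no credit for the behaviour it most wants, which is reporting the message.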
“We try to make everything positive,” explains Bailey. “We’re not here to punish. We’re here to help. We’re all in this together.”