The theme of day two of MapleSEC 2020 was the people-side of cybersecurity—specifically cybersecurity awareness training. CIRA had the honour of moderating two breakout rooms where attendees shared tips and tricks from their experience in cybersecurity awareness training. The idea was to create a catalogue of successes and failures so others could learn from them. This is not a whitepaper on getting started, but a list of good ideas for consideration as contributed by the attendees—and some of them are pretty clever.
Simulations should be relevant—but not personal
One common best practice that came up was that awareness training courses and phishing tests need to be relevant and specific to your employees, like targeting their job role, industry, or unique details about your organization. However, there is a line that can be crossed when your tests become too personal and don't strike the right tone.
For instance, one organization used to run annual fireworks events on Canada Day. Due to budget constraints, they stopped this practice. After this announcement, they ran a phishing simulation that offered a cash credit so employees could go out and buy their own fireworks. It had a high engagement rate but also opened sore wounds among a small number of people. Overall, the campaign was successful in teaching employees to recognize and remember how hackers target individuals with specific details, and was deemed a success by IT and management. But the contributor used this example to remind everyone of the need to consider not only the test itself but also its impact on people.
Another great example, which ended up as a viral Twitter thread, featured a prominent media company that had just laid off hundreds of employees. Soon afterwards, the company sent out a phishing test that offered bonuses to the remaining employees for their hard work. While in a vacuum this might be an effective template, the test was slammed as callous and displayed the organization’s inability to read the room. The test backfired (hence the Twitter thread), which damaged trust between IT and the rest of the organization. In this instance, it is likely that the campaign had been set up months earlier and was automated; it was the timing that was unfortunate.
These stories illustrate why it is important to have clearly established rules of testing—knowing where the line in the sand is—and clearly communicating those to your employees. For example, salary and benefits are always a tricky subject. While these topics are obvious vectors for bad actors because sensitive financial information might appeal to snoopy employees, there can be negative repercussions. Every organization is different, and it’s important you have an understanding of what your culture will accommodate.
It is a generally accepted principle that you should think like the hacker and use information that they would have at their disposal, such as public information like your building’s name or things published on your website or social media accounts. That said, it is generally not a good idea to develop a phishing test based on internal information that nobody else would know. These types of attacks are extremely uncommon in the real world, and end up being too niche and difficult to actually provide a positive training experience. These types of tests are often the result of a team trying to “trick” their users and get a high click-rate, instead of focusing on learning outcomes.
Another example that was brought up was the use of real brands in phishing tests. The attendee who shared this story said they stopped using them because too many employees were calling the brands to complain! For small organizations, this isn’t the biggest concern, but if you have tens of thousands of employees it may be a genuine risk.
Food is a powerful tool in the right hands
One person cited that they had annual pizza lunches but abandoned them because people came for the pizza but then failed horribly when tested. In other words, food as a motivator to attend and benefit from training was not successful.
However, one tip was based on the popularity of food to get people to pay attention to the email. The IT manager said, “It is surprising that our employees get paid so well yet still get really excited about free pizza when it is part of a phishing simulation.”
This was underscored by another attendee who put up posters. The most successful one was a fake ad for free donuts in the cafeteria, used to drive home the message about how easy it is to get tricked. There were no donuts, but you can bet the message was read and, most importantly, talked about and remembered. Then, when followed up with a food-related simulation, results improved.
Training needs to be ongoing and year-round
A frequently raised best practice that we firmly believe in is making training ongoing and year-round. It helps to make the training engaging through alternative non-email methods like social engineering calls, text messages, and USB drops.
This is because training isn’t just about phishing awareness. One IT manager who served government employees had a problem with laptops containing sensitive data being left in people’s cars. The problem is partly solved by encryption, but from a PR perspective, if public data, even encrypted, is stolen, it can become a media frenzy. This illustrates that training should cover physical as well as electronic risks.
Another attendee shared that they folded device security and cybersecurity awareness training into their normal disaster recovery plan. To them, what to do with your device in the event of a fire or emergency is equally a cybersecurity risk as it is a physical security risk. Marrying these two is extremely important, and can also improve engagement.
Another issue came up around gamification and how employees will compete to see who can recognize and report the most phishing emails. This is very important because when you reward behaviour then it can incentivize people to change. In this case, the behaviour we want is to have employees report real phishing attempts and not just the tests.
Unpacking something difficult - risk management as a positive and not a negative
There was one topic that came up towards the end of the session that probably merited a longer discussion. One attendee said their organization used phishing and training data to put users into a “bucket” and to treat them differently. What did this mean?
If an individual user or team exhibited risky behaviours, then the first step is evaluating what information and systems were at risk and then to take appropriate action to limit access. In short, the notion of evaluating individual and departmental risk is part and parcel of IT security management. It is equally critical to use data to make risk-reward decisions. But, when presented in this context, it took on a negative connotation. How an IT team manages risk without alienating the users is a rich area for discussion.
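The gamification point above (reward reporting of real phishing, not just the tests) and the “bucket” discussion (use simulation data to decide where to limit access) both rest on the same thing: per-user and per-team metrics derived from simulation results. As an added example that is not from the session, from CIRA or from any vendor tool, the Python below computes those metrics from a constructed set of simulation and report events. The field names, the click-rate thresholds, the bucket labels and the follow-up actions are all assumptions; the point it makes is that the public-facing output is a reporting leaderboard, while the click-rate bucket only drives a private access review, never a list of who failed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data (not real results). Each record is one outcome:
# kind "sim" is a phishing simulation; kind "real" is a genuine phishing
# email the user forwarded to IT. Field names are assumptions.
EVENTS = [
    {"user": "alice", "team": "finance", "kind": "sim", "clicked": False, "reported": True},
    {"user": "alice", "team": "finance", "kind": "sim", "clicked": False, "reported": True},
    {"user": "alice", "team": "finance", "kind": "real", "clicked": False, "reported": True},
    {"user": "bob", "team": "finance", "kind": "sim", "clicked": True, "reported": False},
    {"user": "bob", "team": "finance", "kind": "sim", "clicked": True, "reported": False},
    {"user": "carol", "team": "eng", "kind": "sim", "clicked": True, "reported": True},
    {"user": "carol", "team": "eng", "kind": "sim", "clicked": False, "reported": False},
    {"user": "carol", "team": "eng", "kind": "sim", "clicked": False, "reported": True},
    {"user": "carol", "team": "eng", "kind": "real", "clicked": False, "reported": True},
    {"user": "carol", "team": "eng", "kind": "real", "clicked": False, "reported": True},
    {"user": "dave", "team": "eng", "kind": "sim", "clicked": False, "reported": False},
]

# Assumed thresholds; tune them to your own programme and culture.
HIGH_RISK_CLICK_RATE = 0.5
MEDIUM_RISK_CLICK_RATE = 0.2


@dataclass
class UserStats:
    team: str
    sims: int = 0          # simulations delivered to the user
    clicks: int = 0        # simulations where the user clicked
    sim_reports: int = 0   # simulations the user reported to IT
    real_reports: int = 0  # genuine phishing emails the user reported

    def click_rate(self):
        return self.clicks / self.sims if self.sims else 0.0

    def engagement_points(self):
        # Reporting a real phish is worth more than reporting a test,
        # because that is the behaviour the programme actually wants.
        return self.sim_reports + 2 * self.real_reports


def summarize(events):
    """Fold raw events into one UserStats per user."""
    stats = {}
    for e in events:
        s = stats.setdefault(e["user"], UserStats(team=e["team"]))
        if e["kind"] == "sim":
            s.sims += 1
            s.clicks += int(e["clicked"])
            s.sim_reports += int(e["reported"])
        elif e["kind"] == "real" and e["reported"]:
            s.real_reports += 1
    return stats


def risk_bucket(s):
    """Private risk bucket from click rate; 'untested' if no simulations yet."""
    if s.sims == 0:
        return "untested"
    if s.click_rate() >= HIGH_RISK_CLICK_RATE:
        return "high"
    if s.click_rate() >= MEDIUM_RISK_CLICK_RATE:
        return "medium"
    return "low"


# Assumed follow-up per bucket: the review is of what the user can reach
# and what they need, not a public list of who failed.
FOLLOW_UP = {
    "untested": "include in the next simulation wave",
    "low": "no action; keep in regular rotation",
    "medium": "offer a short refresher module",
    "high": "review access to sensitive systems with the user's manager",
}


def team_click_rates(stats):
    """Aggregate click rate per team, for the company-wide (non-naming) update."""
    sims, clicks = defaultdict(int), defaultdict(int)
    for s in stats.values():
        sims[s.team] += s.sims
        clicks[s.team] += s.clicks
    return {t: clicks[t] / sims[t] for t in sims if sims[t]}


def leaderboard(stats):
    """Public-facing ranking: rewards reporting, never exposes failures."""
    return sorted(stats, key=lambda u: (-stats[u].engagement_points(), u))


if __name__ == "__main__":
    stats = summarize(EVENTS)
    for user, s in stats.items():
        bucket = risk_bucket(s)
        print(f"{user:6} {s.team:8} click_rate={s.click_rate():.2f} {bucket:8} -> {FOLLOW_UP[bucket]}")
    print("team click rates:", team_click_rates(stats))
    print("reporting leaderboard:", leaderboard(stats))
```

Two design choices carry the page's argument: the leaderboard counts real reports double, so the incentive points at the behaviour you want rather than at spotting tests, and the per-team rate is what goes in the company-wide message while the per-user bucket stays with IT and the manager.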
A few tips and tricks from CIRA
Our own Eric Normandin, ICT Security Analyst, participated in the discussion to provide his expertise on how to conduct successful training:
- Tell employees that they will be tested before you even start testing and begin with training
- Tell employees how many times they will be tested initially, and when they start so they are familiar with the process
- Any higher-than-normal failures should be communicated across the company, but do not name and shame individuals. Remember that even if you aren’t naming them, people who failed a phishing test know it, so keep the message educational and positive.
- Make training engaging and fun whenever possible
- Rules of engagement should be understood by everyone, including management
- Do phishing tests that are fair and realistic—ones that would actually target your organization and not based on specific and unfair insider information
How to get started with phishing tests and training
One final question that we received was how an organization with only a handful of employees, and no IT team, could start educating staff on cybersecurity awareness, or conduct phishing tests. In my opinion, the answer boils down to how much time and expertise you have to spend on this.
If you’re technically proficient, there are free, open-source phishing test tools out there that you can look up. The limitation with these (other than setting them up) is that you have to manually create every phishing campaign you send, so you are balancing a decent amount of effort to execute and measure against the alternative of licensing something.
There are many paid tools out there that make it easier to send frequent phishing tests, and even let you create your own; many have a price that is suitable for small businesses. These tools often combine phishing testing with awareness training in one package, so you have a complete experience for your employees. (Disclaimer: CIRA has a platform like this available that you’re more than welcome to check out.)
As for training, we’ve created a free course that covers the basics of cybersecurity awareness for remote workers—but it’s applicable to all workers. If you have no training in place today, start by sending that to your employees to get the ball rolling. But remember that training that is ongoing and has reward mechanisms is proven to be significantly more successful than one-off pizza lunches.