Justine Brown | October 03, 2016

The benefits of phishing in your own pond

Earlier this year, Atlantic Health System  circulated an email informing employees they had received a raise. The email said employees would earn the salary boost simply by replying to the message and providing additional verification information.

About one-quarter of Atlantic's 5,000 employees opened the email. Of those, two-thirds of them provided the information requested.

But the email was simply an internal test conducted by Atlantic to assess its vulnerability and establish a baseline measurement of employee susceptibility to phishing emails.

Phishing attacks are on the rise and more companies than ever before have been duped into providing sensitive or proprietary information. There were more phishing attacks in the first quarter of 2016 than any other time in history, according to the Anti-Phishing Working Group.

Cybercriminals generate an enormous ROI on successful phishing attacks, which has motivated the creation of increasingly sophisticated and creative phishing "lures." In response, a number of companies dedicated to helping businesses conduct mock phishing tests have sprung up in the past couple of years.

But is phishing your own employees a good method for improving security?

"Phishing your employees is one of the only ways to combat the phishing problem," said Haroon Meer, co-founder of Thinkst, the company behind Phish5. "Fighting phishing requires building phishing antibodies into the company, and the best results we've seen so far comes from internal education coupled with periodic self-inflicted campaigns to bolster the learning."

Businesses phish their own employees to achieve different goals. Sometimes it's motivated by a chief security officer to demonstrate to company leadership the breadth of the problem, which, in turn, can motivate additional security funding.

"Very little convinces people to act better than seeing in black and white that 35% of the organization just gave away their credentials," said Meer.

In some cases, a company may only conduct a one-time test. But other companies regularly conduct tests throughout the year to keep employees on their toes.

"This also allows them to spot trends and allows them to track progress over time," said Meer. Companies can also single out users who are repeatedly susceptible to phishing attacks, allowing for ongoing education.

"Organizations should regularly run tests for employees, to train them to be more observant and catch phishing attacks by doing things like reviewing email address, subject line, attachments and so on," said Santosh Krishnan, chief product officer at mobile security company Lookout.

Education is key

Mock phishing emails are only assessment tools, however. Education is the critical component required to improve employees' resistance to phishing emails.

"Simulated phishing attacks help end users understand they are susceptible to actual attacks, but without an educational component they haven't learned how to protect themselves," said Amy Baker, vice president of marketing at Wombat Security Technologies.

Automatically enrolling people in training within minutes or hours after they fall for an attack can be very effective at changing end user behavior, Baker said. But the type of training is also important.

"We all know that it is easy to zone out while watching video or slide-based training," said Baker. "Short, interactive training modules that are engaging and can be taken when the end user has time are most effective."

"Training also should not be a 'one and done' exercise," she said. "Customers with the most effective programs have a continuous cycle of assessments and training to help reinforce messages."

The internal campaigns work to educate users, but also allow companies to practice emergency response procedures. Then companies can test "how long did it take for the first person to report it to the help desk? How many people reported it? Did the reports cause the security team to scramble or did they block the offending sites quickly and quietly?" said Meer. "Like most things in life, we sweat in practice to avoid bleeding in battle."

The gamification of phishing

Phishing your own employees is not the only way to improve employee awareness of phishing and other security pitfalls. Gamification is another approach.

Wombat recently announced new dynamic reporting, leaderboard and gamification features to help increase an organization's ability to drive successful security education and awareness programs.

"When end users see their department or location is ahead or behind compared to others, it encourages training completion, resulting in higher engagement and awareness," said Baker.

"Without a way to compare users and implement a competitive program, security professionals struggle with engagement and participation. Therefore, we find that sophisticated security awareness and training programs utilize a great motivator —competition — to drive engagement and completion of training."

Combining competition in the enterprise with simulated phishing attacks to can drive behavior change, according to Baker.

"I don't see this as an either/or proposition, but really a 'yes to all,' using all of the tools available to create a strong security culture," she said.

For Krishnan, the more avenues companies use to increase awareness and knowledge of phishing and security overall — whether it's simulated phishing attacks, gamification or other methods — the better.

"Like anything in security, there is no silver bullet," said Krishnan. "We advocate for a defense-in-depth strategy that combines endpoint predictive threat protection, greater visibility and a strong and regular cadence of employee education."