No time like the present for running an ethical and effective phishing simulation
No organization in any industry is immune to a phishing attack. As organizations reduce their office footprints and the world of work has evolved into the now normal hybrid and remote models of working, organizations are wide open to cybersecurity attacks. This hybrid model of more flexible working is likely to be on the increase, and according to CIPD, 85 percent of employees want to split their hours between the office and home, while 40 percent of employers cite hybrid working as their new operational model.
Workplaces are reeling their employees back in as the pandemic eases, and over two-thirds of organizations are expected to adopt a hybrid working model. Amid the excitement of returning to work, cyber vigilance among users may lapse. Threat actors target chinks in an organization's security armor as new apps, devices and user touchpoints are added to the tech ecosystem, each one widening the attack surface. This means that if you haven’t already started planning your security prevention measures, there is no better time to refresh security training.
Security is like insurance, and anything less than the most robust security plan isn’t worth the investment. Many organizations don’t understand the reality of their level of exposure to an attack, the rapidly increasing sophistication of attackers, and what the scale of a potential attack could mean for their operations. The consequences of a phishing attack could mean being unable to trade for a few months, or -- in some extreme cases -- even the end of a business. Security attacks are not the preserve of the financial services industry either -- organizations in education, healthcare, and the public sector are equally susceptible to hacking or phishing scams.
Among other security breaches, phishing is the cause of data attacks in 36 percent of cases. Yet 95 percent of organizations claim to deliver phishing awareness training, which makes it clear that effective training to avert phishing scams is not in place. Running ethical and effective phishing simulations sets an organization up to close any gaps in vulnerability.
Getting started and setting objectives
Phishing awareness training is a necessary reality check for tech teams and plays a fundamental role in ensuring an organization's business resilience. This is because:
- Phishing attacks are becoming more sophisticated and increasingly damaging. It’s vital to ensure every user is vigilant to a phishing scam.
- Ransomware attacks have increased by 148 percent since the pandemic. Their most likely distribution method is via phishing emails.
- Hybrid working has made it more complex to ensure all users are prepared for phishing attacks, as business networks constantly change.
The most effective and instant starting point is to carry out a phishing simulation test. This involves the IT department setting up a fake phishing email, which targets a workforce. Simulations vary widely from a colleague's help requests, to salary emails or flagging an unpaid invoice. This real-life road-test of employees’ responses to a potential scam will provide actionable insights for security managers on how to bolster their network security.
How to set up and run a phishing simulation
- Plan and run a guided session to build vigilance around cybersecurity, ensuring all employees are empowered and engaged.
- Set up an email address for reporting phishing scams. Employees can flag suspicious communication there, so that it’s clear when users have taken action.
- Work with an expert to create valid and ethical scenarios. There is a fine line between creativity and cruelty; a solution such as Cybersecurity Officer as a service (COaaS) includes simulation testing in its service stack.
- Set up a simulation schedule. Not regularly enough to be predictable, but enough simulations to report effectively on the outcome. Once a month is suggested.
- Select target groups on rotation. Breaking down your Active Directory into groups lets you randomize targets for simulations, maximizing the chance that the simulation is not given away and that responses are realistic.
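The rotation step above is easy to get wrong by hand: targeting the same team twice in a row gives the exercise away, while an ad hoc pick leaves some groups untested for a year. The script below is an added example (not part of the original article or of any vendor's tooling) that builds a monthly schedule from a list of directory group names, covering every group once per pass in a shuffled order. The group names are constructed sample values, not real Active Directory data, and the function names are my own.

```python
"""Rotate phishing-simulation target groups across a monthly schedule.

Added example: the group names below are constructed placeholders standing in
for security groups read from a directory; nothing here talks to Active
Directory itself.
"""
import random

# Constructed sample of directory group names (assumption, not real data).
SAMPLE_GROUPS = ["Finance", "HR", "Engineering", "Sales", "Operations", "Support"]


def build_rotation(groups, months, seed=None):
    """Return a list of (month_index, group) pairs, one simulation per month.

    Every group is targeted once before any group is targeted again, and the
    order inside each pass is shuffled so the next target cannot be guessed
    from the last one. A fixed seed gives a reproducible plan for the record.
    """
    if not groups:
        raise ValueError("need at least one group to schedule")
    rng = random.Random(seed)
    schedule = []
    pool = []
    for month in range(months):
        if not pool:
            # Start a new pass over all groups in a fresh random order.
            pool = list(groups)
            rng.shuffle(pool)
            # At a pass boundary, avoid hitting the same group two months running.
            if schedule and len(pool) > 1 and pool[-1] == schedule[-1][1]:
                pool[-1], pool[-2] = pool[-2], pool[-1]
        schedule.append((month, pool.pop()))
    return schedule


def coverage_counts(schedule):
    """How many times each group appears in the schedule (fairness check)."""
    counts = {}
    for _, group in schedule:
        counts[group] = counts.get(group, 0) + 1
    return counts


def has_consecutive_repeat(schedule):
    """True if any group is targeted in two adjacent months."""
    return any(a[1] == b[1] for a, b in zip(schedule, schedule[1:]))


if __name__ == "__main__":
    plan = build_rotation(SAMPLE_GROUPS, months=12, seed=7)
    for month, group in plan:
        print(f"month {month + 1:2d}: {group}")
    print("coverage:", coverage_counts(plan))
```

With six groups and a twelve-month plan each group is targeted exactly twice, never in adjacent months; with a month count that is not a multiple of the group count, no group is more than one simulation ahead of any other.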
How to bait your team ethically
Phishing simulations have in the past been challenged on the basis of ethics. Whilst it’s imperative that an organization runs these simulations, it is typically poor management of the tests that earns them bad press. Some tips to ensure any simulation stays within the bounds of what is acceptable include:
- Keep the proposition professional. Personal life or health issues are too sensitive.
- Never use an employee’s name or image. Employees should not be referenced or implicated.
- Check news stories before choosing your subject. Timing around a sensitive news story could create a negative impact.
How to get the most impact from phishing simulations
An effective phishing simulation is one where users come away with a positive response, whether they fall short or pass. The ultimate aim is to build confidence among workers. Post-testing evaluation is therefore a key step, and it must be handled in the right way. A user who feels they have been drawn in by a phishing scam may feel embarrassed, ashamed or even fearful. These feelings could discourage participation in future tests or create negativity towards their employer.
A best-practice follow-up approach should include:
- Confidentiality -- All data relevant to the testing process must never be disclosed.
- Transparency -- When the test is complete, inform users of the test, reminding them that responses are confidential.
- Clarity and empathy -- Actively engage and empathize with users that have failed, remaining unbiased when communicating what went wrong.
- Strategy -- Follow up with advice and next steps to support users.
- Pragmatism -- Whilst the aim is to fine-tune user skills to reduce human error, be ready to take immediate action if a fail reveals a clear need to bolster security software.
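The confidentiality and pragmatism points above translate directly into how results are reported: security managers need per-group click and report rates to decide where to act, but nobody outside the security team needs to know which individuals clicked. The following added example (not code from the original article) takes a constructed results export, where each row is one recipient, and produces a summary that drops user identifiers, suppresses groups too small to hide an individual, and flags groups whose click rate crosses a threshold. The CSV columns, the threshold and the minimum group size are assumptions chosen for illustration.

```python
"""Summarize phishing-simulation results without exposing individuals.

Added example. The results export format (user,group,clicked,reported) is an
assumption; real simulation tools export in their own formats.
"""
import csv
import io

# Constructed sample export: one row per recipient (not real data).
SAMPLE_RESULTS = """\
user,group,clicked,reported
u1001,Finance,1,0
u1002,Finance,0,1
u1003,Finance,0,0
u1004,Finance,1,0
u2001,HR,0,1
u2002,HR,0,1
u2003,HR,0,0
u3001,Engineering,0,1
u3002,Engineering,1,1
"""


def parse_results(text):
    """Parse the CSV export into a list of dicts with boolean outcome fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "user": row["user"],
            "group": row["group"],
            "clicked": row["clicked"] == "1",
            "reported": row["reported"] == "1",
        })
    return rows


def summarize(rows, min_group_size=3):
    """Aggregate outcomes per group; user ids never reach the output.

    Groups with fewer than min_group_size recipients are suppressed so that a
    rate cannot be traced back to a single person.
    """
    totals = {}
    for row in rows:
        g = totals.setdefault(row["group"], {"recipients": 0, "clicked": 0, "reported": 0})
        g["recipients"] += 1
        g["clicked"] += row["clicked"]
        g["reported"] += row["reported"]
    summary = {}
    for group, t in totals.items():
        if t["recipients"] < min_group_size:
            summary[group] = {"suppressed": True, "recipients": t["recipients"]}
            continue
        summary[group] = {
            "suppressed": False,
            "recipients": t["recipients"],
            "click_rate": round(t["clicked"] / t["recipients"], 3),
            "report_rate": round(t["reported"] / t["recipients"], 3),
        }
    return summary


def groups_needing_action(summary, click_threshold=0.4):
    """Groups whose click rate meets the threshold, sorted worst first."""
    flagged = [
        (s["click_rate"], name)
        for name, s in summary.items()
        if not s["suppressed"] and s["click_rate"] >= click_threshold
    ]
    return [name for _, name in sorted(flagged, reverse=True)]


if __name__ == "__main__":
    report = summarize(parse_results(SAMPLE_RESULTS))
    for name, stats in report.items():
        print(name, stats)
    print("act on:", groups_needing_action(report))
```

Report rate matters as much as click rate: a team that clicks rarely but never reports gives the security team no early warning in a real incident, so both numbers belong in the follow-up conversation.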
Taking the first steps in user training with phishing simulations is a positive tactic in cybersecurity, and could make the difference between a regular day in the office and sitting powerless in the event of an attack.
Gregg Mearing is Chief Technology Officer at cloud-led managed services provider Node4.