How to Get Your Company Invested in Phishing Simulations and Training Programs
Hackers breached a Virginia bank twice in eight months. Total cost: $2.4M.
The heists invoke the idiom, fool me once, shame on you; fool me twice, shame on me.
In 2018, phishing went mainstream because companies didn’t widen defenses beyond perimeter controls that block and tackle -- even after an attack. Businesses of all sizes need to take heed that it’s never been easier for scam artist to launch convincing, targeted campaigns, automated on a global scale to exploit people’s social instincts.
When it comes to anything bad happening, there’s often a sense of “that will never happen to me”...until it does.
Phishing is ubiquitous, so there is no denying that it will happen to someone within your organization -- it’s not a matter of “if,” it’s a matter of “when.” Despite accepting this fate, there can still be pushback within organizations when it comes to phishing awareness and defense.
The problem is, to run a phishing campaign you have to impersonate malicious actors, which may leave employees feeling “tricked” by their own organization. This can lead to common excuses and pushback, including:
It doesn’t comply with HR policies
It will impact productivity because employees will feel uncertain about emails and whether it’s part of the simulation/campaign
The simulation email looks too similar to an internal email already in use
4 Steps to Convert Non-Believers
Excuses are bumps in the road and shouldn’t derail you as security officer, CISO, or director or IT from achieving a wider security culture in your organization. Seek support from your senior management, share the use cases online and try using the following four steps to convert anti-phishing program non-believers:
Communicate and Educate - Whenever there is a disagreement, communication is key. Phishing simulations are no different. If the excuse is that employees will feel uncertain, then take the time to explain the importance of an anti-phishing program and why the business has made the investment. Educate employees about how the skills they gain will help them protect their personal information.
Provide a Plan - It can be easy to say “no” to an idea that isn’t backed by a plan. Before approaching leadership about an anti-phishing program, be sure to think through unintended consequences and outline a plan for each. If productivity is a concern, you may want to consider simulations for the business areas that are most susceptible to phishing and provide a training or quizzes for the other departments.
Make it Fun, and Never Shame - It’s human nature to be competitive, so use that to your advantage. Present phishing simulations as more of a game or challenge to make it appealing. Which employees can be phished the most without clicking on the bait? With simulations you’ll be able to answer that question and publish the results. But no matter what, there should never be any shaming involved. If an employee doesn’t recognize a phishing email, provide (online) training to improve their confidence and willingness to report incidents.
Work with HR - If Human Resources is the gatekeeper, involve them in the process from the start. Offer real examples like the Virginia bank to ensure HR understands the massive financial and sensitive data loss that a business can suffer as phishing attacks become more sophisticated and evade traditional defenses.
Don’t Shy Away From Getting Approval
Seeking approval for anti-phishing programs can seem unnatural. After all, you didn’t need non-technical leadership to grant permission for your multi-factor authentication or next-generation firewall other than as a budget item. But, this security method is in a league of its own since it reaches every part of the organization -- and actually bypasses some existing security prevention.
Depending on the culture of your company it may be an easy sell after a little legwork in explaining the importance of phishing protections. For everyone else, we recommend you are always prepared to answer questions around cost, value, risk, and implementation. If you don’t have the answers, Edgeworx can help. Our security team works to develop individualized strategies that educate and test end users through automated vulnerability simulations and company tailored phishing campaigns.
Contact us today at +1.647.793.4731 to discuss how we can help your employees protect themselves and deliver actionable reporting metrics to produce to company leadership.