Five ways to make a successful anti-phishing campaign
In its latest ebook, A new approach to fake phishing, published on August 24, 2022, CybSafe identified four significant shortcomings of traditional simulated phishing: “They take people by surprise. They are used to assign more training on checkboxes. They focus on the wrong metrics. They’re too short.”
First, the company said that while it may seem counterintuitive, simulated phishing campaigns should never be conducted in secret. It can alter employee motivation and create mistrust, and it doesn’t teach people to recognize the signs of phishing.
“It’s better for people to think they’re still being phished. Because they are, by real criminals,” the company states.
Additionally, CybSafe argues that anti-phishing campaigns should not be used as the sole basis for assigning new training, in a “gun to the head” approach. The traditionally used metrics, click-through rates and report rates, don’t explain “why” people click — and fail. Additionally, “it causes people to associate a failed phishing test with training. It makes training feel like a punishment.”
CybSafe promotes a four-step, “people-centric” approach based on the Agile methodology. Here are Infosecurity Magazine’s takeaways from the company’s ebook.
1. Set specific goals and a long list of critical metrics
The first step in CybSafe’s recommended simulated phishing method, “Define Your Goals and Planning,” begins by listing the goals that security decision makers want to achieve. The ebook gives examples such as “I want to understand the types of email my employees are most likely to interact with” or “I want to increase my employees’ ability to detect and report real phishing”.
These two objectives, for example, are very different. In the first case, security decision makers will focus on how email categories, origins and influencing techniques affect click-through rates; in the second, they will more likely aim to increase the rate and accuracy with which targeted employees report malicious emails.
These objectives can be combined into a single campaign. But to assess them, measuring click rates alone will be insufficient, CybSafe believes.
Here are some other measures to consider:
- Confirmed security incidents related to phishing
- Phishing security incident detection time
- Phishing near-misses
- Number of employees asking for help determining the legitimacy of an email
- Violations of phishing-related policies (such as sharing sensitive information via email)
- The total number of repeat clicks
- Employee satisfaction and attitude surveys
- Direct employee feedback
- Open rate and engagement with phishing communications
2. Involve top management with financial indicators
Once the relevant metrics have been carefully selected, the planning stage is not over. For a successful anti-phishing campaign, security decision makers need to involve people from all areas of the business, including HR and legal teams and senior management.
To engage senior executives, CybSafe recommends using two different arguments. First, “make sure [they] understand the risks” by showing them phishing statistics. “Verizon’s Data Breach Investigations Report is the starting point,” the ebook adds.
Then, “show them how much money your campaign will save” by calculating some of the following numbers:
- Single Loss Expectancy (SLE), the average amount lost per phishing attack
- Annual Loss Expectancy (ALE), the loss caused by successful phishing attacks each year
- Modified Annual Loss Expectancy (mALE), the loss caused by successful phishing attacks each year after you implement your security program
- Return on Security Investment (ROSI), the percentage your security program is expected to save each year
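The ebook lists the four figures but not how they relate, so here is an added example (not from the CybSafe ebook) that carries the standard risk-quantification formulas through with constructed numbers: ALE = SLE × ARO, mALE = ALE × (1 − mitigation ratio), and ROSI = ((ALE − mALE) − programme cost) / programme cost. The loss figures, the annual rate of occurrence and the assumed share of losses the programme prevents are all made-up inputs; the break-even helper shows the smallest mitigation effect that still justifies the spend.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class PhishingRiskModel:
    """Inputs for a simple SLE/ALE/mALE/ROSI business case (all values assumed)."""

    sle: float               # Single Loss Expectancy: average loss per successful phishing attack
    aro: float               # Annual Rate of Occurrence: successful attacks expected per year
    mitigation_ratio: float  # assumed fraction of annual loss the programme prevents (0..1)
    program_cost: float      # yearly cost of the anti-phishing programme

    @property
    def ale(self) -> float:
        # Annual Loss Expectancy = SLE x ARO
        return self.sle * self.aro

    @property
    def male(self) -> float:
        # Modified ALE: loss that remains after the programme is in place
        return self.ale * (1.0 - self.mitigation_ratio)

    @property
    def rosi(self) -> float:
        # Return on Security Investment: (loss avoided - cost) / cost
        return ((self.ale - self.male) - self.program_cost) / self.program_cost

    def justified(self) -> bool:
        # Positive ROSI means the programme saves more than it costs
        return self.rosi > 0.0


def break_even_mitigation(ale: float, program_cost: float) -> float:
    """Smallest mitigation ratio at which ROSI is exactly zero (avoided loss == cost)."""
    return program_cost / ale


def rosi_sensitivity(model: PhishingRiskModel, ratios) -> dict:
    """ROSI for alternative mitigation assumptions, to show executives the range, not one number."""
    return {r: replace(model, mitigation_ratio=r).rosi for r in ratios}


if __name__ == "__main__":
    # Constructed scenario: 50k per incident, four incidents a year, programme costs 40k
    model = PhishingRiskModel(sle=50_000, aro=4, mitigation_ratio=0.6, program_cost=40_000)
    print(f"ALE  = {model.ale:,.0f}")
    print(f"mALE = {model.male:,.0f}")
    print(f"ROSI = {model.rosi:.0%}")
    print(f"break-even mitigation = {break_even_mitigation(model.ale, model.program_cost):.0%}")
    for ratio, rosi in rosi_sensitivity(model, (0.1, 0.2, 0.4, 0.6)).items():
        print(f"  if the programme prevents {ratio:.0%} of losses, ROSI = {rosi:.0%}")
```

The sensitivity sweep is the part worth showing a board: the mitigation ratio is the one input nobody can measure up front, so presenting ROSI at several plausible values is more honest than a single headline percentage.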
3. Establish a reporting mechanism
The second step of the CybSafe method focuses on campaign design. The top two priorities here are adding a report button that any employee can press as soon as they encounter what they think is a malicious email and automating a thank you response.
“Everyone needs a little recognition, and you’ll be surprised what a show of gratitude can do to boost motivation and reinforce good safety behaviors,” the ebook reads.
4. Analyze data to measure technical and emotional drivers
To analyze data from reports, you don’t necessarily need fancy tools – “a great free option is GoPhish […] and a good old spreadsheet,” the ebook reads.
However, CybSafe stresses the importance of extending the analysis to measure not only simple metrics, but also emotional factors – understanding why someone clicked on that email.
CybSafe suggests three ways to measure this: directly in the phishing templates, with point-of-click surveys that appear when someone clicks on a malicious link, or with follow-up surveys that you send later in the process.
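As an added example (not code from CybSafe or from GoPhish), this script shows what the "spreadsheet" analysis from this step and the broader metric list in step 1 can look like in a few dozen lines: it reads a constructed event log in the shape of a simulation tool's CSV export (campaign, recipient, event, timestamp) together with constructed point-of-click survey answers, then computes per-campaign click and report rates, the median time to first report, the recipients who clicked in more than one campaign, and a breakdown of the stated reasons for clicking. The column names, reason categories and all data rows are made up for the example.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed event log (campaign, recipient, event, timestamp). Not real data.
EVENTS_CSV = """campaign,recipient,event,timestamp
Q1-invoice,alice@example.test,sent,2022-09-01T09:00:00
Q1-invoice,bob@example.test,sent,2022-09-01T09:00:00
Q1-invoice,carol@example.test,sent,2022-09-01T09:00:00
Q1-invoice,dave@example.test,sent,2022-09-01T09:00:00
Q1-invoice,bob@example.test,reported,2022-09-01T09:03:00
Q1-invoice,alice@example.test,clicked,2022-09-01T09:05:00
Q1-invoice,carol@example.test,clicked,2022-09-01T09:10:00
Q1-invoice,alice@example.test,reported,2022-09-01T09:20:00
Q2-hr-policy,alice@example.test,sent,2022-11-15T14:00:00
Q2-hr-policy,bob@example.test,sent,2022-11-15T14:00:00
Q2-hr-policy,carol@example.test,sent,2022-11-15T14:00:00
Q2-hr-policy,dave@example.test,sent,2022-11-15T14:00:00
Q2-hr-policy,carol@example.test,clicked,2022-11-15T14:02:00
Q2-hr-policy,dave@example.test,reported,2022-11-15T14:10:00
Q2-hr-policy,alice@example.test,reported,2022-11-15T14:45:00
"""

# Constructed point-of-click survey answers (campaign, recipient, reason category).
SURVEY_CSV = """campaign,recipient,reason
Q1-invoice,alice@example.test,trusted_sender
Q1-invoice,carol@example.test,in_a_hurry
Q2-hr-policy,carol@example.test,in_a_hurry
"""


def load_events(text: str) -> list:
    """Parse the CSV export and convert timestamps so durations can be computed."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def campaign_metrics(events: list) -> dict:
    """Per campaign: click rate, report rate and median minutes from send to first report."""
    by_campaign = defaultdict(list)
    for e in events:
        by_campaign[e["campaign"]].append(e)
    result = {}
    for name, evs in by_campaign.items():
        sent = {e["recipient"]: e["timestamp"] for e in evs if e["event"] == "sent"}
        clicked = {e["recipient"] for e in evs if e["event"] == "clicked"}
        first_report = {}  # earliest report per recipient; later reports are ignored
        for e in sorted(evs, key=lambda e: e["timestamp"]):
            if e["event"] == "reported" and e["recipient"] not in first_report:
                first_report[e["recipient"]] = e["timestamp"]
        minutes = [(t - sent[r]).total_seconds() / 60 for r, t in first_report.items()]
        result[name] = {
            "sent": len(sent),
            "click_rate": len(clicked) / len(sent),
            "report_rate": len(first_report) / len(sent),
            "median_minutes_to_report": median(minutes) if minutes else None,
        }
    return result


def repeat_clickers(events: list) -> list:
    """Recipients who clicked in more than one campaign: a repeat-click signal worth following up."""
    campaigns = defaultdict(set)
    for e in events:
        if e["event"] == "clicked":
            campaigns[e["recipient"]].add(e["campaign"])
    return sorted(r for r, c in campaigns.items() if len(c) > 1)


def click_reasons(text: str) -> Counter:
    """Why people clicked, tallied from point-of-click survey answers."""
    return Counter(row["reason"] for row in csv.DictReader(io.StringIO(text)))


if __name__ == "__main__":
    events = load_events(EVENTS_CSV)
    for name, m in campaign_metrics(events).items():
        print(name, m)
    print("repeat clickers:", repeat_clickers(events))
    print("reasons:", dict(click_reasons(SURVEY_CSV)))
```

Keeping the report-time metric alongside the click rate matters for the "reporting mechanism" goal in step 3: a campaign where half the recipients click but the first report arrives within three minutes looks very different operationally from one with the same click rate and no reports at all.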
5. Define custom training
Once you’ve launched your campaign and analyzed the relevant data, it’s time to act on what you’ve found. Here, CybSafe recommends deploying tailored training – or what it calls “smart” training. “The extent to which you make your campaign ‘smart’ is up to you…and your resources. If you can only support department-level training, do so. If you can only customize by country, customize by country!”
“Don’t use personalization as an excuse to postpone your campaign. Some customization is better than no personalized training,” concludes CybSafe.
Finally, CybSafe wanted to practice what they preached and invited social engineer James Linton to phish Al Parisian, a former chief information officer (CIO) of several insurance organizations and current senior analyst at Celent. The experiment was presented in a webinar hosted by CybSafe on August 24, 2022.