CyLab professor Jason Hong, an author of the study, believes the research findings still hold true today. “The only thing that’s really new is that there are a lot more communication channels [besides email]. Now people try phishing attacks on Facebook or Twitter, but the general theme is still essentially the same. We haven’t seen any major new innovations in phishing attacks, other than the attacker may have more information about you.”
While phishing simulation does provide that “Aha!” moment for many employees, it doesn’t solve all their security awareness issues, says Joe Ferrara, president and CEO of Wombat Security Technologies. “You have to follow that up with in-depth education.”
Pendergast recommends starting off by providing security education on a quarterly basis. Once you determine how many repeat offenders are out there, then “tailor your phishing exercises to your audience,” Pendergast says. For instance, if the sales team is shown to be more susceptible to phishing lures, then send phishing simulations and reminders on a monthly basis.
He also recommends a quarterly refresh on other security awareness methods. “Maybe you’ve got a fun video about phishing that you put out in the first quarter. Then maybe do something on incident reporting in the second quarter. We know that reporting a phishing incident is just as important as not replying to them, so IT can identify where the threat is coming from and go after it,” he adds.
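The reason reporting matters is that a reported message carries the evidence IT needs to act: the envelope sender, the external host that actually handed the message to the company's mail edge, and the link the employee was meant to click. The script below is an added example of that first-pass triage; it is not code from the article or from any of the vendors quoted. The reported message and the relay hostnames in TRUSTED_RELAYS are constructed for the example, and the rule that only Received headers written by your own relays can be trusted is the assumption the origin lookup rests on.

```python
"""Triage a user-reported phishing email: who it claims to be from, which
external host actually handed it to our mail edge, and where its links point.
Added example; the message and relay names below are constructed."""
import re
from email import message_from_bytes
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical: hostnames of the relays we operate. Only Received headers
# written by these hosts can be trusted; anything below them may be forged.
TRUSTED_RELAYS = {"mailstore.corp.example", "mx.corp.example"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)\s*(?:\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[([0-9A-Fa-f.:]+)\]")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample of a message forwarded to the security mailbox (not a real phish).
REPORTED_EMAIL = b"""Return-Path: <bounce@mail.example-lures.test>
Received: from mx.corp.example (mx.corp.example [192.0.2.10])
\tby mailstore.corp.example with ESMTP id abc123; Mon, 1 Jan 2024 09:00:00 +0000
Received: from mail.example-lures.test (unknown [203.0.113.55])
\tby mx.corp.example with ESMTP id xyz789; Mon, 1 Jan 2024 08:59:58 +0000
From: "IT Helpdesk" <helpdesk@corp.example>
To: alice@corp.example
Subject: Password expires today
Content-Type: text/plain; charset="utf-8"

Your password expires today. Reset it at http://corp-example-login.test/reset?u=alice
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an email address ('' if absent)."""
    return addr.rpartition("@")[2].lower()


def belongs_to(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


def external_origin(received_headers, trusted):
    """Walk the Received chain from the newest hop downwards while each header
    was written by a relay we own. The last such header is the one our edge MX
    wrote, and its 'from' clause names the external host and IP that connected
    to us. Returns (host, ip) or (None, None)."""
    origin = (None, None)
    for hop in received_headers:  # headers are prepended, so the top is newest
        m = RECEIVED_RE.search(hop)
        if not m or m.group("by").lower() not in trusted:
            break  # we have left our own infrastructure; stop trusting
        ipm = IP_RE.search(m.group("comment") or "")
        origin = (m.group("from").lower(), ipm.group(1) if ipm else None)
    return origin


def triage_report(raw: bytes) -> dict:
    """Extract sender identity, true origin and links, and list the mismatches
    that justify blocking the origin and taking down the link host."""
    msg = message_from_bytes(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    origin_host, origin_ip = external_origin(msg.get_all("Received", []), TRUSTED_RELAYS)

    payload = msg.get_payload(decode=True) or b""  # None for multipart bodies
    body = payload.decode(msg.get_content_charset() or "utf-8", errors="replace")
    urls = sorted(set(URL_RE.findall(body)))

    from_dom = domain_of(from_addr)
    rp_dom = domain_of(return_path)
    indicators = []
    if rp_dom and rp_dom != from_dom:
        indicators.append(f"envelope sender {rp_dom} differs from From domain {from_dom}")
    if origin_host and from_dom and not belongs_to(origin_host, from_dom):
        indicators.append(f"handed to our edge by {origin_host}, outside {from_dom}")
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if from_dom and not belongs_to(host, from_dom):
            indicators.append(f"link points to {host}, not {from_dom}")
    return {
        "from": from_addr,
        "return_path": return_path,
        "origin_host": origin_host,
        "origin_ip": origin_ip,
        "urls": urls,
        "indicators": indicators,
    }


if __name__ == "__main__":
    for key, value in triage_report(REPORTED_EMAIL).items():
        print(f"{key}: {value}")
```

On the constructed message the script reports a From address inside the company, an envelope sender and a connecting host on an unrelated domain, and a reset link on a look-alike host, which is the set of facts a mail administrator needs to block the origin IP and file a takedown. The chain walk stops at the first Received header not written by one of the company's own relays, because everything below that point was supplied by the sender and can say anything.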
Employees learn faster with ‘conditions’
Famous American psychologist B.F. Skinner trained rats to press a lever by having the lever dispense food, a process he called operant conditioning: behaviour that is promptly rewarded is quickly repeated. Companies use that same psychology today to reward employees who detect and report phishing scams, or sometimes even to penalize them for phishing blunders.
One company that is looking to drive down phishing incidents to below 1% has gone as far as to tie phishing failures into its compensation system, Ferrara says, referring to a customer. “When people do fall for the simulated attacks, they are actually looking at it as part of the methodology in their bonus formula,” he says.
Rewards (even small ones) are more common for employees who can detect real phishing scams. At safety science company UL LLC, when employees detect and report a phishing scam the security team gives them validation by sending them a thank-you note and copying their supervisors, the head of the business unit and occasionally the CEO. “That goes a long way,” says Steve Wenc, senior vice president and chief risk officer.
Insurance provider XL Group created several videos around protecting company information, including from phishing scams, and issued a challenge to employees -- for every view of the video, the company would donate a dollar to Doctors Without Borders, an international medical humanitarian organization that provides aid in nearly 70 countries. The campaign exceeded its goal of 10,000 views, raising $10,000 for the organization.