Let’s be open about phishing14 January 2021
This article is taken from our forthcoming white paper, ‘Your people and your risks: finding balance in the new normal’ in which we take a step back and look at how the behavioural landscape has shifted so dramatically over the last year.
In this extract, we apply this approach to a concern common to all cybersecurity professionals — phishing.
We’re all told repeatedly that what we can’t measure we can’t manage. And if there’s one thing cybersecurity professionals are desperate to manage, it’s the myriad-headed beast called phishing. After all, no matter how many heads are severed from this most dominant of threats, new mutations are ready to rear up to take their place.
So, we measure the hell out of it. Or rather we measure a facsimile.
We throw sim phish campaign after sim phish campaign at our staff. Fake hydras with which we hope to ‘battle prove’ our colleagues while satisfying our need for data. Then we pore over the entrails of:
Bad apples caught out.
But the thing we often forget in our quest for metrics is that such measurement is no passive act. You’re measuring more than just exception events, port scans or patch latency. You’re measuring people. And just like the tailor’s tape that causes a sharp intake of breath when too cold, they will notice. And react.
Engage before you measure
All this means you need to think carefully about your approach when gathering your people-side data. If your ‘ethical’ phishing is conducted cloak-and-dagger – with too little regard for colleagues deceived or the tone taken with the follow-on training – what you gain in graphs you’ll lose in something more precious – trust.
That’s a critical commodity you can’t afford to squander, especially in the midst of a pandemic.
As we’ve outlined in our forthcoming white paper, the need for measurement to answer the question ‘Where on earth am I now?’ has never been greater. It’s vital you understand how your security culture is bearing up in this time of crisis. But it’s just as important that you recognise that your people have never been under greater stress.
So, the need for sensitivity in your people-side metrics is as vital as the urgency in understanding the novel risks of a COVID-transformed world. Which is why recent research on taking a different angle to simulated phishing – emphasising the need for openness and maximising engagement – is so well-timed.
Cast-off the cloaks
The idea is to cast away the cloak and drop the dagger. Forget about maximising the realism of your campaign by keeping the audience in the dark. Instead, prioritise getting your people completely on board, by involving them in every step of the process. Be inclusive and open.
Techniques that can be leveraged in such ‘open phishing’ include:
Involving stakeholders in the design from the start, tailoring the content and cadence that will work best for them and their teams. The aim here is to build trust and gain insight.
Advertising the campaign upfront, making it known you’ll be recognising success publicly and frequently. This shows you respect your colleagues and need their help.
Using a gamified league table, with points scored for phishes correctly spotted (and points deducted for false positives). This should boost high-quality reports on phishing.
- Group support
Maximising crowd power, with a balance between collaboration and competition to suit your teams. The aim is to optimise the sharing of knowledge and learning both within and between teams.
Open phishing isn’t the simplest road to take. It requires tricky conversations and careful tailoring. It involves relinquishing some control. But the sharing of ownership, encouraging your people to own both the problem and the solution, will mean that you’ll have the crowd on your side.
Not on your back.
Doing so will also make your people an active defence. And who wouldn’t prefer a chainmail suit to a host of individual ‘weak links’, given today’s threat-heavy and volatile world?
Look out for ‘Your people and your risks: finding balance in the new normal’ which will be published in the coming days.