Phishing simulation programs, when well designed, can be an effective way to help educate employees about the importance of information security and phishing attacks. However, they also run the risk of alienating employees who feel as though the security team is out to get them or that their employer is putting them through constant tests for no reason at all.
For most employees, the phishing program is the most frequent (or only) contact they'll have with the security team, and how that program is run can heavily impact their opinion of the security team (and how willing they'll be to work with the team in other cases - like assisting with security incident investigations). That also provides an opportunity to pro-actively create a positive relationship with employees who otherwise wouldn't have a positive opinion of the security team.
Whether you're starting a program from scratch, re-visiting an existing program, or running a well-established program, there's always room to improve.
Increase the frequency of simulations: If your phishing simulations are less than monthly, increase the frequency. In one experiment done by Rapid7, where they launched three increasingly difficult phishing simulations over a short period, they found that folks who fell for the first one or two phishes were significantly less likely to fall for the final, most sophisticated campaign.
In other words, the act of falling susceptible to a phishing email made people may closer attention to email. Essentially, the simulation itself served as the moment of learning. Similar experiments have found similar results - that more frequent simulations increase user awareness. That's why I typically advise companies to send monthly campaigns; it's often enough that people remain vigilant, but not so often that it tends to frustrate people.
Add recognition: Much research has been done on the 'game-ification' of security awareness programs, essentially boiling down to the idea that finding the fun (prizes! winning!) in something not particularly fun (phishing awareness training) can aid in knowledge retention and increase engagement. Recognizing employees who do the right thing - either a selection of employees who report your scenarios, or employees who report particularly tricky phishing emails - can be a great way to raise morale, and for employees to think of a phishing program as more than just an annoying test from the security team.
This can be easy (recognizing employees on an intranet site or sending a congratulations email which cc's their manager) or more involved (giving out small gifts or prize drawings such as coffee giftcards or mugs with slogans like 'no clicks given' or 'hooked on phishing'). This step is also key to forming a positive relationship with employees. If phishing simulations become a game for people to 'win' it's less likely to be resented by people who feel as though it's an un-winnable test.
Try more sophisticated phishing lures (as long as they're representative of the emails your employees are receiving). As experiments like Rapid7's have shown, emails which folks fall susceptible to can raise their awareness of other phishing emails. This can help people recognize more sophisticated lures and better prepare them to face real threats.
Techniques to try: buying a few typo-squatted domains, spoofing your own domain, or adopting other techniques used by sophisticated adversaries. It's particularly important to tie the education associated with these simulations to real life emails that have inspired them in order to continually reinforce the threat real phishing emails present, and to help employees understand why they're receiving difficult phishing emails (and that it isn't just a sadistic test designed by the security team).
Send spear phishing emails to targeted groups. Often it's difficult to send sophisticated emails to the entire company and still make them reflective of the types of real phishing emails your employees are receiving. Instead, review the phishing emails your employees are reporting and industry trends to determine which teams/departments/locations are most in need of targeted education.
Typically, I send a series of three, increasingly difficult spear phishing emails to the targeted group. After the scenario concludes, I follow up with an email for all those who were targeted, with an explanation that this is a special scenario outside of the normal, sent to a select group who were identified as frequently targeted by real threat actors. If there's sufficient interest, this may also be followed up with a blog post or announcement detailing the methodology for how the targeted groups were selected, the emails crafted, and the goals of the campaign.
In these cases, I've found similar results to Rapid7's experiments, that more complex and realistic phishing emails tend to raise employee awareness, resulting in higher reporting rates (compared to the rest of the employee population) for several months following the spear phishing experiment (typically between 20-25% higher reporting rates than the employee population as a whole).
Re-evaluate your program. Every program can plateau, and determining how best to move forward is often a matter of consulting the people who interact with your program the most frequently. In the past, I've held small focus groups and conducted one-on-one interview sessions with folks across the organization to solicit feedback. These sessions were often illuminating, helping me identify problems I hadn't known about, and finding causes for problems I did.
For example, when I was observing relatively high and stagnant susceptibility rates and low reporting rates, I was able to use focus groups and interviews to determine whether this was due to a lack of education (were folks unable to identify phishing emails?) or appropriate motivation (did folks not care about identifying phishing emails?). This type of effort makes the most sense when your program is at least a year old (so employees have a strong impression of the program to report on) and doesn't often make sense to repeat frequently. If possible, it's helpful to report any changes made back to those you've solicited feedback from so that they understand you're taking their feedback seriously and value them as a member of the team.
Collect continuous feedback. Similar to an entire program re-evaluation, providing a place for constant feedback can help build a relationship and improve your program. Simple, anonymous surveys added to the bottom of all communications from the phishing team, asking a few questions (did you get the response you were looking for? was it within a reasonable timeframe? how do you feel about the program? etc.) can ensure you're prepared for complaints. Offering a single point of contact (such as a phishing inbox) can filter those complaints directly to you.
If possible, tasking someone to regularly go through feedback and respond can help relationship build. Often, someone lodging a complaint just wants a person to hear and acknowledge it, more than they expect change.
Try a new method of education. In the past, I've found narrative form blog posts describing various types of phishing (text-, voice-, social media, etc.) or specific phishing campaigns to be an engaging way to make cyber threats easily understandable. Stories like Wired's on NotPetya, The Cuckoo's Egg, and Countdown to Zero Day are all great examples of well-researched, approachable tales of cyberattacks with a general audience in mind.
Other options include monthly newsletters (less engaging) and roadshows with security team members talking about real attacks an organization has seen (very engaging). Alternatively, try contests where all employees receive a number of phishing emails (perhaps 6-10) over the course of a month and anyone who successfully reports all of the emails receives a small prize (ideally swag they can keep at their desk to increase word-of-mouth awareness). These are quite popular, though marketing them appropriately is key (anyone who isn't aware of the contest is likely to be annoyed or panicked at the number of phishing emails they're suddenly receiving).
Increase the number and type of metrics you're collecting. If you're already tracking susceptibility rates and reporting rates, try breaking them down into more granular categories like age brackets, divisions/teams, or job functions.
Or, try tracking the number of repeat clickers in order to identify where the problem areas are. Ideally you should see most of your employees fall in the 0-1 clicks (per year) category, with a small section in the 2-4 clicks category, and an even smaller group in the 5+ clicks category. More granular tracking can help you target education or spear phishing exercises to those who need it the most.
Any other ideas on improving phishing programs? Please share them with me - I'm always looking for ways to improve!
