Page 15 - Cyber Defense eMagazine - September 2017

Phishing Yourself: The Finer Points

Before you start gleefully sending complex phishing emails to your own employees, there are a few important things to note. For a start, this type of program isn't something that can be quickly rushed into if you want to see a long-term improvement in employee security behaviors.

To get you started, here are a few things you'll want to consider:

1) Getting sign-off from upstairs

Changing employee security behaviors isn't an overnight fix. In order to see significant and lasting improvements, you need to be consistent over the long term. Yes, you can expect to see a substantial improvement within just a few months, but if you don't want to see your employees slip back into their old bad habits, you're going to need to stick with the program over time.

And what does that require? Support from above, specifically in the form of financial investment.

Make sure you take the time to develop a strong business case, consistently and accurately track your program's ROI, and provide senior management with an ongoing series of performance reports.

2) Make success easy

When most organizations think about phishing defense, they think how great it would be if users simply deleted malicious emails whenever they arose. In reality, though, this is not the best outcome.

Instead, what you really want is for users to report malicious emails to your cyber security experts. This gives you the opportunity to quarantine other emails from the same campaign, adjust your security controls to catch similar malicious emails in the future, and even gather additional material to aid in the production of future phishing simulations.

But in order to gain all these benefits, you're going to need to make the reporting process as easy as possible. To that end, I suggest adding a simple report button directly into your users' email client.

Don't be fooled: this is not a trivial step. The harder it is for busy users to behave the way you want them to, the less likely it is that they'll do so.

3) Train at the point of failure

When you first start phishing your users, you'll notice two things. First, they'll improve very quickly. But second, at the beginning, they'll fail a lot.

But, and this is important, failure is not necessarily a bad thing. Nobody ever learned anything from winning all the time.

Whenever a user "fails" a simulation, they should immediately be directed to a relevant training page, preferably one that includes several different types of media. Video, audio, images, and text are all great media for learning, particularly when they are combined on a single page.


