Shame and Compliance


... Or how to properly embarrass your staff into following cyber policies.

First, I apologize: this actually isn't a step-by-step playbook on how to embarrass your staff into submission. As an organization, if you actually want to keep staff, shaming and embarrassment strategies shouldn't be a go-to practice.

In this article I want to shed some light on, and sprinkle a dash of my opinion over, the practice of "phishing" your own staff.

For those not familiar with the practice, phishing is essentially sending an email or other communication that looks legitimate but is not, and that steers the target into downloading something, etc. etc. (insert "bad" thing here).

It's an insanely popular practice among criminals because of how effective it is. I have seen a lot of phishing scams and honestly it is easy to see why people fall for them.

They are convincing!

Then you tack on "spear phishing", a phishing attack that is specifically targeted at you (basically a narrower focus), and the probability of a successful attack jumps.

In my career I have seen multiple clients fall for the scams.  They fell prey to obvious phishing and cleverly crafted phishing.

Either way it leaves people feeling like garbage.

This brings me to my point.  

Some organizations phish their own people.  Not for any nefarious reasons, but as "education."

It works like this: the organization embarks on a cyber education program geared at enlightening the masses on how easy it is to fall for a phishing scam.

On paper I get it. Phishing scams can be a really good way of demonstrating tangibly that "yes, even you can fall for scams." After the program runs, a communication is sent out saying that "20%" of staff fell for the scam. This would definitely serve as an eye-opener.

I am not trying to convince you to stop this, but what I would like people to do is think about the folks they are "scamming."

Yes the organization was not really compromised and yes people are more aware that phishing scams exist, but at a cost.

Phishing your staff embarrasses your workers and breeds mistrust.

That proverbial "gotcha" moment when the screen pops up on the employee's screen saying "This was just a test, FYI phishing scams are real... stay safe!" Don't forget the thoughts swimming around the employees' heads: "Do they know it was me? Are they keeping tabs? Will I hear about this again? I'm supposed to know better....."

There has to be a better way.

Trust is an easy thing to break and takes a long time to build back up.

So what is the alternative? We still need to protect our assets from intrusion!

Be Proactive

This takes more work, for sure; a lot more planning and thoughtfulness is required. Here are some proactive ideas you could implement.

1. Lunch n' Learns: a ye olde business classic. Is everyone in the office generally available at a certain time? Hold an educational seminar teaching what phishing is. You could bring phishing tests into the seminar here and make a joke of it: "Oh no, John! You got phished! See, guys, how easy it is?"

If you have a distributed workforce this may or may not be easier; on Zoom your audience could be greater.

2. Videos: I think we are all accustomed to these. Day 1 of a new job, you get your access to approved company assets, then you sit for 4 hours watching the compliance videos. "Did you watch the whole thing?" "....Yup."

As a day-one tool, I would not rely on it entirely. I would definitely have new staff watch a video on phishing, but there is an even better method: staged video releases.

Have a series of phishing education videos (your own or curated) and release them every so often in a massive email blast, in a meeting, etc. You could go as far as to have staff click "yes" that they watched it (I actually recommend this).

3. Gamification: dear goodness, this is a motivator. In the classes I teach, whenever I am talking about a dry subject (I honestly don't think any of it is dry, but if I had to pick the one students fall asleep during the most it would probably be Active Directory AGDLP), putting some degree of competition into it improves engagement dramatically.

For example, similar to option 1, you could give a "reward" to the person who is able to identify all of the phishing examples. The reward does not need to be complicated; seriously, even the very fact of knowing that you did better than your colleagues is a huge motivator for some folks.

Gamification is something that could be implemented in so many ways as well. It lends itself well to creativity. Look at your group and decide what works best.

Final Thoughts

Generally, when orgs release a phishing scam on their employees for the purpose of raising awareness of how easy it is to be trapped, I find that it poses a higher risk of creating animosity and mistrust between employee and employer.

I believe you are better off being proactive and engaging with your employees, having a conversation. Trust is easy to break and very difficult to build back up.

Thanks

Andrew Campbell