We’ve all heard of (or worse, been part of) a company with a super strict security team. If you fall for a phishing campaign, you need to report in person to the security department, where they ridicule or chastise you for your error, make you take remedial phishing training and complete an online test, or, worse, revoke your network credentials for a period. While this may be effective from a security standpoint, it’s detrimental to the overall health of the security program. See, presenting a punitive result for an action that, from the end user’s perspective, was simply an attempt to get their work done doesn’t foster knowledge or understanding: it’s simply an attempt at conditioning. This often creates a negative response to, and image of, the security department, both from an interpersonal perspective and from a business perspective.
While it may be our job to keep the company safe, it’s also important to look at the other aspects of the business that we affect overall. We can, of course, bust out the good ol’ CIA triad (confidentiality, integrity and availability) here and point to the last prong of that three-legged bar stool: availability. If we impede a worker’s ability to get work done, they are less productive overall, because that’s what impeding their ability to work does. But that’s kind of a no-brainer... What’s more disruptive to the overall business is how the actions of the response affect the end users. Yes, through the drain on their time, but more importantly through the conditioning we are attempting to provide them. I want to take this moment to remind or clarify something: we as the security team are not a profit center for a business, and if you aren’t building profit, you are a cost center. IT, Security, janitorial staff, office managers: all these groups support a business’s employees by providing them with an internal service that (ideally) makes work smoother; cleaning, networking, organization, it’s all part of the foundation that helps the profit center employees work better.
It’s easiest to think of it like this: the profit center employees help customers, and as cost centers, that makes our customers the staff themselves. So, I pose that we should treat them like customers!
In business we all know the adage that ‘the customer is always right’ and we all know the wink and nod that goes with it, in that ‘the customer is sometimes right’, and that’s where I suggest we at least start from.
If we implement a punitive response to falling for a phishing campaign, whether self-implemented or attacker-originated, and punish our ‘customers’ when they make a mistake in a good-faith effort to work, we are only biting the hand that feeds us, as well as weakening our overall security posture. What I mean is, if we punish our ‘customers’ when they do make a mistake, we are unintentionally conditioning them to distance themselves from us and creating a negative image of the security department, which will hinder further efforts and buy-in down the road.
Think of it this way: if a lab mouse in a maze knows that the third left turn down the maze will get it shocked by a strip on the floor, it will look for alternate routes through the maze or try to bypass the strip, right? People are no different. If a person knows that by reporting that they fell for a phishing campaign they will get a 20-minute lecture from some ‘nerd’ who talks down to them for their ‘ignorance’ of something they probably don’t truly care about, and then homework from HR in the form of a web quiz and remedial training… why would they report it? Would you? And what else wouldn’t you report? If it’s a hassle to talk with the security team, they will avoid it; I’ve seen it time and time again. And in my observations, this is especially true when the phishing comes from the security department itself as internal testing/training. When it’s presented that way and then ‘punished’ by the same department, it’s a real ‘gotcha’ for the employees. I mean, if every time you sat down to eat at a specific restaurant the staff dumped your food into your lap, you probably wouldn’t go there often. I mean, I wouldn’t.
Instead, why don’t we look at some other options that help to foster a “team-oriented high synergy” (gag) environment? What if I told you that we can help to make your overall business more secure, your employees more likely to respond and interact with the security department, and give you lower click rates for phishing emails?
It’s well known that rewarding positive behavior rather than punishing the unwanted behavior is more effective in applications of conditioning. Instead of dumping their dinner in their lap every time they make a security mistake, why not proactively train them with rewards?
One of my favorite, all-inclusive methods of presenting a reward system is the “Gone Phishing” method. It goes something like this: set up a ‘phishing hole’ mailbox for your help desk/IT/security team and start in on your training, but put a fun flair on it. Allow and encourage everyone in the company to forward emails that they suspect are phishing emails, along with examples of why they think so. Then, near the close of the month, people who have submitted legitimate phishing emails with solid phishing-identification reasoning are sent a bag of Swedish Fish! Of course, you can replace this with a punch card for a free coffee after a few weeks’ streak, or whatever your ‘customers’ prefer. But getting buy-in by providing the employees with some reward that they can obtain will boost response considerably.
I love some gamification for things… In fact, most people do. For many people, there’s an innate urge to compete. Another fun, if similar, method (and one that generates a lot of interest because of that competitive urge) is what I call “Operation UFO”. UFO, of course, stands for “Unidentified Fishy Objects”. This method taps that awesomely powerful urge to compete and lets your team use it for training…
Like “Gone Phishing”, set up a dedicated mailbox and have the end users send their phishing emails to it, again with examples of why they were submitted (the more detail the better). And every week, month or other interval, present the submitters of the ‘best’ phishing submissions with a little alien/UFO figurine (you can get a huge load of them from “online retailer X” for cheap). Encourage employees to then display the figurines on their desks, in their cubes, and so on. You may be surprised to see how many employees will flaunt their UFO collection with pride. You can add an end-of-year grand prize of something monumental like a placard award or a timely event tied to the coming raid on Area 51. This also gives you the chance to cull back all the old knick-knacks and reuse them if need be.
Both methods give security a two-way communication street with the employees, which can be used to foster further training within the emails on specific subjects where submissions lack depth or detail. They also provide a reward-based conditioning program that may be wildly more effective in the long run. This helps to build out awareness within your organization, and you may end up surprised at how often employees will ‘just stop by’ to (thinly veiled) ‘chat’ (for some tips and tricks on identifying phishing emails), opening the door for other training and education opportunities.
Any time you have the ability to open the doors of communication among non-departmental peers is an opportunity to invest in your own department’s image. When the security team is generally seen as a group that is protective of and investing in the business and its employees, rather than laying down a punitive hammer and building walls, all levels of the organization’s security posture are bolstered: not only enabling that all-powerful buy-in corporation-wide, but raising overall awareness and education at all levels as well. And with the long net of the end users working alongside your team in the phishing boat, just think of all the information and threat intel you may be able to generate from patterns in the catches!
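As an added example that is not from the original post, here is a small Python sketch of the monthly tally behind either the “Gone Phishing” or “Operation UFO” program, run over constructed sample submissions: it rewards only forwards that the team confirmed as phish and that came with real reasoning, and it aggregates sender domains across all the catches as a first cut at the patterns mentioned above. The record fields, reporter names and domains are all assumptions.

```python
from collections import Counter
from datetime import date

# Constructed sample records of emails forwarded to the reporting mailbox.
# 'verdict' is what the security team decided after reviewing each forward.
SUBMISSIONS = [
    {"reporter": "alice", "date": date(2019, 8, 3), "verdict": "phish",
     "sender": "it-support@examp1e-login.com",
     "reason": "lookalike domain and an urgent password reset link"},
    {"reporter": "bob", "date": date(2019, 8, 10), "verdict": "phish",
     "sender": "payroll@examp1e-login.com",
     "reason": "asks for bank details, sender domain is not ours"},
    {"reporter": "alice", "date": date(2019, 8, 21), "verdict": "phish",
     "sender": "ceo@personal-mail.example",
     "reason": "CEO asking for gift cards from a personal address"},
    {"reporter": "carol", "date": date(2019, 8, 22), "verdict": "legitimate",
     "sender": "newsletter@vendor.example", "reason": "looks weird"},
    {"reporter": "dave", "date": date(2019, 8, 25), "verdict": "phish",
     "sender": "invoice@examp1e-login.com", "reason": ""},
    {"reporter": "bob", "date": date(2019, 7, 29), "verdict": "phish",
     "sender": "hr@examp1e-login.com",
     "reason": "fake HR portal asking for credentials"},
]

def monthly_tally(submissions, year, month, min_reason_len=20):
    """Per-reporter count of confirmed phish with a substantive reason, for one month."""
    counts = Counter()
    for s in submissions:
        if (s["date"].year, s["date"].month) != (year, month):
            continue
        if s["verdict"] != "phish":
            continue  # false positives are welcome, but not rewarded
        if len(s["reason"].strip()) < min_reason_len:
            continue  # a bare forward with no reasoning does not count
        counts[s["reporter"]] += 1
    return counts

def reward_list(submissions, year, month, min_catches=1):
    """Reporters who earned this month's Swedish Fish or UFO figurine."""
    tally = monthly_tally(submissions, year, month)
    return sorted(r for r, n in tally.items() if n >= min_catches)

def sender_domain_patterns(submissions):
    """Sender domains across all confirmed phish: the intel from the catches."""
    domains = Counter()
    for s in submissions:
        if s["verdict"] == "phish":
            domains[s["sender"].rsplit("@", 1)[-1].lower()] += 1
    return domains
```

Note that dave's bare forward is excluded from the reward tally but still counts toward the domain pattern, since the indicator is useful even when the submission did not earn a prize.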