Is there any doubt that phishing is a major threat to all of us? Here’s what Verizon’s 2015 Data Breach Investigations Report (DBIR) said about phishing:
In the 2013 DBIR, phishing was associated with over 95% of incidents attributed to state sponsored actors, and for two years running, more than two-thirds of incidents that comprise the Cyber-Espionage pattern have featured phishing. The user interaction is not about eliciting information, but for attackers to establish persistence on user devices, set up camp, and continue their stealthy march inside the network.
Or, drop a banking Trojan on the computer in the hopes of stealing some money.
What’s the success rate for phishing attacks? The 2015 DBIR said:
23% of recipients now open phishing messages and 11% clicking on attachments.
Clearly, we need to increase employee resistance to all forms of social engineering attempts. But how? And, what are the risks of taking action?
Running your own simulated phishing campaigns seems like a great idea. The effectiveness data published by the vendors is compelling. Judging from what I’m seeing and hearing from IT people over the years, though, there’s an objective missing from the project and operations plans: The campaigns need to be done in a way that trust between employees and management is enhanced, not damaged.
Here are the top risks that I can see:
- Whether it meets the legal definition or not, could employees feel the simulation is a form of entrapment?
- Will employees feel resentful of management if the campaign is “deceptively” launched on them with no warning? Will any feelings of shame or embarrassment cause resentment?
- How effective will further coaching or training to resist phishing be if the employee feels resentment?
- Should employees who repeatedly fail simulated phishing exercises be coached or disciplined? If so, who should do it? Their supervisor? The CISO?
- What if an employee actually causes a data breach by being phished, and you have records of that person repeatedly clicking on the simulated phishing links over a period of several weeks or months with no action taken by management. Will that undermine management’s ability to discipline or fire that person?
- Could an employee, who gets disciplined for clicking too much on the simulated phishing links, be able to successfully defend themselves against management based on how you conducted the campaigns? Such as a man claiming he was unfairly targeted by a message that would naturally appeal more to men than to women?
In the course of researching for this post, I was unable to find any documented cases of people being disciplined due to phishing, either real or simulated. So as an industry we don’t appear to know the answers, but we definitely need to find them before the attorneys and courts figure it out for us.
Did you talk with your HR and legal teams before implementing a simulated phishing campaign? How did you deal with these risks?