Phishing continues to be the most popular route for cyber criminals, and was number one on the Top 10 Common Threat Techniques list in the (ISC)2 Global Information Workforce Study.
Given that anyone can fall victim to a phishing attack, every organisation needs to raise awareness and do more on education. This should take place not just in cyber security and risk teams, but more importantly across the entire employee base.
Educating people on what to look out for in phishing emails is always going to be difficult, particularly in the case of increasingly sophisticated spear phishing attacks. To add to that, the busy rhythms we all work to mean there is often little time to think while reacting to an already packed mailbox. An employee might think, “So what if I click on this link?” or “My IT/security department should be able to protect me if I open this attachment from an unknown source.”
As a result, employees are often unaware of the consequences of their actions. The simplest way of breaking out of this mindset and educating people is by gamifying the process of falling victim to a phishing attack.
A good analogy is to compare an organisation to the human body’s immune system. To become immune to a disease, the body has to be vaccinated. This involves introducing the body, or in this case the organisation, to small, weak doses of the disease so it knows what it’s looking for.
This YouTube video explains how Twitter implemented this concept very well.
In this analogy, the vaccine is telling people not to click on strange links. If they don’t know whether they should click or not, they should ask their colleagues, who might be able to help.
When new employees who are not “vaccinated” join the organisation, it needs a “booster shot”. This is where gamification comes in.
The security team at Twitter actively runs spear phishing campaigns with a number of different attacks to test employees on what they are susceptible to. These are different to awareness programmes, as they are trying to trick staff into falling for it.
The aim, however, is that over time they learn the security culture of the organisation and what to flag to the security team. The business becomes safer as a result.
The security team maintains a feedback loop with new employees, monitoring whether they click links or are becoming familiar with what phishing attacks look like. After each campaign, the security team concisely explains what employees fell for, what they did well on, and how they are protecting the organisation.
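The feedback loop described above can be measured rather than only discussed. The following is an added example, not code from the article or from Twitter's security team: it takes a constructed log of simulated-campaign outcomes and computes, per campaign, the click rate, the report rate, the median time to report, and the new joiners who clicked without reporting (the "booster shot" candidates), plus the employees who clicked without reporting in more than one campaign. All names, dates and the 90-day new-joiner window are assumptions made for the illustration.

```python
"""Score the outcomes of internal phishing-simulation campaigns.

Added illustration, not code from the article or from any real programme.
Each record describes one employee in one campaign: when the simulated lure
was sent, whether and when they clicked, and whether and when they reported
it to the security team.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Result:
    """Outcome for one employee in one simulated campaign."""
    campaign: str
    employee: str
    joined: datetime            # employment start date
    sent: datetime              # when the simulated lure was delivered
    clicked: Optional[datetime] = None
    reported: Optional[datetime] = None


def is_new_joiner(r: Result, window_days: int = 90) -> bool:
    """Anyone who joined within window_days before the send is still 'unvaccinated'."""
    return r.sent - r.joined <= timedelta(days=window_days)


def summarise(results: List[Result], window_days: int = 90) -> Dict[str, dict]:
    """Per campaign: click rate, report rate, median minutes to report, and the
    new joiners who clicked without reporting (candidates for a booster session)."""
    by_campaign: Dict[str, List[Result]] = {}
    for r in results:
        by_campaign.setdefault(r.campaign, []).append(r)

    summary = {}
    for name, rows in sorted(by_campaign.items()):
        n = len(rows)
        clicked = [r for r in rows if r.clicked is not None]
        reported = [r for r in rows if r.reported is not None]
        minutes = [(r.reported - r.sent).total_seconds() / 60 for r in reported]
        boosters = sorted(
            r.employee for r in rows
            if is_new_joiner(r, window_days) and r.clicked and not r.reported
        )
        summary[name] = {
            "recipients": n,
            "click_rate": round(len(clicked) / n, 2),
            "report_rate": round(len(reported) / n, 2),
            "median_minutes_to_report": median(minutes) if minutes else None,
            "booster_candidates": boosters,
        }
    return summary


def repeat_clickers_without_report(results: List[Result], min_campaigns: int = 2) -> List[str]:
    """Employees who clicked and did not report in at least min_campaigns campaigns."""
    counts: Dict[str, set] = {}
    for r in results:
        if r.clicked and not r.reported:
            counts.setdefault(r.employee, set()).add(r.campaign)
    return sorted(e for e, c in counts.items() if len(c) >= min_campaigns)


# Constructed sample data (assumed names and dates, two quarterly campaigns).
T0 = datetime(2024, 3, 4, 9, 0)
T1 = datetime(2024, 6, 3, 9, 0)
OLD = datetime(2021, 1, 11)         # long-serving employee
NEW = datetime(2024, 2, 19)         # joined two weeks before the first campaign

SAMPLE = [
    # Campaign 1: a new joiner and one long-serving employee fall for the lure
    Result("2024-Q1", "alice", OLD, T0, reported=T0 + timedelta(minutes=12)),
    Result("2024-Q1", "bob",   OLD, T0, clicked=T0 + timedelta(minutes=3)),
    Result("2024-Q1", "carol", NEW, T0, clicked=T0 + timedelta(minutes=7)),
    Result("2024-Q1", "dave",  OLD, T0),   # ignored it: neither clicked nor reported
    Result("2024-Q1", "erin",  OLD, T0, reported=T0 + timedelta(minutes=40)),
    # Campaign 2: carol clicks but now reports straight away; bob clicks again
    Result("2024-Q2", "alice", OLD, T1, reported=T1 + timedelta(minutes=5)),
    Result("2024-Q2", "bob",   OLD, T1, clicked=T1 + timedelta(minutes=2)),
    Result("2024-Q2", "carol", NEW, T1, clicked=T1 + timedelta(minutes=1),
           reported=T1 + timedelta(minutes=4)),
    Result("2024-Q2", "dave",  OLD, T1, reported=T1 + timedelta(minutes=25)),
    Result("2024-Q2", "erin",  OLD, T1, reported=T1 + timedelta(minutes=15)),
]

if __name__ == "__main__":
    for campaign, stats in summarise(SAMPLE).items():
        print(campaign, stats)
    print("follow up with:", repeat_clickers_without_report(SAMPLE))
```

The point of tracking the report rate and time to report alongside the click rate is that a click followed by a prompt report is the behaviour the programme is trying to teach; a falling click rate alone says nothing about whether staff know what to flag to the security team.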
In essence, we are teaching employees in our organisations how to better deal with phishing attacks by gamifying them and encouraging a discussion.
Yiannis Pavlosoglou is chair of the EMEA Advisory Council at (ISC)2 and strategic change manager for operational resilience at UBS.