What Can Go Wrong? When Employees Push Back Against Phishing Simulations
Phishing prevention employee training is regarded as a must-have security control by most security consultancies, and many organizations are already training employees to recognize phishing attacks by using phishing simulations. When done in the right way, data shows that this training can dramatically change employee behavior and reduce the risk of falling prey to phishing and the resulting security breaches.
However, before organizations start sending phishing simulations to their employees, they should understand the potential pitfalls: what can go wrong, what is the effect of a poorly implemented phishing training program, and how can it be avoided.
The press reporting on the case of ABN Amro can give us a clue. ABN Amro is a global banking organisation that, like many financial organizations, has a good reason to be concerned about phishing attacks and takes a proactive approach to avoid it. With 17,000 employees in it’s Dutch retail and commercial banking operation it invests significant internal resources in preparing employees and being ready for the next attack.
In December 2017, a phishing simulation was sent to the bank’s employees. It was supposedly about a Christmas present, rewarding their excellent performance. This was a well targeted and believable attack, typical of a sophisticated “spear phishing” campaign. Many employees “clicked the link” and were surprised to find out that it was a training simulation.
However, Amro didn’t anticipate the tsunami of adverse reactions and emotions they received from their employees. It created an internal trust issue crisis which rolled out to the press. Margot van Kempen, the chairman of the council of employees, said bluntly, “This is very annoying for people who feel offended by it.” This was definitely not the outcome that the security managers of ABN Amro wished for.
However, insult isn’t the only emotion that poorly implemented phishing simulation practices can lead to. Some employees can also actively sabotage training efforts by publishing the phishing email on the company’s internal communication channels or on Facebook to forewarn colleagues, who then do not “click the link.” This may be a positive collegial reaction, but it is also one that will hurt the training efforts and therefore put the company at risk.
So how can the training process be managed to avoid negative organizational “noise”, and can we deliver a security training program that creates a positive buzz and true engagement from employees?
We claim it is possible if you play fair. What is the baseline for security training “Fair Play”?
1. Communicate first, before starting the campaigns.
Be open and transparent with your employees about the phishing training process and make sure not to misuse their trust.
Employees do not want to put the company at risk. When employees are told at the beginning of the training process about the objectives of the training, what they are expected to do during the practice, and what they should do in case they find it offensive, they are engaged in a way that promotes good buzz in the organization.
2. A continuous approach aims at a habitual change, not occasional screening
When you are doing a “phishing test” 2-3 times a year, people might be more aware of phishing, but it will not allow them to train in a way that will change their reactions in real-time and their behavior. That is the difference between sporadic training, which can only improve attitude and awareness in general, and continuous training. Habituation is the objective of continuous training: expose employees to many dynamic variations of phishing attacks in real-time simulation so they will gain experience and confidence in their new behavior.
3. Teach, don’t punish
Fair play means that we have a mutual goal together, keeping the organization safe. Punishments are “rules breakers,” and generate a negative attitude. But what shall you do with your employees that keep on clicking?
In the continuous training approach, data shows that even “serial clickers” change their behavior along time, and therefore punishments are not needed. They are only breaking the “fair play” agreement.
We hear from our customers’ many stories how continuous Phishing training helped them to transform their organizational security culture for the better, that we know it is possible.
Fair Play is the ground floor for trust between your security team and your employees.