JK1
Viewer II

Phishing testing - Consequences of failure

Dear Community,

 

We have made use of internal quarterly phishing testing for the past 4 years and have an escalation path for failure that follows:

 

Fail 1: Informal talk from line manager and/or Security and retake phishing course > Fail 2: Formal talk from line manager and retake course > Fail 3: First written warning > Fail 4: Final warning > Fail 5: Potential for dismissal.

 

In discussions with HR they wish to only consider the tests from the past year rather than the whole history. This would mean either ramping up the number of tests or changing the escalation process.

 

I was wondering how others approach internal phishing tests and consequences? Do you consider tests over a year old? If not how many tests do you run and what is the escalation process?

 

 

18 Replies
tmekelburg1
Community Champion

The old carrot vs. the stick question...

We set up initial security awareness training for new hires before we allow full access to network resources. If they don't pass they don't get access, easy enough. They can take it as many times as they would like; it's not a fail-once-and-done scenario. Current staff are enrolled into two KnowBe4 interactive video trainings that take place in the first half and second half of the year. On top of that we send out phishing test emails two times a week. The first time they click on a link or open an email attachment in a test email it gives them a warning and lets them know what they did wrong. The second time they do it, we have them enrolled into smaller 15-minute remedial courses, typically around four extra courses. We've never had anyone get to this point, btw. If it did happen we would cut off access to our client records platform, because they are a risk to the company that we can't allow.

Security has been built into our culture and that's why we don't typically have any issues. I even tell staff to email us suspicious emails if they have any questions of legitimacy at all. I know it's not advised but I want staff to feel comfortable communicating with us when they have any questions at all. If it's a legitimate email, I tell them so and thank them for being proactive.

Long story short, we use the data from when they first start and until they leave. If we re-hire them, I just pull them out of the archive and keep building on the data we already have of them. Their supervisors are notified upon first enrollment into the program, training they need to take/finish, and any outstanding training needed. I hope this helps, whatever you decide to do make sure this gets into a written policy and approved. Then just always fall back to policy.
CraginS
Defender I


@JK1 wrote:

...

I was wondering how others approach internal phishing tests and consequences? Do you consider tests over a year old? If not how many tests do you run and what is the escalation process?


Joseph,

Dr. M. Eric Johnson, Vanderbilt U., along with one of my former colleagues, Dr. Deanna Caputo, MITRE, have been researching this very issue for years. (I was an unwitting participant in one of their research tests Deanna conducted internally in our company some years ago.) Much of their work looks at using the failures as points at which to introduce the training, rather than punishment. I recommend you search out their publications for more detail on what they find works and what doesn't.

You can watch Dr. Johnson's 2011 keynote address to the ISSA International Conference in Baltimore, Human Behavior – The Weakest Link? at

https://www.members.issa.org/page/2011ConferenceRecord?PrivacyNotice

where I first learned of his research (and figured out that Deanna had used me in one of their experiments).

 

To get you started on their recent work, look at

Spear phishing in a barrel: Insights from a targeted phishing campaign
Article (PDF Available) in Journal of Organizational Computing and Electronic Commerce 29(1):24-39 · January 2019 

The actual journal source is here, but at that site you have to pay $51 USD for the paper. The ResearchGate link above has it for free.

 

Here are a few more potentially informative links:

Point-Of-Failure Phishing Training Does Not Work

Going Spear Phishing: Exploring Embedded Training and Awareness Jan.-Feb. 2014, pp. 28-38, vol. 12

 

I recommend a web search on ["m. eric johnson" "deanna caputo" phishing] to find more journal articles and interviews with them on the subject. 

 

For those who run into horrid paywalls for individual papers in professional journals, be sure to search researchgate.net and academia.edu, where authors often post their works for free. Also, write the authors directly to request copies. Most are happy to send out PDFs for free, to get the exposure.

 

Next, a suggestion of my own:

Do not even think about using the punishment route you have outlined until you have in writing a statement from the President, CEO, or Board Chair, approved for broad dissemination in the organization, stating that the policy and consequences apply to all employees, including senior managers, vice presidents, and all direct reports to that top official.

 

Good luck. You have taken on a tough problem.

 

Craig

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts
tmekelburg1
Community Champion

Next, a suggestion of my own:

"Do not even think about using the punishment route you have outlined until you have in writing a statement from the President, CEO, or Board Chair, approved for broad dissemination in the organization, stating that the policy and consequences apply to all employees, including senior managers, vice presidents, and all direct reports to that top official."

He should follow whatever his company's process is when drafting, approving, and disseminating new/updated policy but good point on not doing anything until it's officially in policy and communicated out. Thanks for the resources as well!
dcontesti
Community Champion

So it seems (MHOO) that HR has not bought into Security or the risks. Each organization is different, and depending on where HR resides you might have different routes to take.

 

I agree with you that there should be a history kept (and HR records are the best place to keep them). I disagree with the HR department; only keeping the information for a year is wrong. I am a firm believer that these types of infractions should become part of the employee's permanent file.

 

HR is probably of the mindset that the tests are not real so no damage was done.

 

Do you have a specific awareness program for senior management? If not, this is a good place to start. I would use real-world stats on things like phishing, viruses, and ransomware. Once you have buy-in at the most senior levels then your plan will work....otherwise it's your dept vs their dept.

 

my two cents

 

d

 

Steve-Wilme
Advocate II

As CraginS says, consequences of failure isn't a good way to look at this. Opportunity for improvement and awareness raising in the event of 'near miss' events should work better as a mindset than seeing this as an employee failure. Even CEOs and senior officers can be duped by fraudsters, and believe me, that's going to be a very difficult series of conversations with employment lawyers if you employ a different policy for senior staff and the rank and file. You really have to do what works.

 

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
CraginS
Defender I


@Steve-Wilme wrote:

... Even CEOs and senior officers can be duped by fraudsters, and believe me, that's going to be a very difficult series of conversations with employment lawyers if you employ a different policy for senior staff and the rank and file. ...

 


There is a reason we have the three-level names of phishing, spear phishing, and whaling. Your publicly known seniors are at the highest risk for whaling attacks, yet many organizations allow a culture at the C-suite of "do as I say, not as I do." Once word gets out that a senior who violated policy got a free pass for an infraction that would have meant serious reprisal for a worker bee, your program is shot to hell.

Both to fight the culture of allowances for seniors and to hit home on the dangers of whaling, Diana @dcontesti is right, it is essential that you have a custom awareness program for senior staff, and make sure NO ONE is allowed to skip it.

 

Again, good luck,

 

Craig

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts
JK1
Viewer II

Thank you all for the responses and for the resources; there is lots of food for thought to take away. I feel one thing that I didn't get across is that the thinking behind this is really that disciplinary action is a last resort and we would much rather focus on awareness and training.

 

We are attempting to foster a culture of security that encompasses everyone from the top down and C-suite focused awareness is something I think would definitely be of benefit.

 

Joe

dcontesti
Community Champion

Actually one thing that I should mention:

 

If staff know you test quarterly, they will become accustomed to it and (I like to say) become numb to the tests. This is especially true when there are no teeth/penalty for failure.

 

I fully understand the rationale behind them but they can also have a downside.

 

MHOO

 

d

 

tmekelburg1
Community Champion

To drive the conversation, anyone have any personal experience stories about setting up their SATE program?
Positives and negatives they experienced?
Lessons learned we can all benefit from?
You notice a considerable difference when tailoring the program to specific job roles?