Protecting the Energy Grid from Phishing Attacks Using Cofense

Prompted by the increasing regulations and a recent scare, the company formed a dedicated security team to handle physical and cyber security, reporting directly to the CEO with a key responsibility around educating users about cyber safety. A comprehensive risk assessment conducted at the time showed “phishing is a real and present danger” for the company, so the organization needed an anti-phishing solution that could both educate users and help prevent phishing attempts. “Employee awareness and training became a major plank in our security platform,” according to the cyber security manager. 

Solutions

Choosing Cofense PhishMe

An anti-phishing solution had to meet several criteria – ease of use, good value, compatibility with other systems, and actionable data delivery. After evaluating a handful of solutions, the company decided to conduct a limited proof of concept of Cofense PhishMe. The results sold the energy company on Cofense PhishMe. 

A cloud-based SaaS immersive learning platform, Cofense PhishMe works easily with all major web browsers. It instructs users on the dangers of phishing through periodic simulations. Users must decide if suspected phishes are legitimate or report them as suspicious. “Because we are a global company, we looked for a phishing platform that was extensible. Cofense PhishMe fit that bill because of its worldwide presence and multi-language capabilities,” the cyber security manager says.

Business Results

Initial Reluctance 

The organization’s management originally pushed back on the idea of simulations. “People were concerned about our employees’ perceptions of ethical phishing – that perhaps we were trying to entrap them and be punitive,” the manager recalls.  

“We had to win the hearts and minds of our executive team, so we showed them the amount of phishing and spear phishing emails that were getting into our system. And we emphasized the risk these phishing emails posed to the company, and we got them to agree to a pilot program.” 

The Corporate Security team also agreed its phishing simulations would cover everyone, from the CEO to the mailroom clerk, and there would be no punishment for employees dubbed “frequent fliers” – those who continually fail the tests.  

But what really sealed the deal was a real spear phishing email sent to the CFO, allegedly from their CEO, requesting a money wire transfer. “Our CFO had been trained by being exposed to our simulation scenarios. The email didn’t feel right to him, so he reported it to our cybersecurity team. That was concrete proof of the value of our ethical phishing program.” 

Simulation Program Success   

The energy company launched its simulation program on a small scale by targeting company executives and their assistants. Over an eight-month period, they expanded it to include HR, customer service, legal, corporate security and finance personnel. Each time, the phishing team shared results and susceptibility levels with management. It soon became clear departments that had already experienced phishing simulations had lower susceptibility rates. This proved that training and simulations work. 

As simulations continued, department heads became invested in the program, even treating it as a competition. Our chief legal counsel, whose staff had scored particularly high, the manager says, “sat everybody down, put them through extra training and really emphasized the importance of understanding the effects of a potential phishing attack. Ever since that meeting, his group has consistently scored among the lowest susceptibility rates in the company.” 

Each Cofense PhishMe test generates lots of useful data. The cyber security manager leverages it to identify which departments might need some extra attention. “We use these data to help us plot out our itinerary for one-on-one meetings, so I can say, ‘Let’s start with the 10 facilities that have higher-than-average susceptibility to phishing, and go from there,” notes the manager. 

“Using more of the available data has helped increase the return on our phishing investment. When I can show that nearly 400 employees downloaded a suspicious attachment in one hour, it really raises eyebrows,” the manager says. “Cofense PhishMe provides us with so much data that if you really dig into them and do a thoughtful analysis, they can be very useful.”  

Since leveraging Cofense, the energy company has seen employee susceptibility trends decline. 

Future Efforts 

Management reluctance is no longer a problem, and the manager recalls company executives are very strong supporters and are on board for implementing Cofense Reporter® across the enterprise. “Reporter will provide a very easy and well-defined process our employees can use to report suspicious emails.” Our current reporting process isn’t as well-known and therefore isn’t as well-used as it should be, he says. 

“Deploying Cofense Reporter will give us the chance to reach out to all of our employees, reiterate the dangers of spear phishing, teach them how easy it is to report suspicious emails, and encourage them to do it – often.” Cofense Reporter also should help improve their visibility into the phishing threat landscape considerably, allowing IR teams to respond quickly should a large-scale attack take place. 

The energy company also has been developing its cyber security awareness training – using Cofense CBFree – to reduce the susceptibility of its “frequent fliers.” As the Company continues to develop its training curriculum, the Cofense Team has promptly provided whatever help needed. “I’ve been very impressed with the expertise, the cooperation and rapid assistance we get from the Cofense team,” notes the cyber security manager.