— Security Awareness Manager, Global Manufacturing Company
I’ve managed our company’s security awareness program for three years now. We launched it after a handful of successful spear phishing attacks, realizing that we needed to do a better job of educating users.
We wanted a solution to help them spot suspicious emails, one with strong metrics to help track progress. That’s why we started using Cofense PhishMe and Reporter.
We now send monthly simulations to over 60,000 users. Our reporting rate is often around 30%.
We use PhishMe to run monthly simulations with our global users, all 60,000 of them. The first year of the program our click rate was up around 25 percent. Now we’re under 10 percent, so it’s definitely making a difference. In fact, we used to say that a click rate of 10 percent was good, but now we shoot for eight percent.
I get a lot of positive feedback from people in different departments. They’re interested in the metrics: how is my team doing compared to other teams? For example, our legal department used to be dead last, but after working with me to educate their team their performance has really improved.
The companywide results have been mostly good. In April of 2019 we did a Package Delivery scenario, which got a click rate of only 6 percent and a reporting rate of 29.6 percent. In July, we ran a Quarantine Email phish where 7.21 percent failed, with reporting just under 23 percent.
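The click rates and reporting rates quoted here are what a simulation platform computes per campaign and per team. As an added illustration (not Cofense's code and not this company's data), the following script computes the same two metrics from a constructed set of per-recipient outcomes, breaks them out by department so teams can be compared as described above, and checks the overall click rate against the 8 percent goal the program now aims for. The record layout, the department names and the sample outcomes are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimResult:
    """Outcome for one recipient of one simulated phish (constructed record format)."""
    user: str
    department: str
    clicked: bool    # followed the simulated lure link
    reported: bool   # used the report button; a user may both click and report


# Constructed sample outcomes for one monthly simulation; not real data.
SAMPLE_RESULTS = [
    SimResult("alice", "Legal", clicked=True, reported=False),
    SimResult("bob", "Legal", clicked=True, reported=False),
    SimResult("carol", "Legal", clicked=False, reported=True),
    SimResult("dave", "Legal", clicked=False, reported=False),
    SimResult("erin", "Finance", clicked=False, reported=True),
    SimResult("frank", "Finance", clicked=False, reported=True),
    SimResult("grace", "Finance", clicked=True, reported=False),
    SimResult("heidi", "Engineering", clicked=False, reported=True),
    SimResult("ivan", "Engineering", clicked=False, reported=True),
    SimResult("judy", "Engineering", clicked=False, reported=False),
]


def _rates(results):
    """Click rate and reporting rate as percentages of recipients, rounded to 2 places."""
    n = len(results)
    if n == 0:
        return {"users": 0, "click_rate": 0.0, "report_rate": 0.0}
    clicks = sum(r.clicked for r in results)
    reports = sum(r.reported for r in results)
    return {
        "users": n,
        "click_rate": round(100.0 * clicks / n, 2),
        "report_rate": round(100.0 * reports / n, 2),
    }


def overall_metrics(results):
    """Companywide click and reporting rates for one campaign."""
    return _rates(results)


def department_metrics(results):
    """Per-department click and reporting rates, keyed by department name."""
    by_dept = defaultdict(list)
    for r in results:
        by_dept[r.department].append(r)
    return {dept: _rates(rs) for dept, rs in by_dept.items()}


def rank_departments(results):
    """Departments best first: lowest click rate, ties broken by highest reporting rate."""
    metrics = department_metrics(results)
    return sorted(metrics, key=lambda d: (metrics[d]["click_rate"], -metrics[d]["report_rate"]))


def meets_target(results, click_target=8.0):
    """True when the overall click rate is at or below the target (8 percent, as on the page)."""
    return overall_metrics(results)["click_rate"] <= click_target


if __name__ == "__main__":
    print("overall:", overall_metrics(SAMPLE_RESULTS), "meets target:", meets_target(SAMPLE_RESULTS))
    per_dept = department_metrics(SAMPLE_RESULTS)
    for dept in rank_departments(SAMPLE_RESULTS):
        print(dept, per_dept[dept])
```

Clicking and reporting are kept as independent flags because a recipient who clicks and then reports still gives the SOC the visibility the text describes, and counting that report matters when the goal is to raise the reporting rate rather than only to lower the click rate.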
I do a quarterly newsletter where I stress the importance of reporting suspected phish. We call it out prominently: ‘When in doubt, report!’ We want people to know that if they don’t report, the SOC won’t know about a possible phishing threat.
There are so many ways to tell people what to look for in emails. The best way is to help them through iteration.
When users get simulations each month, they get more chances to practice. When they practice smart behavior, including reporting suspicious messages, they’re going to be more on top of phishing. I do presentations to departments and have a slide showing the Reporter button: ‘Hey folks, here’s what it looks like, it’s easy. Please use it!’
Our SOC tells us that user reporting definitely gives them better visibility to threats. The SOC now has Cofense Triage to sort through reported emails faster, filtering out the harmless ones—like my employee awareness newsletter!—from real phishing threats. They love it. They get thousands of email reports every single day, so Triage saves them a ton of time. The team no longer has to guess about the true nature of an email.
The SOC has blocked a lot of emails that users reported and Triage verified.
Our incident responders see all types of phishing emails, especially credential phish. Recently, there’s been a huge increase in sextortion emails, where the sender uses information from accounts that were compromised in breaches like the LinkedIn hack to scare the recipient into making a payment. The SOC has also been seeing a rise in file-sharing malware, with emails containing links to box.com, SharePoint, WeTransfer, and the like.
Talking to the SOC is an important part of our awareness. I’m working on creating a process to get this information as a matter of course, so if something is a big concern we can work it into our simulations.
Besides communicating with incident responders, my advice to anyone launching a program is to get buy-in from senior leadership. Educate up and communicate up. Otherwise, you won’t be able to sustain your awareness efforts. My VP wants to see our results and report them to the board.
They’re all in. They believe in the program. There’s now an appreciation for the role people can play in stopping attacks.