I’m often asked which employees are most likely to be targeted by phishing emails. It’s interesting to think about, but the truth is that adversaries will target whichever employees can offer access to the enterprise’s network—and that could potentially be anyone in your organization. Recent research from ProofPoint confirmed this, finding that staff-level employees were targeted by phishing attacks more often than middle and executive management.
The takeaway here is that for security awareness to be effective, it needs to include everyone in your organization. Aside from the obvious security necessity, including the entire organization in your security awareness initiatives enhances your program in a number of ways.
First and foremost, inclusion of everyone in security awareness training reduces the security gaps across organization. While training will never be 100% effective, the more people who receive training, the more potential security risks will be reduced.
“Training staff-level employees truly makes security awareness part of your organization’s culture.”
Including executives and senior managers in training exercises creates solidarity within the workforce, as staff will be more likely to embrace the exercise knowing their bosses are participating. Training staff-level employees truly makes security awareness part of your organization’s culture, and helps each employee understand that everyone—not just the IT department—has a responsibility for IT security. If you’re collecting metrics with your campaigns (you should be), including everyone will provide a broader baseline of your user population’s susceptibility and pinpoint strengths and weaknesses in your security posture.
Throughout this blog series, we’ve offered advice for how to maximize your security awareness efforts, however, following much of that advice without also being inclusive could derail your program.
Running an immersive security awareness campaign (such as simulated phishing exercises) requires buy-in from every department in the organization. We have personally seen the pitfalls of running internal phishing campaigns without informing the organization. It’s critical to work with every department to prepare them for any backlash that might occur. Since you’ll be simulating an attack, it’s essential to alert IT as well to avoid triggering response to a simulated event. While involving HR and IT is obvious, it’s important to inform every department in the organization, as simulated attacks can also affect departments, such as the mail room and finance. We’ve seen internal phishing campaigns that employ a bogus package tracking notice disrupt the mail room when recipients flooded the mail room with inquiries about the notice. Disrupting the normal operations of a department will alienate that department and waste organizational resources, so make sure everyone is aware and on-board with a campaign before executing it!
We recommend communicating details about your security awareness efforts to the entire organization, a practice that many security pros resist.
“It’s critical to work with every department to prepare them for any backlash that might occur.”
While it may seem counterproductive to inform people of a simulated scenario, doing so ensures that all who could possibly be affected by the campaign are aware and have the opportunity to bring their concerns to you before executing the campaign. While you don’t need to communicate every single scenario you run, making sure all members of your organization know that simulated attacks are part of your routine is important. An open, inclusive program creates less acrimony at all levels of the organization, as announcing a campaign firmly establishes it as a training exercise. Employees who may feel tricked or targeted by the exercise can be pointed to the announcement as evidence that the security department is not trying to embarrass employees.
Doesn’t informing employees that we’ll be sending them phishing emails undermine the entire purpose? Provided that your purpose is to educate your workforce and improve response to external attacks, it will not undermine your purpose at all. Even if employees are aware that you’ll be conducting a simulated phishing attack, they still have to recognize the email when it arrives in their inboxes. Given that part of the messaging of your awareness training should be that employees need to be on alert for phishing emails at all times, if announcing a campaign prior to sending it succeeds in getting employees to avoid interacting with the email, then it has been a success all around.
From an academic standpoint, it might be interesting to debate which employees are most likely to be targeted by and fall for phishing attacks, but from a CISO’s perspective it’s not a debate worth having. Training everyone not only ensures you cover all the potential gaps; it makes your program a valuable contributor to the organization’s overall security and risk management efforts.