Security Awareness Manager, Global Retailer

Last year, we realized it was time to create a security awareness program. And we were starting from square one—for example, we hadn’t run phishing simulations or educated employees on email scams. What’s more, I’m the only full-time person in my department, plus I also manage our identity and access management program. My plate is pretty full.

We worked with Cofense Professional Services to design and build out the program. Their support has really been great.

As we prepared to launch our program in October 2018, we worked closely with the team in Cofense Professional Services. Kyle, our Cofense analyst, has been a huge help. We meet every Monday to go through the metrics—click rates and user reporting—and refine our road map for simulations using Cofense PhishMe™. He helps me plan and schedule our monthly scenarios, which go to all users, along with choosing the right mix of basic and harder phish.

In the first few simulations, phishing susceptibility was over 30 percent. But in a way, that was ok. Besides not being unusual for the first few tries, it highlighted the need for improvement. We even had a little fun with it, acknowledging that we had a long way to go. Getting people to rally around the need to perform better helped the program gain traction.

We’ve gone from over 30 percent susceptibility to under 15 percent. And our reporting rate has been over 30 percent since we deployed Cofense Reporter™.

Making users aware of phishing was only the first step. We’ve also worked hard to keep them engaged. For instance, I’ve created a series of memes based on movies and TV shows.

Personally, I think it’s important to avoid making security awareness seem daunting. When employees see a message about security, their reaction is often, “Uh oh.” But it’s supposed to be a learning opportunity and they’re not going to learn if they’re scared. Or if they tune out the program because it isn’t compelling.

In addition to the memes, I’ve used digital posters in break rooms to communicate with users. I list the top-performing departments and employees—who’s crushing it this month? Is HR doing better than finance? Gamifying the program has made it a bit more fun. It’s one of the best practices the Professional Services team suggested.

I also want employees to know they’re not being penalized when they click on a simulation. We’re not looking to penalize, we’re trying to change behavior. However, we do require users to take extra training after the third time they fall susceptible. As soon as we adopted this policy, the click rate dropped sharply.

With a 1 to 1 ratio of susceptibility to reporting, we’re off to a solid start. In year two, we’ll build on that.

Looking ahead, I want to communicate even more with employees. Recently, we’ve been using the digital posters to show examples of real phish our SOC has stopped—and give shout-outs to the employees who reported them.

One year into the program, we’re at a good point to analyze what we’ve been doing right and what we need to improve. Looking back, users have performed well against credential phishing scenarios. That’s good news, since the SOC sees a lot of those. On the other hand, we ran a DocuSign phish that users fell for big-time. Our people use DocuSign all the time—it’s a tool they’re familiar with and trust, so they need to be more watchful. In fact, we sent a follow-up DocuSign phish to give folks another chance to show the right behavior.

There are plenty of other phishing tactics to educate users on. I’m looking forward to finding more and better ways to make that happen.