A popular way some organizations are raising awareness about phishing is by engaging in simulated phishing exercises of their workforce. Such simulated phishing can be beneficial, but there are some potential pitfalls and also important things to do to ensure that it is effective.
1. Be careful about data collection and discipline
Think about the data that you gather about employee performance on simulated phishing. It can be easy to overlook the implications of maintaining and using this data. I look at it through the lens of its privacy risks. This is personal data that can be quite embarrassing to people — and potentially have reputational and career consequences. How long will the data be kept? What will be done with it? How securely will it be kept? What if it were compromised and publicized online?
What should the consequences of falling for the fake phishing be? A DHS official recently stated: “Someone who fails every single phishing campaign in the world should not be holding a TS SCI [top secret, sensitive compartmentalized information—the highest level of security clearance] with the federal government. . . . You have clearly demonstrated that you are not responsible enough to responsibly handle that information.” This isn’t currently the policy — just a viewpoint. But it raises the question: Should employees who repeatedly fail simulated phishing exercises be punished?
Punishing people is fraught with danger. Certain types of phishing emails might trick people of certain genders, races, religions, or job responsibilities differently. An email might have a link to a website with items more of interest to men or women. An email about particular stores or businesses might be more enticing to wealthy or less wealthy people. Certain emails might have a better fit with people with certain job responsibilities. It is quite difficult to anticipate and avoid any potential demographic skewing from a simulated phishing email. People who are punished might thus object that they were unfairly targeted by a certain email — and this might open up claims of discrimination, lawsuits, negative publicity, and a Pandora’s box of legal and PR woes.
Simulated phishing works very effectively as an awareness tool. When used in a punitive fashion, it can start to create problems and diminished morale. It can make employees view IT Security as being out to get people. The relationship between IT Security and the workforce should not become antagonistic. Security is best protected when there is a cooperative relationship between IT Security and the workforce.
Moreover, the data about the simulated phishing might be sought after by lawyers in a class action for a data breach involving phishing. If a person who failed phishing simulations multiple times is then the one who clicks on the real phishing email that leads to the breach, the organization might look bad when the simulated phishing data is revealed.
And what if the data were improperly accessed or leaked? Employees who failed might claim that they were harmed by such disclosure. Again, lawsuits, bad PR, and the Pandora’s box.
The takeaway from all this is not to avoid simulated phishing, but to think hard about the data collected and the privacy considerations. There are tradeoffs, and I am not opining on what the best balance is — but I emphatically recommend that an organization think deeply about these issues. I thus recommend that IT Security consult with the privacy team before implementing simulated phishing.
2. Follow up phishing exercises with awareness training
Without awareness training, simulating phishing is little more than a game of gotcha. Phishing exercises should be followed up with training about phishing to reinforce the message and teach employees about the importance of reporting suspicious emails or calls.
As Dan Lohrmann aptly writes: “Sadly some organizations that phish their own staff still do a poor job of security awareness training with their employees. They fail to show staff, in detail, what they should and should not be doing regarding phishing and other online security topics.”
A good employee knows how to spot something suspicious and not to click on anything or provide information to a fraudster on the phone. A great employee knows to report these things to IT Security. Suspicious calls or emails might be sent selectively to only a few employees, and IT Security might not otherwise be aware of them. Once it is aware, IT Security can warn other employees or look for troubling trends, such as an increase in phishing attempts. Employees are IT Security’s eyes and ears, and they can help out a lot.
Thus, it is important not only to train employees on what they shouldn’t do (fall for phishing scams), but also what they should do (report).
3. Security awareness extends beyond phishing
Phishing is only one security threat. There are many others, including forms of social engineering such as baiting (leaving around devices that people plug into their computers out of curiosity) or tailgating (sneaking behind a person into a building; asking to borrow devices, etc.). Another threat involving human error is placing data on portable devices which are then lost or stolen. Downloading software or files is also a risk and can result in malware. Bad passwords — or passwords poorly stored — are yet another risk. So don’t put all security awareness resources into phishing, because it is just one of many risks.
Simulated phishing can be quite a useful awareness tool as part of an overall security awareness program. But it must be implemented thoughtfully and carefully — and combined with awareness training to be most effective.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 900,000 followers.
Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 21-23 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.