The Value of Simulated Phishing: Guidance For Doing So
By Caroline Gilchrist, writer, Skyward, Inc.
The sun has set on summer. But as an orange autumn moon rises to take its place, the waters of cyberspace only become more congested. Phishing, it turns out, is always in season.
Want to give it a try?
I know—you’re one of the good guys, so why would you want to go phishing? The reason is simple: to prevent employees from being hooked down the line. Simulated phishing is a sort of catch-and-release method that can be an extremely valuable asset for IT leaders. Not only do simulated attacks remind employees to be ever vigilant while going through their inboxes, but they also give IT leaders a better idea of whether employees can effectively identify phishing attacks, or if they need additional training.
So, pull on your cap and waders. We’re going phishing!
Before you let your line fly, it’s essential that you fully formulate your plan and discuss it with the leadership at your district. How often will you send out simulated attacks? What program will you use? How will you prepare your employees?
Don’t neglect that last one; making sure employees are up for the challenge is an important part of the process. After all, how can you expect them to identify phishing emails if they don’t know what to look for? Employees can learn to recognize and evade threats through online cybersecurity training programs. (This article gives a nice overview of several programs, including KnowBe4—our favorite.) Some of these programs include simulated phishing as well; no need to phish through a separate organization!
If you haven’t already, set up an easy way for employees to report phishing, ideally both to your email provider and your IT team. If your district’s email platform doesn’t have a simple way to report to the IT team, you can set up an inbox for employees to forward suspicious messages to (for example, firstname.lastname@example.org).
It’s best to keep your plan to simulate phishing under wraps in the beginning. An unannounced baseline test is a helpful way to truly gauge susceptibility to attacks. However, after your first simulation, explain the phishing drill to everyone! Open communication is vital to maintaining trust between leaders and those they lead.
Phishing simulations should be sent periodically, about one to three times per quarter. The attacks should be fairly obvious at first, with easily identifiable red flags, and become progressively more convincing. Over the course of the program, be sure to imitate different phishing methods and social engineering techniques. Hackers are tricky; you should be too!
If you’re planning to impersonate real people at your district (a smart idea—it’s called spear phishing), let them know first. Sure, this kind of advanced notice may diverge from real-life phishing, but our only goal here is to simulate the attack itself—not the confusion that so often follows.
Finally, don’t let your big fish off the hook! Superintendents, principals—all your top administrative personnel should be included in these simulated attacks too, as they are often the most likely to be targeted by hackers.
Reel ’em in
Now it’s time to see who took the bait. After each simulation, gather the data and look at these three important metrics:
- How many people clicked the link
- How many people provided sensitive information such as a password
- How many people reported the email as phishing
As you send out more simulated attacks over time, it will be useful to compare these statistics to determine if employees’ phishing-identification skills are improving.
Next, share the results with your district! Sending an email that lays out the aggregate data will not only keep employees informed but also engaged in your district’s security initiative. In addition to the district-wide email, consider unveiling results on a more individualized basis. Congratulate those who have correctly identified the phishing emails; you could even consider entering them into a drawing to win a prize! On the flip side, gently inform individuals who fell for the simulation that they’ve been duped, and remind them that they can send fishy emails your way for your opinion on their legitimacy. If these employees continue to struggle, provide them with extra training.
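The three metrics above, their trend between simulations, and the list of people who need extra training can be pulled from a simple per-recipient export. The following is an added example written for this article, not code from any phishing-simulation product; the results list, campaign names and user names are constructed sample data, and the export format is a hypothetical one.

```python
from collections import defaultdict

# Constructed per-recipient outcomes, one row per simulation recipient
# (hypothetical export format; not data from any real district).
RESULTS = [
    # (campaign, user, clicked_link, submitted_credentials, reported)
    ("2023-Q3-1", "alice", True,  True,  False),
    ("2023-Q3-1", "bob",   True,  False, False),
    ("2023-Q3-1", "carol", False, False, True),
    ("2023-Q3-1", "dave",  False, False, False),
    ("2023-Q4-1", "alice", True,  False, False),
    ("2023-Q4-1", "bob",   False, False, True),
    ("2023-Q4-1", "carol", False, False, True),
    ("2023-Q4-1", "dave",  False, False, False),
]


def campaign_metrics(results):
    """Per campaign: the three counts from the article, plus each as a share of recipients."""
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "submitted": 0, "reported": 0})
    for campaign, _user, clicked, submitted, reported in results:
        c = counts[campaign]
        c["sent"] += 1
        c["clicked"] += int(clicked)
        c["submitted"] += int(submitted)
        c["reported"] += int(reported)
    for c in counts.values():
        for key in ("clicked", "submitted", "reported"):
            c[key + "_rate"] = round(c[key] / c["sent"], 3)
    return dict(counts)


def trend(metrics, earlier, later):
    """Change in each rate from one campaign to a later one.
    Negative click/submit deltas and a positive report delta mean skills are improving."""
    return {k: round(metrics[later][k] - metrics[earlier][k], 3)
            for k in ("clicked_rate", "submitted_rate", "reported_rate")}


def needs_extra_training(results, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` distinct simulations."""
    clicked_in = defaultdict(set)
    for campaign, user, clicked, _submitted, _reported in results:
        if clicked:
            clicked_in[user].add(campaign)
    return sorted(u for u, camps in clicked_in.items() if len(camps) >= min_campaigns)


if __name__ == "__main__":
    m = campaign_metrics(RESULTS)
    print(m)
    print(trend(m, "2023-Q3-1", "2023-Q4-1"))
    print(needs_extra_training(RESULTS))
```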
In these turbulent times, you might feel you have bigger fish to fry than going undercover as a hacker—but the thing is, this is the big one. It just takes one simple click to wreak havoc in your district. But through training and simulated phishing attacks, you have the power to teach employees to turn their noses up at that tasty-looking bait and become the one that got away.