No single security solution can protect your organization 100% of the time, but a multi-layered approach with your employees as the first line of defense is a good place to start.

Dark Reading Staff, Dark Reading

November 26, 2018

5 Min Read

Where do you start as a chief information security officer to drive the end user behavior change you require, raise security awareness effectively and meet your compliance obligations? The key is to reinforce the right behavior while making the wrong behavior a learning opportunity with just-in-time awareness and reinforcement tools.

A good place to begin is by creating a set of common-sense guidelines for your employees to follow. Next you need to build a comprehensive program including phishing simulations and security awareness training.

Simulation Basics: Look Real, Feel Real
Your simulation campaigns should deliver email messages that look and feel just like the ones your end-users receive. They should appear to originate from inside and outside your organization from both known and unknown sources. Tagging all external email that arrives to your users’ inbox as [External Message] is a great way to warn your users, but this will not help against someone who is spoofing an external partner or has compromised an internal account and is using it to further their attack.

Your end-users have phones, tablets and social media accounts, so they need to be made aware of the dangers these devices pose to their personal information as well as the organization. Reporting will enable you, in real-time, to see how well your end-users are catching and reporting phishing attempts, and will highlight areas that need more education, It will also allow you to adjust the simulation to align them with real world phishing attempts that are becoming even more sophisticated over time.

Learning from Mistakes
Everyone makes mistakes, so why shouldn’t users learn from errors they make without causing a major breach in the process? By deploying phishing simulations, your end users can become phishing detection specialists, who regularly report suspected malicious links, documents, SMS messages and social media posts before someone clicks on the wrong link and the security team gets that dreaded phone call. Soon, your end-users will start to apply what they learn and these actions will become automatic, for example:

  • Protecting against identity theft by not using the same password for every app on their smartphone, including corporate email

  • Understanding that the largest target for hackers is valid credentials

  • Applying the “clean desk principle” by removing the post-it notes with logins & passwords from under the keyboard.

  • Protecting your organization’s intellectual property, the same way they protect their payment card data.

  • Recognizing social engineering and enforcing access control and physical security to prevent folks piggybacking their way into your organization by demanding that strangers provide their pass card and ID

  • Fully understanding your organization’s information classification polices and how they should manage the information lifecycle.

  • Thinking of privacy first and practicing confidentiality on the web.

  • Turning them into mobile users that travel securely.

Managing the Executive Team
As a CISO, one of your many roles is about influencing, stakeholder management, positioning, and communication. You must walk that fine line of getting the board to think like you do. When you succeed, they release the funds and resources required for the security solutions you need. Most importantly, you need to ensure that the C-suite sees the benefit in what you are proposing.

During your quarterly executive meetings, you will need clear and concise reporting to accurately provide your board with the latest condition of your largest attack surface, your users. You will also be able to show them continuing improvement over time, because phishing awareness, and continued testing is now a crucial part of your investment in securing your business.

Building the Program

  1. When building a phishing simulation program consider the following eight steps:

  2. Clearly define the strategy, including the simulation objectives, lines of communication and response.

  3. Delineate frequent and sophisticated scenarios for users with escalated privileges or roles within your organization (e.g. IT administrators, finance).

  4. Make it clear to all stakeholders who and when will be notified of a phishing test.

  5. Vary the messages sent during a single simulation to reduce the chances that users will share the exercise with their peers.

  6. Perform a validation and clean-up of email addresses before proceeding with the simulation.

  7. Determine what the response of the security team should be for users who detect phishing and report it as real,

  8. After a simulation, report the results to management and users.

  9. We do not recommend sanctions for users who fail the initial tests. Take the time to teach them to recognize phishing and what they should do.

No single security solution can protect your organization 100% of the time, but if you leverage a multi-layered approach with your employees as your first line of defense and arm them with the confidence and the ability to easily detect phishing attempts, you will greatly reduce your largest attack surface – your users.

Read more about Terranova’s phishing simulation

About the Author
Theo Zafirakos, CISSP, Terranova CISO Coach, is a skilled professional experienced in the domain of information and cybersecurity. He is able to communicate well with all levels including C-suite, senior management, and technical staff, in identifying, evaluating, and managing information security risks in a manner that meets internal and regulatory requirements. He can provide subject matter expertise and thought leadership in all areas of information security for the creation and management of strategy, programs, governance, information risks, and compliance. Zafirakos is highly organized, analytical and motivated in resolving challenges and conflicts. He is responsible for all areas of information security for creation and management of strategy, programs, governance, information risk assessments, and compliance for Terranova and leads Terranova’s Professional Services team that helps clients implement and execute information security awareness programs with measurable results. 

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights