How would you feel if you found out 57 percent of your organization clicked on the link in a phishing simulation email? I pondered this question in the aftermath of a phishing simulation I recently conducted. It involved a group of about 100 people who were prospective attendees at a local chamber of commerce event where I would be presenting. After considering the circumstances, I concluded two things: (1) the manner in which we conducted the phishing simulation made clear why this type of attack is so successful; and (2) this event presents an opportunity for in-house counsel to educate the C-suite and the organization about cybersecurity as a strategic enterprise business risk.

About a week prior to my presentation, the 100 prospective attendees received an email from me. In that email, I asked the recipients to review a slide for my upcoming presentation by clicking on an embedded link, which routed them to a site that looked like Google Docs. At that site, they were asked to sign in again with their email credentials. On the day before my presentation, I received no fewer than 12 phone calls from people who wanted to help and had tried unsuccessfully to review the slide after repeatedly clicking on the link.
About 10 minutes into my presentation the following day, I asked the audience if they might have received a phishing email in the last few days. As the question hung in the air, I saw some sheepish looks as many realized where I was taking the conversation. The results of the simulation got everyone’s attention: 76 percent opened the email; 57 percent clicked on the link; and 37 percent repeatedly tried to submit credentials, which could not be accepted.
Why was this simulation so successful? It used social engineering to exploit trust and people's desire to help when asked. In my case, the email came from the speaker and carried a seemingly innocent request, and it counted on recipients assuming that an email from the speaker must be legitimate. A close look at the email, however, would have shown that the sending address was intentionally misspelled: the domain used two L's in "Donelson." The simulation also leveraged the fact that most people want to help when asked.
The sobering reality is that, had this been a real phishing email, clicking on the link could have delivered malware to the recipient's machine, and the credentials typed into the fake Google Docs page would have been harvested by the attacker. This data emphasizes that the weakest link in good corporate cyber hygiene is us! The most common type of phishing attack I see these days goes something like this: a seemingly legitimate email from the CEO/CFO/controller requests that a payment be wired somewhere. The recipient assumes the email is legitimate and sends the wire. These attacks are now so sophisticated that the attackers have already compromised the executive's mailbox and read the correspondence, so the fake request matches the executive's tone, contacts and timing and appears entirely "authentic."
While a phishing simulation can reveal serious vulnerabilities, it also creates an opportunity to educate the C-suite and the entire organization that cybersecurity is a strategic enterprise business risk. Good cyber governance means three things: 1) understanding where your data is and how it runs through your system; 2) identifying how cyber information is reported through the organization to the C-suite and the board; and 3) ensuring a current information security plan is in place.
Now consider phishing in the context of creating a good information security plan. It should include technology that flags suspicious emails (e.g., an email from a law firm whose sending domain misspells the firm's name). It should also include processes and procedures that are followed whenever someone receives an email requesting a wire. Lastly, training multiple times over a year to educate employees about the characteristics of phishing emails is a must.
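The misspelled-domain tell described above (the two-L "Donellson" address, or a law firm's name misspelled in the sender's domain) is something a mail filter can check mechanically. The following is an added example, not code from the author or his firm: it classifies a From: header against a constructed allowlist of trusted domains and a constructed directory of known senders, catching near-miss spellings by edit distance, trusted names embedded in a longer attacker-controlled domain, and a familiar display name arriving from an unexpected domain. The domain lists, the names and the distance threshold are all assumptions for the demonstration.

```python
from email.utils import parseaddr

# Constructed allowlist of domains this organization trusts (example data for the
# demonstration, not any firm's real allowlist).
TRUSTED_DOMAINS = {"bakerdonelson.com", "example-bank.com"}

# Constructed directory of people whose display name should only ever arrive from
# a particular trusted domain (example data).
KNOWN_SENDERS = {"justin daniels": "bakerdonelson.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insertions, deletions, substitutions) between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def split_from(from_header: str):
    """Return (display name lower-cased, sender domain lower-cased or None)."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return name.strip().lower(), None
    return name.strip().lower(), addr.rsplit("@", 1)[1].lower()


def classify_sender(from_header, trusted=TRUSTED_DOMAINS, known=KNOWN_SENDERS, max_distance=2):
    """Classify a From: header. Returns (verdict, related trusted domain or None)."""
    name, domain = split_from(from_header)
    if domain is None:
        return "malformed", None

    # Exact trusted domain, or a subdomain of one (mail.example-bank.com).
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted", t

    # Near-miss spelling of a trusted domain: the two-L "Donellson" trick, a
    # dropped letter or a swapped character. The threshold is a tuning knob;
    # very short domains need a smaller one or they will match unrelated names.
    closest = min(trusted, key=lambda t: levenshtein(domain, t))
    if levenshtein(domain, closest) <= max_distance:
        return "lookalike", closest

    # Trusted domain embedded in an attacker-controlled one, e.g.
    # bakerdonelson.com.evil.net or login-bakerdonelson.com.
    for t in trusted:
        if t in domain:
            return "embedded", t

    # Display name of a known person, but from a domain we do not expect them to use.
    expected = known.get(name)
    if expected and expected != domain:
        return "display-name-spoof", expected

    return "unknown", None


if __name__ == "__main__":
    # Constructed sample headers for the demonstration.
    samples = [
        "Justin Daniels <jdaniels@bakerdonelson.com>",
        "Justin Daniels <jdaniels@bakerdonellson.com>",
        "Justin Daniels <jdaniels@bakerdonelson.com.evil.net>",
        "Justin Daniels <jd1234@gmail.com>",
        "Accounts Payable <ap@vendor.example>",
    ]
    for header in samples:
        verdict, related = classify_sender(header)
        print(f"{verdict:<20} {related or '-':<22} {header}")
```

In practice this check would sit behind SPF/DKIM/DMARC verification rather than replace it: those controls stop someone sending as the real domain, while the lookalike and display-name checks catch the registered-next-door domains that authentication passes cleanly. Anything that lands in the lookalike, embedded or display-name-spoof buckets is a good candidate for a visible banner on the message and for a wire-request hold.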
Evaluate what processes and procedures are needed when an email from the CEO or CFO requests a wire. Should there be at least a two-step process in which the CEO or CFO verbally confirms the request (by a call placed to a number already on file, not one supplied in the email), or in which certain wires require the written approval of at least two people? The idea is to implement a control under which an email alone is never sufficient to initiate a wire transfer.
Training employees to identify the characteristics of phishing emails sounds easy; however, you need to account for human nature in its implementation. If you bombard employees weekly with phishing reminders, they will very quickly treat them like spam and hit the delete button. On the other hand, training employees only once a year or once a quarter will be forgotten amid the daily clutter of their overcrowded inboxes.
What does seem to resonate is making the education fun. One might consider a variant of a bug bounty for the employee who reports the most phishing emails in a given month. Another effective technique is to send an alert that reproduces an actual phishing email the organization received and points out what gave it away, so employees can see the tells for themselves.
I recently interviewed an in-house counsel on the Baker Donelson podcast Cyber Exchange, and she talked about the increased effectiveness of employee phishing training when there was real thought behind making it more engaging. She also emphasized that the success of such training depended heavily on the C-suite clearly communicating to employees the importance of good organizational cyber hygiene.
Phishing will continue to be the most effective cyberattack method because it takes advantage of human nature that is under siege from the dizzying pace of technological innovation. Phishing simulations also provide a teaching opportunity for in-house counsel to demonstrate to the C-suite and board that cybersecurity is a strategic enterprise business risk. The C-suite, in turn, must communicate to the organization that good cyber hygiene is a priority of the organization. Once that is done, in-house counsel need to quarterback a cross-functional team to create interactive, interesting employee training around phishing as part of an overall information security plan. Only then can you begin to reel in the big phish.
Justin Daniels provides strategic business and legal advice on cybersecurity issues for middle market companies. A shareholder at Baker Donelson, Daniels founded Atlanta Cyber Week and launched the podcast Cyber Exchange in April.