Spear phishing attacks - an acute threat
Especially in times of corona, attackers increasingly exploit the 'human weakness' and use various manipulation techniques to steal passwords, data or large sums of money. Just a few years ago, the attacks of cyber criminals were random and immature: an unspecific phishing e-mail, such as a fake Amazon invoice, was sent to countless recipients with a generic salutation. Nowadays, however, attackers take advantage of the wide range of information they can view online about the target person. They gather this information via social media such as XING, LinkedIn or even Facebook and can easily use it for targeted spear phishing attacks. This is exactly what makes these attacks so difficult to detect.
Security awareness trainings: realistic & regular training
The question therefore arises as to how users can best be prepared for targeted and well-prepared attacks. In everyday life, it is often habitual automatisms that lead to dangerous situations. First of all, it is therefore important to understand how users can permanently change their habits. Philippa Lally and her team from University College London (Lally, van Jaarsveld, Potts & Wardle, 2010) showed that it takes about 20-66 days of repetition before a habit runs automatically, with more complex behaviours requiring more time. So for the participants, it takes some time of repetition before critically reviewing e-mails and noticing any abnormalities becomes part of their daily routine.
How can security awareness be trained?
One of the classic methods for transferring knowledge is classroom training, which has the advantage of being able to involve all participants directly. However, there are clear disadvantages in terms of time efficiency and scalability. Furthermore, the content is not repeated often enough to bring about a change in the behaviour of the participants: even after a captivating and informative training, everyday life has regained the upper hand after a few weeks and the good intentions are gone. In addition, in times of corona, classroom training cannot take place at all or only to a limited extent due to the health risks.
In addition to classroom training, e-learning modules or webinars are also available to ensure that participants get basic knowledge. This measure scores well in terms of scalability and can therefore regularly provide a 'nudge' in the right direction on a wide range of topics. In addition, these digital learning events can also be easily implemented in times of working from home. However, even with this measure, the company does not find out how the employees deal with phishing attacks in everyday life - so it remains unknown whether the measures taken are already sufficient or whether further activities are necessary.
Phishing simulation leads to both a transfer of knowledge and a change in the behaviour of the participants: it provides regularly recurring challenges in everyday working life and makes use of the 'most teachable moments'. In addition, the simulation enables the measurement of awareness and thus provides evidence of the effectiveness of the measure and the current security level. The disadvantage that the focus here is only on phishing attacks can be compensated by combining this measure with e-learning and/or face-to-face training. Potential problems - such as frequent internal inquiries and disgruntled employees - can be prevented with the help of a well thought-out introduction and good communication. If this is taken into account, this effective training measure can even have positive effects on the perception of IT security officers.
If you decide to use phishing simulations as a training method, there are therefore 5 must-haves to consider for a successful implementation:
The 5 must-haves for security awareness trainings
- Realistic spear phishing simulations
Simulations should be implemented as realistically as possible for an ideal learning effect and safe handling. Simply sending mass e-mails to everyone is no longer enough today: adapted to the real actions of cyber criminals, the attacks should be customized for your company and individual users. For example, information from professional and social networks can be used to realistically personalize the simulation. In this way, current attack vectors and ruses are always covered and the participants are optimally prepared for the emergency in a protected environment.
- Get meaningful results from phishing simulations
Click rates alone are not a good metric for evaluating security awareness. They can vary greatly from e-mail to e-mail - especially when internal information is used. It is easy to create a phishing e-mail that 80 percent click on, or one that only 2 percent click on. However, this does not say how good the employees really are, but only how well the phishing e-mail was prepared.
Therefore, a procedure for standardized measurement should be used, in which spear phishing e-mails of different levels of difficulty are sent. In this way, security awareness can really be measured, and changes can be detected when the measurement is repeated.
The scientifically developed method of the Employee Security Index (ESI®) can help here: with the ESI®, the security awareness of the participants can be determined precisely and made visible. This transparency makes it possible to plan further actions in a targeted manner for groups of different strengths and to check the success (Return on Security Invest - ROSI) of training methods.
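To make the difference between a raw click rate and a standardized measurement concrete, here is an added illustration (it is not the ESI® method or any vendor's code): every group receives simulated e-mails at the same fixed set of difficulty levels, the score weights resistance to harder e-mails more, and, following the page's later point about anonymous, group-based analysis, groups that are too small are not reported. The level weights, the minimum group size and all sample records are constructed assumptions.

```python
"""Difficulty-weighted awareness score for a phishing simulation (added example)."""
from collections import defaultdict

# Weight per difficulty level (assumption): resisting a hard spear phishing
# e-mail says more about awareness than resisting an obvious mass mailing.
LEVEL_WEIGHTS = {1: 1, 2: 2, 3: 3}

# Groups smaller than this are not reported, so no individual can be singled
# out from the figures (threshold is an assumption).
MIN_GROUP_SIZE = 5

# Constructed records: (group, difficulty level, clicked?) per delivered mail.
SAMPLE_RESULTS = [
    ("sales", 1, True), ("sales", 1, False), ("sales", 1, False),
    ("sales", 2, True), ("sales", 2, False), ("sales", 3, True),
    ("finance", 1, False), ("finance", 1, False), ("finance", 2, False),
    ("finance", 2, False), ("finance", 3, True), ("finance", 3, False),
    ("board", 1, False), ("board", 3, False),  # too small to report
]


def awareness_scores(records, weights=LEVEL_WEIGHTS, min_size=MIN_GROUP_SIZE):
    """Return {group: {"n", "click_rate", "score"}} for reportable groups.

    score is 0-100: the weighted mean over levels of (1 - click rate at that
    level). A group not tested at every level gets score None, because the
    measurement is only standardized when everyone gets the same difficulty mix.
    """
    per_group = defaultdict(lambda: defaultdict(list))
    for group, level, clicked in records:
        per_group[group][level].append(clicked)

    report = {}
    for group, by_level in per_group.items():
        n = sum(len(v) for v in by_level.values())
        if n < min_size:
            continue  # suppress: group too small for anonymous reporting
        clicks = sum(sum(v) for v in by_level.values())
        entry = {"n": n, "click_rate": round(100 * clicks / n, 1), "score": None}
        if all(level in by_level for level in weights):
            resisted = sum(w * (1 - sum(by_level[lvl]) / len(by_level[lvl]))
                           for lvl, w in weights.items())
            entry["score"] = round(100 * resisted / sum(weights.values()), 1)
        report[group] = entry
    return report


if __name__ == "__main__":
    for group, entry in awareness_scores(SAMPLE_RESULTS).items():
        print(group, entry)
```

With the constructed data, sales shows a 50 percent click rate but a score of 27.8 (it failed the hard e-mail), while finance shows 16.7 percent and a score of 75.0, and the two-person board group is withheld entirely.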
- Producing a lasting learning effect
As Philippa Lally (see above) has shown, people do not learn things overnight: changing trained behaviour requires a certain tenacity. For this reason, an automated tool should be used - through scalable and continuous training, all participants adopt safe behaviour in the long run.
The results speak for themselves: Our customers usually need at least 6 months to achieve secure behaviour throughout the company.
- Embedding the security awareness campaign in the corporate culture
It is particularly important to achieve acceptance among employees for the security awareness measures and to give them a good feeling. Under all circumstances, a feeling of surveillance should be avoided. The tenor should not be "the IT against the employees", but "the IT for the employees".
Therefore, the simulation should be announced in advance and the employees should be made aware that IT security cannot be achieved by technology alone. Only together, technology and users, can current attacks be repelled. Everyone must do their part. In order to support colleagues in this, an interactive training programme is introduced which will also help employees in their private lives.
Also make it clear that there is a protected framework: the analyses should always be anonymous and group-based and should not allow any conclusions to be drawn about the behaviour of individuals. Employees will then be happy to take part and incorporate the topic of security awareness into their everyday lives, both at work and at home.
- Involve works or staff council
The works or staff council should be informed at an early stage and its questions should be included. It is their task to protect the employees and it is therefore only normal that they ask questions about the process.
We can recommend the following points for dealing with works and staff councils:
- Resolve open issues
- Communicate early and transparently to committees such as the works council, to employees and to superiors
- Focus on the training character of the simulation - the benefit in private life is also attractive
- Communicate results only in anonymous form
If this is well prepared and the above-mentioned points are respected - especially the protection of employees through anonymisation - a smooth process can be ensured. Most works councils even expressly welcome the measures, as they teach employees important skills for their private lives while remaining entertaining.
If you follow these tips, nothing stands in the way of an instructive and successful spear phishing simulation.