For a Stronger Human Firewall, Use Tough Love

It all started with a valentine.

Earlier this year, my team and I aimed Cupid’s arrow at Businessolver employees to show them that—to borrow a phrase—there’s a thin line between love and bait: We orchestrated a phishing simulation via an email claiming to be from our CEO wishing them a happy Valentine’s Day.

Was it mean? Maybe a little. Did it work? Like a charm.

About a third of our nearly 1,400 employees were caught in the Valentine’s Day fake phishing net, believing our CEO had sent them a holiday greeting. However, word quickly spread among the entire workforce, giving our tech and security teams the effect of having initiated engaging, just-in-time, pass-it-along security training that employees will remember going forward. Employees are now far more likely to think twice before opening and/or clicking on a link in an email—from our CEO or anyone else—which for my team is mission accomplished. (I concede that it does raise a bit of a problem for our employee engagement team, though.)

When you’re tasked—as IT and security teams are now—with stretching the “human firewall” beyond the perimeter of an organization’s headquarters to reach hundreds of home offices across the country, the ends justify the means. In other words, today’s cybersecurity training has to incorporate a little tough love.

As I’ve noted previously, today’s hackers are smarter, faster, and bolder than ever before—and we security professionals are in a race against time, technology, and human nature to catch up. According to the 2021 Gone Phishing report, co-sponsored by Microsoft and Terranova Security, after launching phishing attempts on some 1 million employees working across multiple industries and organization sizes, about one in five (19.8%) clicked on the phishing email link and 14.4% went even further, downloading a document offered on the phishing simulation web page.

One-fifth of your workforce opening the door to potential hackers is a nightmare scenario, designed to keep security pros up at night—so imagine my horror at one-third. Still, it was just one of the four to six annual phishing simulations that Terranova and Microsoft recommend in their report; they also recommend organizations aim for a 5% improvement over 12 months in terms of catching fewer phishing victims. I’m biased, but I think our tough love cautionary tale will bring us a bigger ROI—especially since in addition to showing employees tough love, we follow three other guideposts in real-time security training that I’d recommend for other organizations:

1. Give grace. Did we shame the employees who clicked on our fake valentine? Of course not. We made sure to share widely how many employees clicked as well, so they knew that while they weren’t exactly in “good” company, they weren’t alone. We also reassured them that these phishing attempts are specifically designed to trip them up, and that we specifically used emotion as bait—because that’s exactly what hackers will do.

2. Help them learn. Again, this wasn’t a phishing expedition simply in the name of being heartless on Valentine’s Day. It was just-in-time training that helped urgently drive home what employees should be on the lookout for when it comes to phishing emails. More importantly, it helped emphasize that when it comes to being part of the human firewall, employees need to have their guard up at all times.

3. Provide positive reinforcement. The silver lining in our scenario is that two-thirds of Businessolver employees didn’t click on the fake valentine email. Our team made sure to acknowledge and congratulate them! We rewarded employees who didn’t click on the link, as well as those who didn’t click and took the extra step to report the email as suspicious. It was doubly effective in offering positive reinforcement for desired behavior and spotlighting employees that their peers could look to as role models for sound security behaviors.
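The numbers above (click rate, download rate, the 5% improvement target over 12 months) and the three guideposts (share the totals, teach, and reward the people who didn’t click or who reported) all come out of the same raw campaign data. As an added example that is not part of the original post and not Businessolver’s own tooling, the script below tallies constructed per-employee outcomes from two simulation rounds, computes the rates the report talks about, builds the acknowledgement lists for step 3, and checks the improvement between rounds. The outcome labels, the sample rows and the reading of the 5% target as five percentage points of click rate are all assumptions made for this example.

```python
from collections import Counter

# Constructed sample data: one row per employee per simulation campaign.
# Outcome labels are an assumption of this example:
#   "reported"   - did not click and reported the email as suspicious
#   "ignored"    - did not click, did not report
#   "clicked"    - followed the link
#   "downloaded" - followed the link and pulled the file off the landing page
SAMPLE_RESULTS = [
    # (campaign, employee_id, outcome)
    ("2021-02-valentine", "e001", "clicked"),
    ("2021-02-valentine", "e002", "downloaded"),
    ("2021-02-valentine", "e003", "clicked"),
    ("2021-02-valentine", "e004", "ignored"),
    ("2021-02-valentine", "e005", "ignored"),
    ("2021-02-valentine", "e006", "ignored"),
    ("2021-02-valentine", "e007", "ignored"),
    ("2021-02-valentine", "e008", "reported"),
    ("2021-02-valentine", "e009", "reported"),
    ("2021-08-followup", "e001", "reported"),
    ("2021-08-followup", "e002", "clicked"),
    ("2021-08-followup", "e003", "ignored"),
    ("2021-08-followup", "e004", "ignored"),
    ("2021-08-followup", "e005", "reported"),
    ("2021-08-followup", "e006", "ignored"),
    ("2021-08-followup", "e007", "reported"),
    ("2021-08-followup", "e008", "reported"),
    ("2021-08-followup", "e009", "ignored"),
]

VALID_OUTCOMES = {"reported", "ignored", "clicked", "downloaded"}
FAILED = {"clicked", "downloaded"}          # both count as "fell for it"
SAFE = {"reported", "ignored"}              # both count as "did not click"


def campaign_metrics(rows, campaign):
    """Click, download and report rates for one campaign, as fractions of recipients."""
    counts = Counter()
    for camp, _employee, outcome in rows:
        if outcome not in VALID_OUTCOMES:
            raise ValueError(f"unknown outcome label: {outcome!r}")
        if camp == campaign:
            counts[outcome] += 1
    total = sum(counts.values())
    if total == 0:
        raise ValueError(f"no rows for campaign {campaign!r}")
    failed = sum(counts[o] for o in FAILED)
    return {
        "total": total,
        "click_rate": failed / total,
        "download_rate": counts["downloaded"] / total,
        "report_rate": counts["reported"] / total,
    }


def reward_lists(rows, campaign):
    """Who to acknowledge: everyone who did not click, plus the subset who also reported."""
    did_not_click = sorted(e for c, e, o in rows if c == campaign and o in SAFE)
    reported = sorted(e for c, e, o in rows if c == campaign and o == "reported")
    return did_not_click, reported


def improvement(rows, baseline, latest, target_points=0.05):
    """Drop in click rate between two campaigns versus a target.

    The target is treated as an absolute drop in percentage points (assumption;
    the report's "5% improvement over 12 months" could also be read relatively).
    """
    before = campaign_metrics(rows, baseline)["click_rate"]
    after = campaign_metrics(rows, latest)["click_rate"]
    drop = before - after
    return {"baseline": before, "latest": after, "drop": drop,
            "met_target": drop >= target_points}


if __name__ == "__main__":
    for camp in ("2021-02-valentine", "2021-08-followup"):
        m = campaign_metrics(SAMPLE_RESULTS, camp)
        safe, reported = reward_lists(SAMPLE_RESULTS, camp)
        print(f"{camp}: {m['total']} recipients, "
              f"click {m['click_rate']:.1%}, download {m['download_rate']:.1%}, "
              f"report {m['report_rate']:.1%}")
        print(f"  acknowledge (did not click): {', '.join(safe)}")
        print(f"  extra credit (reported):     {', '.join(reported)}")
    print(improvement(SAMPLE_RESULTS, "2021-02-valentine", "2021-08-followup"))
```

With the constructed rows the first round lands at a one-third click rate, mirroring the article, and the follow-up round drops it to one in nine, comfortably past the target. Feeding real simulation exports into `campaign_metrics` and `reward_lists` is mostly a matter of mapping the platform’s own outcome names onto the four labels used here; the report rate is the number most worth watching over time, since reporting is the behavior step 3 is trying to reinforce.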

I hope these three tips help your organization strengthen the effectiveness of its ongoing security training. With a breach occurring about every 39 seconds, professionals need to use every arrow in their quiver to keep hackers at bay—even if they have to borrow one from Cupid.

Greg Reynolds is the Chief Technology Officer at Businessolver, a provider of SaaS-based benefits technology and services.