SecureWorld News

New Phishing Research, Ideas for Maturing Your Program

Written by SecureWorld News Team | Fri | Sep 22, 2017 | 4:12 PM Z

Call it a case of instant relevance.

“With regards to phishing, all it takes is one to open the doors to your network and allow access to your business.”

That’s how James McQuiggan, Product & Solutions Security Officer for Siemens Gamesa Renewable Energy, starts our most recent SecureWorld Web Conference.

He is quickly followed by Rebecca Brown, Program Manager, Information Security & Compliance, for Arizona’s largest electric utility, which serves 2.7 million people.

“Why do we phish our employees? Because the threat is real,” she says.

She detailed the growing and maturing phishing program at Arizona Public Service. It started in 2013 with a 19% click rate on the first self-generated phishing email, which featured an adorable little kitten.

Now, four years later, she believes they’ve changed company culture and that the business is safer as a result.

“We have moved forward with spear phishing and tests that are more specific to individual employees,” she says.

Executive Buy-In to Phishing Exercises

The company’s executives are on board and are now competing.

“We do quarterly reports on the number of employees in each VP's group that click. This really brings out their competitive nature. None of the executives want their team to be on the top of the click-through list.”

Most Popular Phishing Emails

Erich Kron, Security Awareness Advocate with KnowBe4, brought a wealth of research to the web conference, based on the more than eleven-thousand customers the company serves.

For example, Kron presented the most common phishing emails reaching corporate inboxes so far in 2017.

When Employees Are Most Likely to Click On Phishing Emails

Is there a window in which employees are most likely to click the link? Yes. The research shows that employees who click are most likely to do so within one hour of receiving the email; a pie chart of time-to-click presented during the conference makes this clear.

That is a powerful statistic: 54.9% of people who click on a phishing email do so within 60 minutes of receiving it.
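The two measurements this article describes, the quarterly click report broken out by each VP's group and the share of clickers who act within 60 minutes of delivery, are straightforward to compute from a simulated-phishing platform's event export. The following Python is an added example, not code from the web conference or from any vendor's tool. The event records are constructed for illustration, and the field layout (employee, group, timestamp), the group labels and the function names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from one simulated phishing campaign (not real data).
# SENT rows: (employee, vp_group, delivery time). CLICKS rows: (employee, click time).
SENT = [
    ("alice", "VP-Ops",     "2017-09-20T09:00:00"),
    ("bob",   "VP-Ops",     "2017-09-20T09:00:00"),
    ("carol", "VP-Ops",     "2017-09-20T09:00:00"),
    ("dave",  "VP-Finance", "2017-09-20T09:00:00"),
    ("erin",  "VP-Finance", "2017-09-20T09:00:00"),
    ("frank", "VP-IT",      "2017-09-20T09:00:00"),
    ("grace", "VP-IT",      "2017-09-20T09:00:00"),
    ("heidi", "VP-IT",      "2017-09-20T09:00:00"),
]
CLICKS = [
    ("alice",   "2017-09-20T09:12:00"),  # 12 minutes after delivery
    ("alice",   "2017-09-20T09:15:00"),  # second click by same person: counted once
    ("bob",     "2017-09-20T11:30:00"),  # 150 minutes after delivery
    ("dave",    "2017-09-20T09:40:00"),  # 40 minutes after delivery
    ("heidi",   "2017-09-21T08:00:00"),  # next day
    ("mallory", "2017-09-20T09:05:00"),  # not a recipient (e.g. a forwarded link): ignored
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def first_clicks(sent, clicks):
    """Map each clicking recipient to the time of their earliest click.

    Repeat clicks by one person are collapsed so a single employee is not
    counted several times, and clicks from non-recipients are dropped.
    """
    recipients = {emp for emp, _, _ in sent}
    first = {}
    for emp, ts in clicks:
        if emp not in recipients:
            continue
        t = _parse(ts)
        if emp not in first or t < first[emp]:
            first[emp] = t
    return first


def overall_rate(sent, clicks):
    """Campaign click rate: unique clickers divided by recipients."""
    return len(first_clicks(sent, clicks)) / len(sent)


def click_rate_by_group(sent, clicks):
    """Per-VP-group table {group: (clicked, sent, rate)}, worst group first.

    This is the quarterly 'which VP's team tops the click-through list' view.
    """
    first = first_clicks(sent, clicks)
    sent_n, clicked_n = defaultdict(int), defaultdict(int)
    for emp, group, _ in sent:
        sent_n[group] += 1
        if emp in first:
            clicked_n[group] += 1
    table = {g: (clicked_n[g], sent_n[g], clicked_n[g] / sent_n[g]) for g in sent_n}
    return dict(sorted(table.items(), key=lambda kv: kv[1][2], reverse=True))


def share_within(sent, clicks, window_minutes=60):
    """Fraction of clickers whose first click came within the window after delivery.

    With the default of 60 minutes this is the 'how many click in the first hour'
    figure discussed in the conference.
    """
    delivered = {emp: _parse(ts) for emp, _, ts in sent}
    first = first_clicks(sent, clicks)
    if not first:
        return 0.0
    window = timedelta(minutes=window_minutes)
    fast = sum(1 for emp, t in first.items() if t - delivered[emp] <= window)
    return fast / len(first)


if __name__ == "__main__":
    print(f"overall click rate: {overall_rate(SENT, CLICKS):.1%}")
    for group, (clicked, total, rate) in click_rate_by_group(SENT, CLICKS).items():
        print(f"{group:12s} {clicked}/{total} clicked ({rate:.1%})")
    print(f"clickers acting within 60 min: {share_within(SENT, CLICKS):.1%}")
```

Deduplicating by employee before computing any rate matters: a platform export that logs every click would otherwise inflate both the group ranking and the time-to-click share, and a forwarded link clicked by someone outside the target list should not be attributed to any VP's team.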

One message came through clearly from every presenter in the web conference: the goal is simply to get employees to slow down and apply situational awareness before they act.

“We need to teach people to have reflexive behaviors. It takes a while to help them develop muscle memory. That’s what you’re doing, you’re building this stuff up until they do it automatically,” says KnowBe4’s Kron.

Maturing Your Phishing Campaigns

Daniel Reither, Manager of Information Security for Health Partners Plans, says maturing your phishing strategy is crucial. “Cast the net far and wide; expand its original scope, measure it.”

He says you must share the resulting metrics both laterally and up.

And make sure you prioritize the effort. “The commitment to the program cannot be a project. It needs to be done over and over.”

And maturing your phishing exercises requires increasing real-time relevance.

“Be social, and put our ears to the ground to hear what employees are talking about and what’s in the news. We’ve done campaigns after fire drills and when big events are happening in Philadelphia,” says Reither.

These are just a few of the points raised during the web conference. For more fresh insights and research around phishing, you can listen to “How Phishing Your Users Will Make You More Secure” on demand.

You can listen in the car, at the gym or while your kids are at practice—and help secure your business at the same time.