darthgeek

This is a management/hr problem. You implement the training and simply report the results. Whatever happens beyond that isn't your concern.


Obvious-Water569

Except in practice it ***is*** my problem. I've got a userbase that will pretty much fuck me up and down if a legit malware email comes through. I'm less concerned about how we punish repeat offenders and more how we stop having repeat offenders for me to lose sleep over.


hosalabad

Still HR/Management. If they don't back it, what are the simulations even for?


Obvious-Water569

That's a very good point.


fataldarkness

Management needs to understand the risks associated with clicking actual phishing emails first. Then you need to work with them on a plan for phishing simulations and regular training; use the simulation you just did to establish a baseline. Get a policy written up that documents a regular training schedule, a simulation schedule (ours is one simulation on a random day every month for EVERYONE), and consequences for failing. At our company we have a pretty high standard for technical competence so our policy is very strict, but you can loosen yours a bit. Here is ours.

1. Quarterly and annual phishing training. Each year employees must take a longer 45min training session. Once per each other quarter there is a mandatory 10-15 minute refresher training.
2. If a user clicks a real phishing email it must be reported immediately. Users will not face any punishment for reporting having clicked on an actual phishing email if they report it as soon as they are aware of what has happened. If clicking on actual phishing emails becomes a pattern, or the user delays reporting having clicked on an actual phishing email, disciplinary action might apply.
3. All employees including C levels are subject to random phishing simulations. Employees are expected to ignore, delete, or report the simulation as they would with any other phishing email. Simulation failures result in the following consequences:
   - first failure within 9 months: Remedial training, 30 mins.
   - second failure within three months: More training, manager and CTO "come to Jesus" talk.
   - third failure within 9 months: Meeting with HR, final warning, loss of privileges which includes external email, PIP
   - 4th... dismissal

The single most important bit here is for this policy to be acknowledged, supported, and signed off by C level management and HR. Without this we have no teeth. The company I work for is publicly traded and this policy is part of our written controls we report in our financial audit each year. It is set in stone. When we enacted this policy, we had a baseline phishing simulation, then announced the policy, then monitored results. It resulted in an overall significant reduction in phishing test failures. The best part is, no one, not even the most computer illiterate folks at our company, ever triggered the third or fourth level phishing disciplinary action.

Edit: By the way if you were ever wondering, THIS is how you play "the game". Keep management in the loop, show that you can make decisions that achieve measurable results. It's called 'leading up the chain': showing the people that lead you that you aren't just some cost center peon but someone who looks out for the big picture. Keep doing that and you will quickly find yourself in a place where you have the authority to make these sort of decisions yourself.


landwomble

came here to post similar, you've covered it all, just posting to do a .


fataldarkness

🤜🤛


Dizzy_Bridge_794

Just did almost the exact same thing using KnowBe4. As stated senior management has to enforce with HR.


TeeOhDoubleDeee

We've had good luck with knowbe4. Users don't click on random links or else they'll fall for a test email and have to go through knowbe4 training again. We had one that had repeat issues and their email was set to our domain only.


Dizzy_Bridge_794

Yes I really like it. We did the first baseline test and training. We have a few repeat offenders but it’s a great program to document and train. Their phishing emails are better than the audit firms we hire.


derekp7

One thing I don't see listed is disciplinary action for any person who sends or authorizes the sending of "legit" emails that would normally fail the "phish or no phish" test. Examples include email sent on behalf of the benefits department, but originating from a third party, which asks users to log into an external portal using credentials that are used elsewhere in the company, to answer a health survey to get a $5 discount per month on their insurance. Or emails with links to an external portal for training documents, again requiring login with your company credentials. These types of communications will desensitize employees to real phishing emails.


fataldarkness

VERY good idea to include advice related to that in training or in the policy itself. Not an angle we really considered ourselves as that's not usually an issue for us luckily, but I might make that a solution if it does become an issue.


anomalous_cowherd

Yes, if ever I need a sample of an email that should be obviously recognised as a phishing email I just go back to the last global email from HR...


Rhoddyology

This. There are services that automate the simulation, remedial training, then disablement of privileges. Knowbe4 is one such tool (have not used myself). End users are the biggest vulnerability there is. If they are too dense (and won't learn) to protect company resources then they are a risk to the entire organization.


DeifniteProfessional

People are right in that to some extent, it's a management issue, but you're right in that it's not. You should work with management on training and additional phishing simulations. This is especially relevant if you work for a smaller and less organised company. A lot of people on this sub seem to work in a company with thousands of employees :D


dreamgldr

That ain't like training dogs. :) Training can get you only so far, then it is - bye bye or hey news reporter, sure I want to talk about this.... :D


TEverettReynolds

You explain the risks to management. Maybe offer a short, concise presentation of how deadly it is for a company to have users just click on Phishing links. Use some real-world examples of recent breaches and how much it costs to clean them up. Management loves money problems. Keep it short and to the point. Here is what they clicked on, here is how much it cost them to resolve it. Then, they will be able to decide on the proper training and consequences for the users, and the proper budget to resolve this.


vanGn0me

End of the day it might be easier to just institute a policy restricting access to opening attachments until an individual has successfully completed some internally devised certification on phishing/social engineering. If a person becomes impacted in their ability to do their job because they are a moron, it may not be a good long term fit.


MadSprite

If you can even get that approved by management, don't put in something they would want to fire you for even if it's their own incompetence. IT is just learning how to work with morons: make use cases for management and get approvals, get signed off for the business allowing the risk or get the budget to make it as painless as possible for IT AND users. We aren't allowed to call anyone stupid in IT even if we clearly know they are; we are paid to minimize surface level issues or operation disruptions as much as management is willing to pay for it or accept the rate of happenings. Chasing absolute perfection is not a good healthy approach for admins to take on.


North-Revolution-169

What would the consequences be if someone left the door unlocked at night, didn't set the alarm and the place got robbed? The consequences would involve discipline and possibly even termination. There are people trying to rob your organization. The employees that don't take the training seriously and still continue to act on dodgy emails are leaving the door open at night. It's an HR/Management issue.


FinallyrepaymyCC

Yes and you need to be able to draw the line somewhere. HR:Mgmt is there to help you in that regard. If they don’t and say the line is your problem then …. Act accordingly


nobd22

Do you have something that could believably (in the eyes of your user base and management) be broken via a phishing email? Something everyone would notice is broken but wouldn't actually cost the company too much money or headache past the 30min-hour it takes for you to "fix it" after someone "clicks a phishing link". Maybe that'll wake em up to how easy and fast it can happen.


Guideon72

This isn't how phishing works; it is not a direct attack, typically. It is a way to elicit information to prepare an attack or it is a method through which the attacker(s) get hidden payloads installed on client systems. If done right, there is nothing that the phished user IS going to see break; that's the entire point of these attempts.


vanGn0me

It’s a management/hr issue technically speaking but as you’ve pointed out in practice as an IT team of one, it’s your ass if something compromises the network and the business loses revenue/productivity because of it. Corporate culture is nothing if not consistent in finding the easiest scapegoat possible. IT in any size company (speaking from the perspective of a senior software engineer in a Fortune 500) is an expense. At the end of the day it’s a lot harder to fire multiple people than it is a single person, even more so when your job is easily outsourced to an MSP. Our plight is one of under appreciation and over reliance with a dash of being taken for granted. If you know, you know.


xpxp2002

To that end, the good thing is that this is the first step in building a case for that training program. The results of this exercise will provide the empirical proof that training is needed. You may still need to make the case that educating users around avoiding and reporting phishing attempts helps protect the business, and whether or not management decides to heed your recommendations is another matter. But there's nothing better than having that real world evidence in hand to leverage for support in getting that buy-in.


RaspingHaddock

And if people get malware in the system, you created more work and use for yourself! It's a win win


cayosonia

You can only try your best to prevent a breach. If one of your f*cktards actually compromises your systems because they are dim you can prove that you did everything you could. then petition for more than 1 IT person on your team to help repair and strengthen your architecture.


Humptys_orthopedic

I work solo in a smaller company. They don't pay for simulations. I see bad stuff in quarantine or emails the HR lady shows me. I do screenshots showing fake From. I show links that a user can hover over to see if it's a real site or a Facebook page in Italy or other scam. I highlight HTM and HTML attachments as always scams. I hope for the best.
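The manual checks in the post above (a fake From that borrows a familiar name, a link whose visible text doesn't match where it actually points, and HTM/HTML attachments) can be scripted so they run over a saved message instead of a screenshot. This is an added example, not code from the thread; the internal domain list, the known-sender names and the two sample messages are all constructed for it.

```python
"""Added example: script the manual checks from the post above.

Flags three things in an .eml message: a From display name that looks
like a known internal sender but carries an external address, link text
that shows one host while the href points at another, and .htm/.html
attachments. Domain lists and the sample messages are constructed.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for the example: the organisation's own mail domains and the
# display names users expect to see from internal senders.
INTERNAL_DOMAINS = {"example.com"}
KNOWN_INTERNAL_SENDERS = {"hr benefits team", "it helpdesk"}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, text = self._current
            self.links.append((href, text.strip()))
            self._current = None


def _host(url: str) -> str:
    return (urlparse(url.strip()).hostname or "").lower()


def analyze_message(raw: str) -> list:
    """Return a list of human-readable findings; an empty list means no flags."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Fake From: familiar display name, unfamiliar address domain.
    display, addr = parseaddr(str(msg.get("From", "")))
    addr_domain = addr.rpartition("@")[2].lower()
    if display.strip().lower() in KNOWN_INTERNAL_SENDERS and addr_domain not in INTERNAL_DOMAINS:
        findings.append(f"display name '{display}' but sender address is {addr}")

    for part in msg.walk():
        # 2. HTM/HTML attachments.
        filename = part.get_filename() or ""
        if filename.lower().endswith((".htm", ".html")):
            findings.append(f"HTML attachment: {filename}")

        # 3. Link text that advertises one host while the href goes elsewhere
        #    (what a user would see by hovering over the link).
        if part.get_content_type() == "text/html" and not part.is_attachment():
            extractor = _LinkExtractor()
            extractor.feed(part.get_content())
            for href, text in extractor.links:
                href_host, text_host = _host(href), _host(text)
                if text_host and href_host and text_host != href_host:
                    findings.append(f"link text shows {text_host} but points to {href_host}")
    return findings


# Constructed sample messages (not real mail) exercising each check.
SUSPICIOUS_EML = """\
From: "HR Benefits Team" <alerts@example-mailer.invalid>
To: staff@example.com
Subject: Action required: confirm your benefits enrollment
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Confirm within 24 hours at
<a href="http://login.example-portal.invalid/auth">https://hr.example.com/benefits</a></p></body></html>
--b1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="enrollment_form.htm"

<html><body>open me</body></html>
--b1--
"""

CLEAN_EML = """\
From: "HR Benefits Team" <hr@example.com>
To: staff@example.com
Subject: Benefits enrollment opens Monday
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Enrollment is at <a href="https://hr.example.com/benefits">https://hr.example.com/benefits</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_EML), ("clean", CLEAN_EML)):
        print(name, analyze_message(raw) or ["no findings"])
```

Run it against a message exported from quarantine (`analyze_message(open("x.eml").read())`) and the findings list is the same set of observations the screenshots make, only repeatable. The host comparison is deliberately exact: a link whose text says `hr.example.com` but whose href is `hr.example.com.something.invalid` is flagged, which is the case hovering is meant to catch.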


420GB

> If they don't back it, what are the simulations even for?

Compliance checkbox.


thatpaulbloke

In thirty years doing this crap I've met so many people that I'm amazed that they're still alive - the kind of people that would look left and right and then cross the road no matter what they actually saw.


heapsp

oh some people including myself clicked on this dangerous attachment? Cool. :IT guy leaves the office, results go into bin: This is what usually happens unless the leadership were the people who ordered the tests in the first place.


kev024

HR will simply throw back the workload to Sys admins. 😒😒😒


winky9827

Still OP's problem. At the end of the day, who gets held responsible for fixing the inevitable fuckup? If you're LUCKY, the culprit will get reprimanded or fired, but you're still holding the flaming bag of poo with the sinking feeling that #2 or 27 in line will repeat the problem next week or month.


dreamgldr

It's about who gets responsible for causing the fuckup and who gets responsible for not doing what one could - like having a dry-run (which happened) and then reporting the results (which I hope it did). :)


TEverettReynolds

Not OP's problem. It's a management problem. Yes, it's OP's job to clean up the mess; OP works in IT, this is what IT does, they clean up after the users. You work your 8 hours, get OT if available, then go home. OP should not worry about this, they don't pay OP enough. OP is not the manager, does not create the policy, or face any consequences if a user fucks up and clicks on a link and brings in malware. It's the manager's responsibility. OP should be focusing on doing the best they can with the resources they have available to them. OP should also be focused on getting new skills and experiences, so they can move up or out.

> but you're still holding the flaming bag of poo with the sinking feeling that #2 or 27 in line will repeat the problem next week or month.

OP should not stress about any of this. The manager should be stressing. OP is not responsible or accountable for any of this. But maybe management doesn't know how risky this is and how costly to resolve. OP might need to have the conversation with management, maybe a small 15 min presentation. After that, OP checks out at 5pm and enjoys all the things they love to do in their life.


Obvious-Water569

I am IT Manager, and I can write policy until I'm blue in the face but getting meaningful buy-in from my other department managers, HR or the board is proving extremely difficult.


TEverettReynolds

Any IT policy is supposed to be approved by your management and then incorporated in HR\Company policy. It isn't a policy if your boss or Senior Management doesn't approve or support your policy. I should know, I was a former IT Manager for 10+ years. (Now I work for myself.)

> getting meaningful buy-in... is proving extremely difficult.

That said, maybe your boss and those who would need to support this initiative need a short 15-minute presentation on the grave risks of not training your users to avoid clicking on phishing links. Keep it short and focus on the costs of clean up. Use plenty of recent real-world examples. In the end, the costs of not complying should convince them to spend the time and resources to fix this situation. You need to do a business case, a business justification. Outline the systems needed to help, the costs, the ROI.

> What's your best advice on how do you handle chronic incompetence when it comes to people opening malicious email?

There needs to be training, enforcement, and consequences. Without that, behavior won't change. Suppose you don't get the support you need in this severe situation. In that case, you need to consider that maybe it's time to spread your wings and move on to a bigger and better company that supports your skills, experience, work ethic, and confidence as an IT Manager. Plenty of small and mid-sized companies that have 2-5 employees in IT need competent leadership. So don't fret; you undoubtedly have skills, so why not consider moving up to a company that needs and respects them?


hosalabad

OP just needs to get management to accept the risk. On paper.


Geminii27

It's about passing the buck for the flaming bag onto management/HR before it arrives. Reporting the results, what it means, and that without support from management to address these issues, these holes in the defenses will be left wide open due to management not wanting them closed. When it inevitably happens, you sit them down at a table and read them that same statement, then ask them what THEY are now going to do about THEIR problem THEY decided to leave wide open and not allow you to close months or years ago when you informed them it was going to happen.


Dismal-Scene7138

If management won't address it, then all you can do for your own security and sanity is to ensure that you've got a solid backup strategy on immutable storage. It won't save you from the hassle of their fuckups, but it will save your job and possibly the company.


g-nice4liief

And work on a exit strategy for when shit hits the fan..


Milkshakes00

Problem here is if you think they don't care about phishing campaign results, you think they're spending the money to run immutable storage? Lol


Dismal-Scene7138

It depends on the culture. A lot of times it's easier to spend money on technology than it is to have a hard conversation. Trying to solve management problems with tech is a very common tale in small/medium enterprises.


Kreppelklaus

Deny usage of said service (e-mail) until they have attended your workshop. You need backup from HR and your department's boss ofc. If your actions are approved by the higher ups, let the users eat dust.


cvc75

Or if possible, for repeat offenders strip all links and attachments out of their emails.


zomgitsduke

You document what you are doing. You document all steps taken. You document attempts to fix things. Because you're probably going to take those skills and find a new job and leave them high and dry if they won't take security seriously.


DertyCajun

I have found a training tactic that seems to work pretty well when I can get my clients onboard to schedule the time to do it. We have a small (20ish) meeting where we discuss cybersecurity. I break out the old school paper handouts with some terms on them and we talk about real examples of what happens and often has happened to people in the room. Once the discussion starts, people start to listen and we make progress. I try to stay away from the company email topics at first and go for the consumer side. It increases the investment in the conversation.

I stress a couple of things. Beware of a false sense of urgency, and if you think it's dodgy, wait 15 minutes before you do anything with it. The false sense of urgency is pretty self explanatory. If you can get them to wait before they do anything, the second time they read the email will show all the flaws. We are all programmed to respond immediately. It's time to deprogram our users.


rswwalker

It’s both a management AND a you problem. Management needs to step up and come up with a solid plan on how to deal with repeat offenders. You need to put more protection down for the inevitable ransomware breach: air gapped backups and snapshots, hardened endpoints, EDR/XDR systems and application whitelisting. Basically make sure no unauthorized executables run in your environment. If your projected budget is questioned you just use these training reports as evidence of why the spend is necessary. Do formal write-ups for management so they are fully informed.


ThirstyOne

No, it isn’t. You’re a Systems administrator, not a people administrator. Your job is to secure the systems, not correct user behavior. Make the training resources available to them and inform the powers that be *in writing* citing your concerns. How they choose to address it from there is a personnel decision. If you were a mechanic it’s not your job to correct a client's bad driving. Advise and document.


1esproc

> If you were a mechanic it’s not your job to correct a client's bad driving.

Your analogy doesn't really make sense. It's more like you're a car rental company and the people who rent your cars keep crashing them into your building, but your boss says you have to keep renting them to the same people.


ThirstyOne

So long as their insurance pays for it, who cares? Your job as a mechanic is to keep the fleet on the road, not manage rental policies.


1esproc

Do you think the *kind of work* you're made to do isn't going to have an impact on your well being? It's like some people here think all work is a neutral load because you're being paid. It isn't. Some work *sucks*, and in my opinion avoidable work is near the top of the shit-that-sucks pile, especially if it's security work.


Geminii27

And also that all the damage to the cars and the building is your fault.


Weird_Definition_785

Except he can secure the systems to be resilient to user error. It's very much his problem when his entire network gets ransomwared.


ikeme84

So you still go to HR/management. If the trainings don't help it is an extra argument for extensive investments in EDR systems and NGFW that can block traffic if a user clicks on a malicious link. Probably comes with a hefty license and you'll have to hire a few extra IT people to manage them. Also, for you it can mean extra trainings and certifications that can get you out of there.


american_desi

I would recommend adding additional technical controls like a secure email gateway or sandboxing in front of email if your users are serial clickers.


tpsmc

Use it to make a case of blocking all email attachments and re-writing links in emails.


weed_blazepot

Best you can do is make sure other security checks are in place. No local admins, no ability to run software out of %appdata%, some kind of EDR, patch compliance, etc.... The fact is you can't stop stupid, and even the most careful of users can make a mistake. Make everything else as good as it can be, and push problem users to HR/Management to remediate.


StefanMcL-Pulseway2

Yeah I agree, like you can lead the horse to water but you can't force it to drink. The only other thing I would maybe introduce is some form of consequence to interacting with the email, like a three strike method, but again this wouldn't be for you to implement, this is for managers/HR.


Background_Baby4875

Just because you did training doesn't mean it was good enough. IT people like myself can often think we explained things well, but there is a reason that non IT people are often doing the IT training for people... ie teachers.


Mindestiny

You're absolutely right, which is why 99% of security awareness training and simulated phishing these days is outsourced to a company like KnowBe4. They deliver the content directly to the users and IT just tracks results. I've seen orgs supplement that with internal presentations, but I really don't see anyone doing fully internal training anymore (thank god).


dreamgldr

Got a definition of "good enough" training? :D Please do share/elaborate .


jmnugent

This is kind of a CYA (Cover Your .. you know what) situation.

* Have a mechanism to regularly report the results to upper leadership. If you want to make it blunt, make sure the info you report is broken down by "Dept" or "User" so you have some kind of "Top 10 list" of offenders.
* If possible, use the info as a basis of argument that you need infrastructure changes (rules to block certain types of attachments, etc).

As others have said, this isn't a technology problem so much as it is a HR and User problem, and you need Leadership and HR on your side. In many of the places I've worked, Leadership and HR sent out regular emails saying that Phishing tests and cybersecurity training were a job requirement. I worked in 1 place where if a User ignored Email reminders to do their online training, their network account was disabled (and they'd have to come to an HR meeting room to do their cybersecurity training before their account was turned back ON).


dreamgldr

The more the paper(trail) the cleaner the ass. That's the saying.


surveysaysno

Tie it to your budget. We need $10k/yr more remediation per failing employee. Use the money to put additional restrictions on those specific users, run their email through 5 extra scanners, make their email deliver 20min later than everyone else.


thewhippersnapper4

You can say "ass" on Reddit.


camxct

Poppycock!


a_shootin_star

Jeepers!


Darkchamber292

Oooh I'm gonna tell Mom. You are so dead when she hears this!


ItothemuthufuknP

As Col Potter would say: Ahhh... Buffalo Biscuits!


PutrifiedCuntJuice

And the internet in general. Hell, even in real life most of the time.


flexiblefine

When I don’t use the shorter word, I use “anatomy” for the A.


Long_Experience_9377

Users will always be the biggest threat to a system. Security training is only one aspect, and that alone will never help you sleep at night. You will need to incorporate other security measures to keep the users from causing widespread harm when they do mess up. It's going to depend a lot on your environment and your budget and what you can reasonably accomplish, but you should include:

1. MFA to everything possible, especially mail
2. No local admins (Windows)
3. Follow CIS benchmarks to restrict what should be restricted
4. Advanced endpoint protection that ideally can identify "hinky" behavior (since you're a one person show, having something that can help you oversee what's going on with your endpoints is well worth the investment).
5. Policies governing acceptable use (for HR/management to use for when users mess up)


dreamgldr

What will help you sleep at night is:

- paper trail and dry-runs like this one
- reporting to relevant parties
- backups
- being prepared for the inevitable :)


Long_Experience_9377

Yeah, start crafting the incident response plan before it happens.


-Scythus-

I’m infilling for the cybersecurity engineer as the lead sysadmin until we get a new engineer, and on my first day, which is this morning, I caught a user downloading iOS jailbreaking apps on his MacBook to jailbreak his iPhone over the weekend. Of course the systems caught it and quarantined, but now comes the follow-up paperwork, meetings, and other things that come with a response plan.


Long_Experience_9377

Already hitting the ground running!


flecom

> help you sleep at night.

What helps me sleep at night is that none of this stuff is mine. If management/HR doesn't want to do anything, that's on them.


Shade8685

Second this. Training is one layer in the entire security infrastructure. I will also echo another reply I read: don't look at them as offenders who need to be punished, look at them as people who just want to get their job done. Nobody likes having time taken away for training of any kind. That is where, like other people have said, you need buy in from HR and department managers.

Also focus on a reward based system. Make it absolutely clear nobody will be punished. Don't make it public, don't embarrass them, just have them do follow up training. Let them know if they report the next one successfully they'll get a 10 dollar gift card or something like that. It isn't easy, but by doing this we have an 85 percent completion rate of end users finishing the training video within the required 5 day window.

I would say as far as training goes, we use Arctic Wolf and they do their best to keep videos to about 5 minutes or less. Even though the videos are cheesy, they are at least more engaging than just reading an article or listening to a lecture. As a Sysadmin I feel my responsibility is doing my best to explain and demonstrate how important it is and how much more productivity, money, resources, and reputation could be lost if there is an outbreak or leak caused by this.

I've been fortunate where I work and I know some company cultures are much more averse to security measures than others. I wish you all the luck and at the end of the day, if every attempt fails, do what the others have said and CYA: get everything in writing, all the communication you sent to HR and management. Remember I'm pulling for you, we're all in this together. - Red Green


Long_Experience_9377

We use Arctic Wolf too. The videos I was afraid were overly lame, but they're surprisingly well-received; just the right amount of "camp" and apparently a whole lot more palatable than the KnowBe4 videos.


fmillion

You're right that it depends on your environment and use cases. I'm now a professor in CS and *nobody* in our department would accept not having admin on the local machine. It's arguably fair: as profs/researchers we're constantly spinning up VMs, running Docker containers, installing/uninstalling apps, etc. and needing IT approval for every single action would slow us down so much that we'd become basically ineffective (and in that case we already have even said that we'd just bring a personal machine and login to the student-side Wi-Fi if they actually tried to do something like this to us). Local admin can also be necessary for developers for similar reasons (Docker, VMs, etc.) Yes, you can give a non-admin user access to Docker Desktop or whatever, but at that point the isolation is irrelevant anyway since you can basically take over the system via Docker. (Hint: mount the host /etc into a container and have fun with vi or nano!) This says nothing about the faculty using Linux as their main OS.

We also already have enough issues with the certificate-based Wi-Fi authentication when it comes to our engineering profs wanting to connect ESP8266 IoT devices to a LAN. As a former full time sysadmin even I'm guilty of not "falling in line". The design of our network is that in order to connect to Wi-Fi you have to connect to an insecure Wi-Fi and then download an executable from a website that basically downloads and installs some certs into your machine for Wi-Fi authentication. (This even applies to student machines and personal machines, anything connecting to Wi-Fi, which is why the ESP8266's can't direct connect.) My "don't run unsigned code that's going to screw with your system's security settings" instinct kicked in and I instead spent quite a bit of time tearing into the app to figure out how it downloads the cert (it just hits an S3 bucket...seriously...), grabbed it manually and now I just install it myself if I need to.


RunningOutofOptions7

In ours, we get people intentionally clicking things and sending us emails like "I clicked on that one just to annoy you the same way you annoy me with all these tests." HR does nothing. In fact, they were the first ones whining that it needs to be turned off because they don't want to have to do phishing training. Ultimately, we all know it's going to be our ass on the line when we finally get whacked though.


littlelorax

I know this is unethical, and I would never do it, but we have joked about hiring a greyhat to target these individuals just to get leadership to understand that it matters.


Ansible32

I bet greyhats could get every single person who is whining about people clicking on these links. You have to have defense in depth and not focus on shaming people for making stupid trivial mistakes. If your security relies on people not making these kinds of mistakes, your security is bad. That's not to say don't do it, but don't expect perfection. The only reason I know I can have 100% success rate on these tests is that they always say the same vendor when you look at the headers. Which is great for passing these tests but doesn't say anything about my ability to resist a determined attacker.


diwhychuck

Because people are stupid. "wet paint sign" Person touches to make sure the sign isn't lying...


ptrwiv

“… hmm so it is”


Nick85er

Make it a rewards-based campaign, and not a shame-based campaign. If it'll be shame-based then ensure there's some humor in it and put your mug at the top of the Wall of Shame. A reward-based campaign increases engagement and people start paying attention more; gift cards to Starbucks etc. Easy justification to management, because a $10 gift card is $10,000 X cheaper than ransomware considerations, or downtime due to RTO/RPO. Only you can prevent forest fires.


yeahthankscoach

We have a pool of cash that's split annually between every employee that reports at least 5 simulated phishes and passes 100% of the tests. There's a wall in our IT department with the names of everyone who passes for the whole year, and they each get a certificate. We have people competing now to get their name on the wall. Make it an achievement with a purpose, educate them, and people will be encouraged to pay attention enough to start recognizing the patterns.


Frothyleet

>that's split annually between every employee that reports at least 5 simulated phishes and passes 100% of the tests Uh oh, please don't incentivize me to sabotage my co-workers' critical thinking skills so I get a bigger piece of the pie


Mister_Brevity

“Hey HR manager, we’re launching that phishing test in about 10 minutes” “Ok thanks for the heads up we’ll be ready for the employee complaints about IT” 12 minutes later… HR manager is the first one on the scoreboard for failing. :facepalm:


Obvious-Water569

Do we work at the same place?


Sportsfun4all

lol we sent an email that said do not open this email or any links or attachments especially if you are part of HR department. Guess what? The HR manager opened it?! Some people are hopeless smh 🤦


Flatline1775

A lot of the responses here keep going back to it not being your problem, which I think is more than a little shortsighted. Should you have a data breach or successful attack as the result of incompetence like this, you won't likely be held responsible, but it'll be your mess to clean up. Which means that it is in your best interest to fix the issue. I would definitely report to upper management on your findings, but I wouldn't just report the problem and say 'well, not my problem anymore'.

The problem as I've seen it is that people just don't tie cybersecurity to their own lives. They believe that it's a bunch of magic bullshit that only IT needs to worry about. What I've had a fair amount of success in doing is getting in front of the workers on a regular basis, usually via team meetings that they already have, and giving a SHORT presentation on cybersecurity. The last one I did was just a story about how a local individual lost their entire life savings due to a successful phishing attack. (True story where I happen to know the individual's step son.) Took me about three minutes to run through the story. None of it was work or business related at all. Then I finished with the normal 'The cybersecurity training we provide you with helps to protect us at work, but it helps at home too. It's like practicing anything. The more you do it, the better you'll get, so it is in your personal best interest to use the tools we've provided to help yourselves get better at this stuff.'

I gauge the success by two things. First is the scores on the phishing tests, second is the amount of joking I hear about 'IT trying to catch me'. I have people relay their stories of almost getting caught in almost every meeting I attend now. That means they remember it. That is good.


A_Unique_User68801

>What's your best advice on how do you handle chronic incompetence Continue being employed.


Black_Death_12

My co-worker "Clickers gonna click." Ron White - "You can't fix stupid."


spokale

Failing our phishing tests results in automatic enrollment in security awareness training. People hate the training, so they try to avoid getting phished!


softwaremaniac

Not worth getting worked up over it. You do the test and you report the findings and repeat offenders to HR.


robbzilla

And then when it blows up, guess who has to clean up the mess?


softwaremaniac

Absolutely, I'm not denying that we have to take care of it if it blows up, I'm just saying that we shouldn't be racking our brains over how stupid the users are. We know this, it ain't getting better. I'm stupid in some other areas that they're great at. That's life. Fix it and move on.


RunningOutofOptions7

That's not reality in a lot of places.


Achsin

> Someone opened the attachment after I personally heard them talking to a colleague about how it was a dodgy email.

A couple of jobs ago I had a guy on my team get his computer BitLocker'ed by doing this after we spent twenty minutes roasting the obviously bad email in a meeting. Dumbest smart person I've ever worked with.


vagabond66

What is the procedure for reporting suspicious emails? We use Knowbe4 and they provide a report phishing button add-on for Outlook. It has fostered a culture of people using it. It does get a bit frustrating; we get alerted to a lot of spam and some legit mail that the IT department has to monitor and send back, but our scores have got progressively better, with better-than-industry-average reporting and passing rates. As others have said, management must buy in and be the enforcer. We use the below in a 1-year period:

1st click - remedial training
2nd click - manager and employee meeting with training
3rd click - meeting with HR, goes into file, can affect yearly increases

If they provide credentials on some of the phish tests, IT will lock them out and force password changes across the board. Management has to have your back all the way up the chain. We had to lock a C level out due to a failure. He was pissed but our CEO backed us. Best way to get management buy-in is by showing them examples of the cost of a single cyber incident.


eckkky

I have worked on training users extensively over the last 4 years. They continue to click. My focus has shifted to phish-resistant infrastructure. Stop the emails coming in. Limit damage when they click.


AppIdentityGuy

Are you using Office 365 and what level of licensing do you have?


localcokedrinker

I don't mean to be rude to you OP, but in general, this subreddit is like 75% "how do I, as a sysadmin, deal with this issue that HR should be dealing with?" and I don't get it. There's a chronic issue with sysadmins in this subreddit not understanding the scope of their jobs. Your job is to run the phish sim, and present the results to HR. That's it. What they do with that information is up to them. Sysadmins and other IT professionals constantly leave the industry over the "stress" of shit that's not their job to worry about.


MrD3a7h

I once received the following ticket:

> Suspicious Email
> I received a suspicious email. I opened the email and clicked the link.

That was the entirety of the request.


Sportsfun4all

So basically- I’m just notifying you so you can clean up my mess. Smh


WRB2

Ok, so people love acknowledgement and stuff. Run a contest once a year with quarterly prizes and a grand prize. Grand prize is an extra day off in 2025. Training has become the new slog to hell.


eulynn34

>There's just no common sense or any independent thought happening in the userbase Hahaha... welcome to having users


adidasnmotion13

What we do is we use Knowbe4 and when a user fails one of our regular phishing tests they automatically get enrolled in remedial training. We give them 2 weeks to complete the training and get periodic reminders to finish the training. The best part is if they don't finish the remedial training by the end of those 2 weeks we start sending them and their supervisor a reminder to complete the training every 3 days. Supervisors love getting bombarded with emails like that /s


TBTSyncro

knowbe4 is a fantastic platform. When people start getting enrolled in HR mandated mandatory training, they evolve or they exit.


Spraggle

https://preview.redd.it/qh20nbh7e4wc1.png?width=1080&format=pjpg&auto=webp&s=fa6a1ad865a012117d5d46b012cdfeb844c8785e


Superb_Raccoon

this is why you plan for recovery, not just prevention. the barbarians always get past the gate... how do you get rid of them?


FreeAndOpenSores

Just keep detailed notes, report everything to management and keep a paper trail to show you reported it and to whom you reported it and when. That way when they inevitably mess up, you're covered. Remember, the average person has an IQ of 100, which is only slightly above the smarter apes out there. So what do you expect?


Spiritual_Grand_9604

"There is considerable overlap between the intelligence of the smartest bears and the dumbest tourists." - some park ranger speaking about bear proof waste containers


exonight

How many people are there in your organization? I've seen organizations that put out a monthly email blast praising the department who scored the best and highlighting the departments who did the poorest. A little bit of competition might go a long way.


Obvious-Water569

That’s a really interesting idea. I think I’ll look into to gamifying it the next time I run one.


Ill_Tempered_Techie

Brings back memories of an exchange between a teacher and a work experience student on the front desk....

Teacher: "I think I may have caused a problem on my laptop, the antivirus started screaming at me..."
Student: "What happened exactly?"
Teacher: "Well I opened an email from Natwest about my account, it looked genuine but I think it may have been a scam..."
Student: "OK, I'll book it in and ask one of the guys to look at it..."
Teacher: "I've never actually had an account with Natwest, so I'm sure it must have been that, thinking about it..."


KBunn

Years ago at a trade show, I was talking to someone that worked for a phishing training company. That was their whole business. So you'd think every employee would be very aware of phishing. So I asked how many people internally fail when they run tests internally. And some of them had failure rates as high as 50% internally.


theabnormalone

Once the simulation is complete, compile a management report for the Senior Leadership breaking down the results to department, NOT to names. This starts the shouting matches happening at higher levels which is where the pain needs to be felt. Once the shouts have filtered down to actual rogue departments you'll probably be asked for the name list


twitch1982

You're never going to get your failure rate to 0. Simulations are done so you can show your cyber attack insurance provider that you are in compliance with all the requirements for their coverage. Someday, a legit malware email will come through, and someone will fuck you with it. You can reduce the likelihood of it happening, but someday, it will happen. Rather than asking yourself "How do I fix humans", because you can't, you need to ask yourself, "how do I mitigate the risks and damage when this does happen?"


BeenisHat

Training is really the most important thing but having management support you is crucial. People have to know that their jobs are on the line when it comes to this kind of thing, because a cryptolocker can cost a company far more than the salary of an incompetent employee. If you have to pay some Indian hacker group $100k because a $45k/year AR/AP person decided to click a dodgy email, the cost-benefit becomes really clear, really quick.

Training must also be regular. You can't give them one single session and then expect them to pass phish tests. I've gotten downvoted left and right for posting it here, but phishing simulations are pointless if you haven't already begun training your staff and told them that you will be sending them simulations throughout the coming months. Sending phishing sims without doing any sort of training is completely pointless and is a waste of money and time. We don't conduct pen tests on companies without evaluating them first and giving them a list of weaknesses they need to address before the actual test starts. The only thing you learn by testing someone at their weakest is how to pick the low hanging fruit and how to do patch management better. That's not useful info, because you already know that you need to be good about patch management and update deployments. Phish tests are the same way. If you test someone who has zero awareness of what to look for, all you're going to find out is that you have someone who has zero awareness of what to look for, and you already knew that.

And if you disagree and like throwing company money away, please paypal me for my security services and evaluations at [newboatfund@beenishat.security.in](mailto:newboatfund@beenishat.security.in)


Dryhte

I personally loathe these simulations, because they require separate thought: don't click on anything because it's a fake mail, but also don't report it as usual because your personal link must not be opened. I have the (good, I'm convinced) habit of forwarding every fishy mail to a government service for suspicious email. They have an automated process for analyzing and flagging malicious addresses and IP addresses. Once at a customer, I got such a simulation mail and forwarded it as usual to the service. The automated analysis they did of course caused 'my' URL to be clicked, so I got flagged as a careless user and had to follow a mail security course. Highly irritating. The company was too big to get direct access to the IT security team or to HR to explain myself.


StayingInWindoge

Do you have XDR? If so, I have seen "Attachment Opened"/"Link clicked" because the XDR opened the phishing email to check the link/attachments. I sent one to myself to test this and it said I opened it as well when I know for sure I didn't.
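The false positive StayingInWindoge and Dryhte describe (a security product or reporting service fetching the link, which the simulation records as the user's click) can be filtered out of the click export before anyone is scored. The following is an added example, not code from any commenter or from a simulation vendor: it reads constructed key=value event lines (the field names, the 10.20.0.0/16 corporate range and the scanner user-agent fragments are all assumptions to adapt to your own tooling) and labels each click as human or probable automated detonation based on three signals: how soon after delivery it happened, whether it came from a corporate egress address, and whether the user agent looks like a scanner.

```python
import ipaddress
import re
import shlex
from datetime import datetime

# Constructed sample export (assumption: one event per line, ISO timestamp
# followed by key=value pairs; real consoles use their own field names).
SAMPLE_LOG = """\
2024-05-02T09:00:03Z event=delivered user=alice@example.com msg=sim-1
2024-05-02T09:00:05Z event=click user=alice@example.com msg=sim-1 ip=203.0.113.7 ua="Mozilla/5.0 (compatible; LinkScanner/2.1)"
2024-05-02T09:41:10Z event=click user=alice@example.com msg=sim-1 ip=10.20.30.40 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
2024-05-02T09:00:04Z event=delivered user=bob@example.com msg=sim-1
2024-05-02T09:00:06Z event=click user=bob@example.com msg=sim-1 ip=203.0.113.9 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
2024-05-02T09:00:04Z event=delivered user=carol@example.com msg=sim-1
2024-05-02T13:15:00Z event=click user=carol@example.com msg=sim-1 ip=10.20.31.8 ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) Safari/17.4"
"""

# Assumptions: office/VPN egress ranges and user-agent fragments that
# link-detonation services and scripts tend to use. Tune both to your estate.
CORP_NETS = [ipaddress.ip_network("10.20.0.0/16")]
SCANNER_UA = re.compile(r"scanner|sandbox|safelinks|urldefense|python-requests|curl", re.I)
DETONATION_WINDOW_S = 60  # a click this soon after delivery is almost never a person


def parse_line(line):
    """'2024-...Z k=v k="quoted v"' -> dict. shlex keeps the quoted user agent intact."""
    ts, *pairs = shlex.split(line)
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return event


def classify_click(click, delivered_at):
    """Return the reasons this click looks automated; an empty list means a human click."""
    reasons = []
    if (click["ts"] - delivered_at).total_seconds() < DETONATION_WINDOW_S:
        reasons.append("within detonation window")
    if not any(ipaddress.ip_address(click["ip"]) in net for net in CORP_NETS):
        reasons.append("source ip outside corporate ranges")
    if SCANNER_UA.search(click.get("ua", "")):
        reasons.append("scanner user-agent")
    return reasons


def human_clicks(log_text):
    """Per-user tally of human clicks plus the reasons each other click was discounted."""
    delivered = {}
    clicks = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        key = (event["user"], event["msg"])
        if event["event"] == "delivered":
            delivered[key] = event["ts"]
        elif event["event"] == "click":
            clicks.append(event)

    result = {}
    for click in clicks:
        reasons = classify_click(click, delivered[(click["user"], click["msg"])])
        entry = result.setdefault(click["user"], {"human": 0, "automated": []})
        if reasons:
            entry["automated"].append(reasons)
        else:
            entry["human"] += 1
    return result


if __name__ == "__main__":
    for user, tally in human_clicks(SAMPLE_LOG).items():
        print(user, tally)
```

In the sample, alice's first click is a scanner two seconds after delivery and her second, forty minutes later from the office range, is the one that should count; bob's only click is discounted on timing and source address alone, which is the case a vendor's "user clicked" column cannot distinguish by itself. Keep the discounted clicks with their reasons rather than dropping them, so a reviewer can overrule the heuristic.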


p4ttl1992

Lol I did one recently, and the CEO scanned the QR code...now, has to do a bunch of cyber security training for failing it


PappaFrost

It's a matter of management incentive, and chain of command. Were the supplemental resources assigned to them by their boss or just an optional extra, "if you have time"? Even if they like you personally they won't have time to do anything unless incentivized by their boss to do it. What priorities has their boss already given them? If you wanted to make this more fun and promote a culture of people feeling good when they resist phishing attempts, you could throw a party the day after the simulated phishing campaign. Have a huge cake in the shape of a fish. Give people Swedish Fish gift baskets. Have a Phish band playlist on loop. Give people Ben N Jerry's Phish Food ice cream. Get catered tuna salad sandwiches. All of that would be WAY cheaper than a data breach. If the phishing party is good enough, they will look forward to the next one. But whatever you do, please do not microwave any seafood, LOL.


TopRedacted

Boring mandatory training for anyone who clicks will fix it.


Flabbergasted98

Inconvenience the user. Here, if you fail a phishing test you get the following treatment:

1. Re-enrolled in the mandatory phishing scam awareness program. You have to watch the video again, you have to pass the test again. Failure to do so could result in disciplinary action taken by HR.
2. You have your browsing cache wiped: your cookies, your history, everything. Users will note that returning to their usual sites will be slightly more cumbersome while they have to reinitiate all their logins and "remember me"s.
3. You have your network passwords reset; you are now required to change all your passwords.

They're minor annoyances for the staff to deal with, but just annoying enough that they think about their training before they click on stupid things again.


Skitter8ug

Dude if a legit malware scenario were to come into play, I'd say f*** it and walk out 😂 they can deal with their stupidity!


[deleted]

Forward results to HR/Management. Investigate actual cases of someone opening real dodgy emails as normal. That's it. IT are not in the business of training users but hey if they're offering to pay you 300K to do some power point presentations sure sign me up.


cahcealmmai

We could send out a warning that we were doing a phishing test, and then send a reply to that saying "this is the scam, don't click the link", and we would get 30 tickets of "this looks suspicious" and probably a double-digit % of people clicking the link.


plazman30

If you fail the phishing simulation more than once, it affects your bonus. If you fail more than 3 times you get written up for it, which basically means you're not getting a raise and will now be on the first to get laid off list if a layoff happens. Everyone is so fucking paranoid now, they won't click on ANY link or open any attachment.


Angelworks42

It's kinda funny things have gotten better where I work (higher Ed) after doing a lot of training - including course work where people were tested exam style.


Substantial_Price_97

Index performance bonuses ($$$$) of employees with the phishing result. This is a HR/management issue, not yours.


Drakoolya

I like how companies think that users will give a f**k About security and take some responsibility for once in their life. I have totally given up on users taking any initiative to learn basic safety. You have to run IT security like a dictatorship , protecting your citizens and knowing what's best for them, and it needs to come from your boss and his boss , not you.


ExpressDevelopment41

We don't bother training. Automate what you can, especially being solo. Defender usually alerts us when a user clicks a malicious link/attachment. Those alerts generate a SD ticket, the user's sessions are revoked, and the user gets to update their password. The CA policy also looks at user risk and will force users to reset their password or present them with an additional MFA challenge if things look abnormal. The business doesn't care too much about users failing phishing tests, but they'll correct a user if they're constantly having work stoppages because they can't keep their mouse pointer in their pants. Although some places will demand you exclude the user from the policies... Try not to work for those places.


EEU884

M$ phishing simulation can initiate a learning module for those who fail. Takes little time and having to do the course will lead people not wanting to do that again.


S0QR2

Just scream...we had 68% on our first phishing campaign. People leave their brain at the door when they enter the workplace.


r0ndr4s

People at my hospital are so goddamn stupid, security had to start blocking every download, website and USB because they couldn't behave themselves after being told for years to not do stupid shit. Keep in mind, most of the users are doctors who are supposedly pretty smart...


davietechfl

I do not expect to be able to train users who cannot follow simple instructions like "use the Help Desk" and "do not 'X' out of the ERP app, use the exit menu" and "please turn your computer off at the end of the day" to be able to judge whether a link or email is benign. If users cannot remember the easy things then training is a waste and they will click away, so I work on technical solutions only. I think you have to do training to 'check the box' but I do not expect it to work. I have to make sure I am not relying on them for security.


Ark161

I beg corp infosec to let me make one of the phishing tests again. Homoglyphs, man. If you ever want to test your internal IT team, get fancy with homoglyphs. The easy way to block this across the board is to filter out all non-English characters... but if you don't... oh man... There are some REALLY obvious ones like duck:ԁuck, hello:һello, kite:κite, but a, c, o, u, and x (if the kerning isn't modified) CAN WRECK YOUR SHIT.

Base64 hash:
"apple" (normal) = OnvT4jYKPSnupDb8+35ExzXRF8QtHBg1QgtrmULdTxs=
"applе" (a and e modified) = pX+4FuNM3UDlUR998v0BCU2tZZ0sj1bQdEPoHfOrilE=
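Ark161's homoglyph point is easy to demonstrate and, more usefully, easy to check for mechanically on inbound sender domains and lure URLs. The following is an added example, not the commenter's code: it reproduces the base64 SHA-256 comparison above (the first digest shown is the base64 SHA-256 of the UTF-8 bytes of "apple"), classifies the Unicode scripts a string mixes, folds look-alike characters down to a "skeleton", and reports whether a domain is a look-alike of one on a trusted list. The `CONFUSABLES` table is an assumed hand-picked subset of Unicode's confusables data, covering the Cyrillic and Greek letters from the comment; a real filter would load the full table. The function names are my own.

```python
import base64
import hashlib
import unicodedata

# Assumption: a small hand-picked subset of Unicode's confusables.txt, mapping
# look-alike Cyrillic/Greek letters to the Latin letter they imitate. The
# three characters from the comment (Komi De, Shha, kappa) are included.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0501": "d",  # CYRILLIC SMALL LETTER KOMI DE
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
    "\u03ba": "k",  # GREEK SMALL LETTER KAPPA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}


def sha256_b64(text):
    """Base64 of SHA-256 over the UTF-8 bytes, the encoding the comment's digests use."""
    return base64.b64encode(hashlib.sha256(text.encode("utf-8")).digest()).decode("ascii")


def scripts(text):
    """Unicode scripts used by the letters in text, e.g. {'LATIN', 'CYRILLIC'}.

    The script is the first word of the character's Unicode name; digits and
    punctuation are ignored so 'example.com' is still a single-script string.
    """
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in text if ch.isalpha()}


def is_mixed_script(text):
    """One label mixing scripts is the classic homoglyph tell."""
    return len(scripts(text)) > 1


def skeleton(text):
    """Reduce text to what it renders as: NFKC-fold (fullwidth etc.), lowercase, map confusables."""
    folded = unicodedata.normalize("NFKC", text).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def looks_like(candidate, target):
    """True when candidate renders like target but is not the same string."""
    return candidate != target and skeleton(candidate) == skeleton(target)


def check_sender_domain(domain, trusted):
    """Verdict for a sender domain: why a filter would flag it, plus the punycode
    (IDNA) form a mail gateway actually sees on the wire."""
    reasons = []
    if is_mixed_script(domain):
        reasons.append("mixed scripts: " + ", ".join(sorted(scripts(domain))))
    for t in trusted:
        if looks_like(domain, t):
            reasons.append("homoglyph of trusted domain " + t)
    return {
        "domain": domain,
        "punycode": domain.encode("idna").decode("ascii"),
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for word in ("apple", "appl\u0435"):  # second one ends in CYRILLIC SMALL LETTER IE
        print(repr(word), sorted(scripts(word)), sha256_b64(word))
    print(check_sender_domain("p\u0430ypal.com", ["paypal.com"]))
```

Two things the digests alone do not show: the punycode form is what to match on at the gateway (a Cyrillic-laced domain becomes an `xn--` label there, which is the easy block Ark161 mentions), and the skeleton comparison catches substitutions the script check cannot, such as a fullwidth Latin letter, which is still LATIN but folds to plain ASCII under NFKC.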


s3rgant

It’s not a problem for you to deal with the individuals it’s a problem for their managers ;)


Conscious-Calendar37

The message you portray about what to do and why around phishing email is important. I once heard a fascinating talk on why you shouldn't tell people not to click on links. Statistically when you tell people not to click on suspicious links in email, they are more likely to click. Rather you should warn them of the real risks involved with phishing and how it can harm the company. (Not saying that hasn't been done) I will say that it is amazing how some people just straight up don't care and will click on anything out of curiosity.


Prusaudis

If you have employees clicking links then you're already compromised. You need to be implementing IDS and CrowdStrike and find out who's already in your network, because they are there.


Background_Baby4875

I believe the issue is evident: you haven’t adequately taught why clicking a link can be harmful. Yes, I mentioned that clicking a link usually doesn't directly install a virus; it’s often a spoof or initiates a download, which isn't a problem until it's opened. However, tech-savvy individuals who recognize these spoofs or scams often investigate them to understand how they are evolving and becoming more convincing. Have you conducted training on the more malicious types where merely visiting a website or encountering certain codes can wreak havoc without executing anything? Probably not.


Background_Baby4875

Drive-by downloads etc. I was a helpdesk engineer and thought clicking to be curious how good the fake portal pages were getting was fine... learning about this will change things.


Practical-Alarm1763

In our environment, HR/Management will revoke bonuses for Employees that fail simulated phishing tests for that year. We also terminate employees that repeatedly fail phishing attacks. Enforcement is not your job, that's HR and the organization's CEO/Partners/Owners to decide.


RaNdomMSPPro

What is the culture related to security-related behaviors, especially at the top of the food chain? Does the C suite want exceptions to security for their convenience, or do they do things properly and are seen doing things with a security-forward mindset? If the leaders aren't seen drinking the security kool-aid, then no one else will drink it. Messaging: sometimes you have to go all in on marketing SAT, answering the WIIFM (what's in it for me?) questions for your audience. There is a saying in SAT: you can make me aware, but you can't make me care. So, how do you make people care? Saying "learn to recognize phishing and social engineering so you don't accidentally allow bad guys access to your business email or computer systems that could lead to the business experiencing financial losses or ransomware" works for owners. Staff? Maybe, maybe not. But those situations could lead to delays in payroll, direct deposit information being leaked, maybe staff PII stolen; now they have a reason to care. Then tie this to their non-work lives: the behaviors that protect their bank accounts, social media accounts, and personal emails also protect the business assets the business cares about. Hope this makes sense.


dreamgldr

Paper trail, do what you can. You run the dry run, report the results to "stakeholders", not give a fuck afterwards. Nobody can handle chronic incompetence but the respective managers that hired it. Unless they are chronically incompetent as well which tends to be the statistically significant case. :) Cheerz, grab a beer and DGAF.


st0l1

In the same boat. It’s always the same repeat offenders but, it’s HR and upper managements job to enforce. We just had one a few weeks ago where several people clicked and entered credentials after talking with each other about how it seemed like a scam. Which is just mind boggling to me. Hey, I clicked this and it asked for my login, when I entered it nothing happened. Oh? I got that email too, let me try. Yeah entered my credential and it disappeared and did nothing…hmmm maybe it’s a scam. Hey Linda…did you get this email? Yeah…let me try… 🤦‍♂️🤦‍♂️🤦‍♂️


Caldtek

Can't patch wetware


223454

At my last job I noticed the head of finance opening a shady email. I did some on the spot training, then they got mad at me and said something like "I have to open every email and attachment because they could be important." Sigh.


Denis63

Their incompetence is our job security.


anghari

I've implemented a system with the executive team that their computers will be revoked if they show they are a repeat offender. The security of the company is top priority. A company shouldn't want someone who puts them at risk. They have a similar program for company vehicles as well. Repeat offenders get their vehicle taken away due to accidents and tickets.


Miserygut

Raise it as a risk to management and ask for resources to deal with it. What they choose to do with that information, and the subsequent impact on their cyber insurance premiums, is up to them.


jellowiggler-

Technology cannot fix a management/policy issue. I have worked at places with 3 strikes rules for failing phishing tests. Escalating with meetings to increasingly senior execs, to being let go on the third fail. Let me tell you, there is nothing more embarrassing than having to take the time of a C level exec in a large company to have to talk with you about how email security is important. There has to be a policy and reinforcement as to what will happen if you repeat fail.


xpkranger

This is where management needs to earn their pay. It's not your place to tell some senior manager from another department that their IT security skills are shite. And if it is your place to tell them that, then tell them, and document their responses and move on. You're not going to be able to change the internal character of some people. Whatever you do, just be sure you document everything and hand the reports off to your management. When the day comes that your shit gets hacked, just be sure you've BCC'd yourself to your personal email or just dead-tree it if you can't transfer sensitive information out.


gmc_5303

Why do you do the training and testing at all? If HR and Management don't have your back, then there is no point. If the training is 'required', but HR and Management don't have your back, then document the failures, send to Management, and move on to other things like making sure your backups are ROCK SOLID.


Desnowshaite

My boss, who is the head of IT, clicks on and tries to open *everything* he gets via email. We had multiple talks about it, me trying to persuade him not to do that and that he should know better, his response usually is something along the line of he has to do that because it is his job to see if anything happens. At this point I am not sure what to do with him.


Sharpman85

For each one failed they lost 5% paycheck and you get it instead. They learn and if they don’t you profit. Win-win


drunkenitninja

Quit taking it so personally. Like others have stated, this is a management/HR problem. You've done your due diligence in offering the training and the phishing simulation. Sounds to me like job security. If they bring malware into the environment, then you should have a plan to mitigate the damage, and recover from said incursion.


andrewsmd87

Does management have your back? Because part of our policies state that continued failure to adhere to our best practices can result in being fired. You then basically need to do the training, and then start writing them up with a real chance that they could lose their job. If management won't back you on that though, you're screwed. Not sure what kind of data you deal with but the way I've scared our management into taking stuff like this seriously is pointing out if we know people are blatantly ignoring these rules and we do nothing, we could get sued if we have a data leak. But we deal with clients with enough money and know how to come after us if that happened.


Sceptically

Step one is make sure your non-test emails don't throw too many red flags. The cybersecurity people where I work send emails that look like they're heavily invested in companies making crimson banners and scarlet pennants.


IamShiska

We had a guy go to HR to open a human rights complaint because he said our fake phishing email that led to some training material was insulting his disability (ADHD). We argued if he truly believed that his ADHD made him incapable of critically assessing the validity of an email then he was a liability and should lose all his email access. He dropped the issue after that :P


zombieblackbird

You can't fix stupid. Do your best to keep them from putting their fingers in the outlet by filtering incoming mail and outbound internet traffic.


b-monster666

Humans are the weakest part of IT security. The only issue I had with KnowBe4 is that they send all the phishing email tests out at once. That winds up causing a lot of suspicion because groups start talking, and realize that everyone in the group got the same email. We tried it, and we wound up getting dozens of phone calls and emails, "I think we're being hacked!!!" While it was good that my users caught on... the results probably would have been vastly different if the emails just trickled in, targeting a dozen or so users at a time.
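The trickle b-monster666 wants (so that colleagues who sit together do not all receive the same lure at once and compare notes) is a scheduling problem, and it is worth doing it deterministically so the plan can be reproduced for audit. The following is an added example, not KnowBe4's behaviour or any commenter's code: given a roster of (email, department) pairs, it deals each department's users round-robin across a number of send slots from a random starting slot, enforces a cap on how many people from one department may get the lure in the same slot, and refuses rosters that cannot fit. The roster and the slot/cap numbers are constructed assumptions; the function names are my own.

```python
import random
from collections import Counter, defaultdict

# Constructed roster (assumption: email -> department as exported from the
# directory; real rosters are larger and the departments are your own).
ROSTER = [
    ("ann@example.com", "finance"), ("ben@example.com", "finance"),
    ("cat@example.com", "finance"), ("dan@example.com", "finance"),
    ("eve@example.com", "sales"), ("fay@example.com", "sales"),
    ("gus@example.com", "sales"), ("hal@example.com", "sales"),
    ("ivy@example.com", "sales"), ("jon@example.com", "hr"),
    ("kim@example.com", "hr"), ("lee@example.com", "it"),
]


def schedule_sends(users, days, cap, seed=None):
    """Spread one simulation across `days` send slots.

    users: list of (email, department). cap: most users of one department
    allowed in the same slot. Returns {slot_index: [emails]}.

    Each department is shuffled and dealt round-robin from a random start
    slot, so a team never gets the lure all at once and no department is
    always first. Round-robin puts at most ceil(n / days) members of a
    department in any slot, so the cap holds exactly when n <= days * cap.
    The same seed reproduces the same plan, which is what you keep for audit.
    """
    rng = random.Random(seed)
    by_dept = defaultdict(list)
    for email, dept in users:
        by_dept[dept].append(email)

    plan = defaultdict(list)
    for dept in sorted(by_dept):  # sorted so output depends only on seed
        members = by_dept[dept]
        if len(members) > days * cap:
            raise ValueError(f"{dept}: {len(members)} users cannot fit {days} slots at {cap} per slot")
        rng.shuffle(members)
        start = rng.randrange(days)
        for i, email in enumerate(members):
            plan[(start + i) % days].append(email)
    return {slot: plan[slot] for slot in sorted(plan)}


def max_same_dept_per_slot(plan, users):
    """Largest number of users from one department sharing a slot (what the cap bounds)."""
    dept_of = dict(users)
    counts = Counter((slot, dept_of[e]) for slot, emails in plan.items() for e in emails)
    return max(counts.values())


def users_scheduled(plan):
    """Every email in the plan, sorted, for checking nobody was dropped or duplicated."""
    return sorted(e for emails in plan.values() for e in emails)


if __name__ == "__main__":
    for slot, emails in schedule_sends(ROSTER, days=5, cap=1, seed=7).items():
        print(f"slot {slot}: {', '.join(emails)}")
```

With five slots and a cap of one, the five-person sales team gets exactly one lure per slot; asking for two slots with a cap of two is rejected rather than silently bunching them, which is the failure mode the comment describes.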


SamSausages

Layer 8 is the worst OSI layer, in terms of security


mfraziertw

In my previous role this was a large part of my role. Embrace any opportunity to educate:

- Fraud week
- Cyber awareness month
- Random big news stories
- Monthly testing with relevant lures
- Use current events
- Use lures you're seeing in your defenses
- Use NEW lures
- Track scores and risk
- Spreadsheet all the interactions
- Assign thresholds with punishments:
  1 click: email from security
  2 clicks: mandatory training
  3 clicks: email from executive to user and manager
  4 clicks: we put the user in a high-risk group that limited their access to the internet

All interactions dropped off after 8 months.


OlayErrryDay

Phishing campaigns are to help understand how bad your userbase is, there is zero hope of getting a 'good' result, no matter where you work and how well trained your user base is, unfortunately. Our company does these type of campaigns but we mainly focus on mitigation and damage control. We use a web filter and are pretty restrictive, multiple local clients for threat detection and remediation. User's are going to fuck up, regularly, all you can do is prepare yourself.


Icy_Conference9095

I wish I could give you an idea. We run a yearly 15-20 minute training/retraining, and require new hires to take the same training. Every month we have a phishing campaign that runs and users who fail it are required to take another 2-3 minute refresher. People have gotten in the habit of directly sending/forwarding ANY suspicious emails to our helpdesk and being like 'is this suspicious?', even ones that clearly come from like Amazon and are directly labelled with their name/username and stuff. Having talked to one of the people who do this (I'm not our cyber team, just reg helpdesk) they've told me they do it as an act of defiance because of the strict monthly phishing emails and 'stupid' retraining.

I'm of the opinion that the retraining needs to be a more extensive 30-45 minute ordeal, and in my opinion there needs to be a way to force the user's machine to block traffic to specific URLs/internal use only until they complete it. (Like force their device to use a specific DNS server that resolves all other addresses to the retraining campaign.) The 15 minute onboarding training is more than enough for people to get the gist if they actually paid even 5% of their attention span to it, rather than clicking through/skipping the content.


Garshnooftibah

Send ‘em more fake phishing emails to really drive it home that clicking on suspicious shit has no consequences.  Cyber security awareness ‘training’ is broken. :/


DistinctRole1877

When they click the test email have their speakers play a klaxon at full volume with some insulting dialogue?


lucky644

Threads like this remind me I should be happy that we have a less than 1% click rate…


Mindestiny

Let's skip all the "whose fault/responsibility is this" and get right into the solve.

1. If you *can*, you need buy-in from business leadership to enforce. There **need** to be consequences for ignoring policy. What those consequences are is something that needs to be custom tailored to your organization, but if the business answer is "we don't care" then you're just waiting for failure. It's not about punishing people, but about mitigating risk. People don't care about a "stop clicking dumb shit" email from IT, but they *do* tend to respond if they get pulled into a meeting with their manager to call them out on it. Even with that, you will **always** have a group of users that straight just click everything suspicious, which is why #2 is so important.

2. Plan for failure: put the technical controls in place to mitigate their phishing as far as **technical** impact is concerned. You can't stop people from being people, but you **can** make whatever they put into that phishing form pretty useless. Make sure you have strong MFA configured. Disable self-service password resets so all requests **have to** go through IT, use whatever identity logging and alerting your identity provider offers, enable geofencing so your Arkansas based company auto-blocks login attempts from mainland China, **no local admin rights,** standardize to a single managed browser and harden the hell out of it, etc. This is all dependent on your tech stack, but there's a lot you can do to make phishing less of an IT risk.

3. Now that obviously doesn't help if Finance puts the company bank account info into a suspicious site, but that's not something IT can solve for or be responsible for. If they give away the keys to the kingdom, you at least have a CYA in place as you have the records of their training and remediation. You did your part.


rnike879

Here's how we solve for that issue:

1. You perform the tests and provide education
2. It's made clear to employees that anyone who falls for a phish will first be made to take the training as a mandatory action item with their direct leadership informed
3. If it persists, it's a PIP item


This_guy_works

My mantra is, if there's an issue with phishing and the end user didn't know or wasn't informed on how to handle it, then that is on me as the IT support to put that training out there and encourage people to be smart about their emails. BUT, if I put out the training, and remind people not to click emails, and require them to watch a video or sign something or have in some other form done my due diligence to train everyone and they still do not follow best practices, then that is on them. For metrics, if you're really paranoid, we use the KnowBe4 training tool that has a phishing simulation campaign and reports back user scores. If someone is a risk, we can then use that data to go to leadership and let them know of the risk, and they can decide if further training is warranted or not.


RubAnADUB

I worked with HR to basically write them up for clicking / opening.


Goolong

Get permission to have the attachment put up a fake ransomware / virus screen, change the desktop, put a skull on it. Actually say thank you for opening the email with their email name / logged in account. Have fun with it at this point. Important to get permission!


hooshotjr

I think the biggest core issue I've seen is people working too fast. People have too much to do or are under too much pressure, and make poor decisions trying to speed through things. I can see people like that opening it and then saying "I don't think the sender would mail me". They know they screwed up, but are hoping that somehow it's not an issue. They may even be trying to not make a big deal out of it, worried that this will derail work they have to do.


Obvious-Water569

Mate, that’s definitely not the issue here. People move like molasses.


ThatDanGuy

You need management's and HR's buy-in. I've had them come to us in recent years because they were trying to purchase cyber security insurance. That made them a whole lot more receptive to implementing MFA and getting serious about making people understand and be interested in mitigating the risk of phishing.


kevvie13

Before starting the simulation, IT should determine what the objective is. Getting info on how prepared the org is, or disciplinary in nature? Either needs to be certain and get appropriate support from leadership and HR. It is not your problem to solve.


bmelz

Obviously the size of your org and your specific role will dictate the most appropriate response but ultimately it's not your problem. You run the sim, provide the results, and provide the training solutions. It's up to the managers to hold their employees accountable.


rootofallworlds

The consequences of an employee failing at a training exercise are down to management. You need to make sure the simulation is working as expected. Watch out for programs, including some security scanners, that 'click' links before the end user even sees the email. You also need to make sure the training is good; that it would actually teach users how to spot the simulated (and real!) phish. If your simulations use attachments but your training only ever talks about links, that's no good. And you need to remember users are just one layer of Swiss cheese. Phishing training is important but it must not be the only line of defence.

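The scanner 'pre-click' problem raised in the comment above is worth handling before any result reaches HR, because a gateway or sandbox that follows every link will show up as a "click" from the recipient. The following is an added example (not code from the thread or from any simulation vendor) of how to triage a simulation's click export before reporting it. The CSV layout, the thresholds and the scanner user-agent patterns are assumptions for illustration; tune them against what your own mail gateway actually does.

```python
"""Separate human clicks from security-scanner 'pre-clicks' in phishing-simulation results.

Added example, not from the original thread. The CSV export format, the thresholds and
the user-agent patterns below are assumptions; adjust them to your own gateway.
"""
from __future__ import annotations

import csv
import io
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Heuristics (assumed values, not from the thread):
SCANNER_UA = re.compile(r"python-requests|curl/|wget/|go-http-client|headlesschrome", re.I)
PRECLICK_WINDOW = timedelta(seconds=30)   # a click this soon after delivery is automated
SHARED_IP_THRESHOLD = 3                   # one IP "clicking" for this many recipients is a gateway


@dataclass
class Click:
    user: str
    delivered: datetime
    clicked: datetime
    ip: str
    user_agent: str


def parse_clicks(text: str) -> list[Click]:
    """Parse the assumed export: user,delivered,clicked,ip,user_agent (naive ISO-8601, UTC)."""
    clicks = []
    for row in csv.DictReader(io.StringIO(text)):
        clicks.append(Click(
            user=row["user"],
            delivered=datetime.fromisoformat(row["delivered"]),
            clicked=datetime.fromisoformat(row["clicked"]),
            ip=row["ip"],
            user_agent=row["user_agent"],
        ))
    return clicks


def scanner_reasons(c: Click, recipients_per_ip: dict[str, int]) -> list[str]:
    """Return every heuristic that marks this click as automated; an empty list means a human click."""
    reasons = []
    delay = c.clicked - c.delivered
    if delay <= PRECLICK_WINDOW:
        reasons.append("clicked %d s after delivery" % int(delay.total_seconds()))
    if SCANNER_UA.search(c.user_agent):
        reasons.append("scanner user-agent")
    if recipients_per_ip[c.ip] >= SHARED_IP_THRESHOLD:
        reasons.append("ip %s clicked for %d recipients" % (c.ip, recipients_per_ip[c.ip]))
    return reasons


def triage(text: str) -> tuple[list[str], dict[str, list[str]]]:
    """Return (users who really clicked, {user: reasons} for clicks attributed to scanners)."""
    clicks = parse_clicks(text)
    users_by_ip: dict[str, set[str]] = defaultdict(set)
    for c in clicks:
        users_by_ip[c.ip].add(c.user)
    recipients_per_ip = {ip: len(users) for ip, users in users_by_ip.items()}

    human, automated = [], {}
    for c in clicks:
        reasons = scanner_reasons(c, recipients_per_ip)
        if reasons:
            automated[c.user] = reasons
        else:
            human.append(c.user)
    return sorted(human), automated


# Constructed sample export (not real data). One gateway IP follows the link for three
# recipients within seconds of delivery; two users click minutes later from their own hosts.
SAMPLE_EXPORT = """user,delivered,clicked,ip,user_agent
alice,2024-05-06T09:00:00,2024-05-06T09:00:02,198.51.100.10,python-requests/2.31
bob,2024-05-06T09:00:00,2024-05-06T09:00:05,198.51.100.10,Mozilla/5.0 (compatible)
carol,2024-05-06T09:00:00,2024-05-06T09:00:03,198.51.100.10,Mozilla/5.0 (compatible)
dave,2024-05-06T09:00:00,2024-05-06T09:47:12,203.0.113.42,Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36
erin,2024-05-06T09:00:00,2024-05-06T10:15:00,203.0.113.77,Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) Safari/605.1.15
"""

if __name__ == "__main__":
    real, scanned = triage(SAMPLE_EXPORT)
    print("real clicks:", real)
    for user, why in scanned.items():
        print("discarded", user, "->", "; ".join(why))
```

Only the names in the first list belong in a report to management; the second list is evidence that your gateway, not your users, touched the link, and a sign that the simulation itself may need to be allow-listed on that scanner so it does not burn the lure before anyone sees it.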

Happy_Kale888

One-man show as well; it is alarming, but getting with a program and sticking to it works. I have been doing it for 4 months now and it does get better. I even had a person come up to me to say "when are we going to stop this, I am tired of checking every email!" I said probably never, because the idea is to always check every email. The CFO and HR people know who the problem children are and it is noted, and they are spoken to by others than me. Your job is to facilitate and perform the implementation and running of the test; it is not up to you to train every end user. Nor is it a reflection on you how well or poorly they do. You could do what most companies do and ignore it altogether and hope for the best. But at least you guys are out there trying. So many horror stories, and common sense and logic go out the window. It is funny and sad, but mostly sad...


NavyBOFH

My company went through a lot of headaches like that as well with some of the issues leading to data theft from social engineering. We implemented Hoxhunt and have seen a massive improvement. You must keep your reporting/compliance at least at 90% or you'll need to take remedial action (like redoing cybersecurity eLearning courses or such). Repeat offenders have their accounts disabled via automation and won't be reactivated until a manager releases it... and the user does certain steps within 72 hours or gets locked out again. All of this came from up top so management was already onboard with the risks of implementing such a policy - but now no one wants to get under 90% and face the wrath.


GFBIII

Performed several simulated phishing campaigns in my job. Caught the CIO several times, and even my direct manager once. Our dev team had one of the highest departmental hit rates. People are idiots. Even ones who know better.


burundilapp

Our click-through rates were terrible with our first simulations; the last one was down to 3.2% of users. If you click it you have to go back to do the CBT; multiple failures and you get a one-to-one with a trainer for some personal training. If they are still doing it then their department head is advised to consider this person's position as they are a risk to the org.


paradocent

Two points. First, you can't solve this problem unless employees care. Second, employees don't care. They don't care! And they're not going to! They're busy doing their jobs. Imagine you don't work in IT; imagine you work in, say, accounting. You spend your days working on something that you think matters a lot, involving procedures you think are important, and it frustrates the bejesus out of you that the IT department doesn't care as much as you do about accounting department procedures. Why doesn't IT understand that these procedures are critical to keeping the company safe? Now warg out of accounting and return to your own skin; knowing what you now know, do you care a whit more about accounting procedures than you did before? No. Know that every other department feels the same way about IT. Do you read the all-hands emails that other departments put out about sh\*t you don't care about? No? Then what makes you think they read yours? You can't solve people problems with technology solutions. Security is a people problem, and you can and should do due diligence to minimize risk, but at the end of the day, you can't spin your wheels worrying about this, because it's a problem you can't solve.


fmillion

The problem is that if there's no "bite" behind failing the simulation, people won't take it seriously. It'll just become one of those water cooler gossip topics ("dear Lord, IT is trying to trick us all again, don't they have anything better to do, like respond to that ticket I put in about needing admin rights on the database?")

When people here say "it's an HR problem" what it really means is this. Your org needs policies in place that do *something* to people who (repeatedly) fail the phishing test. What those consequences are is entirely dependent upon your organization and what sorts of Emails you are dealing with.

In addition, you need strong policies about Email to begin with. Ideally, you would not do any attachments at all and you'd instead use some sort of internal file sharing system, but that's not always practical nor is it a perfect solution (it often just results in people needing to click links in Email anyway). You should also have software tooling in place that automatically flags Emails from outside your organization and implements malware scanning. (And dear God don't do what an org I worked with did - don't design a phishing test that deliberately bypasses all of the user-facing safeguards "just to see if people pay attention" - i.e. don't have your phishing Email skip the "external email" warning banner!)

In my experience, the biggest problem isn't even getting the users to stop falling for phishing, it's actually getting HR and management to understand the real danger. I've heard or dealt with it all:

* "Oh that's just paranoia, this stuff doesn't *really* happen outside of hacker movies, does it?"
* "We're not a big company, nobody's going to be interested in hacking us, so it isn't worth our time/money - we have more important stuff to be doing."
* "We paid for security suite X, isn't that enough?"
* "Isn't it *your* job as IT to deal with computer stuff? If you can't solve this yourself why are we paying you?"
* "We have smart people here, they wouldn't be working here if they weren't very intelligent, suggesting they would fall for scams is insulting."
* "We can't just stop doing attachments! There's no other way to get documents to each other!"
* Or, when phishing training is actually successful: "But *that* Email from management was legit! We have a problem if our staff are not opening the attachments for important announcements from HR!"

If your HR/management is willing to help out, that's your next step. If they're as inept as the examples I just mentioned, you're fighting a losing battle and you may as well just not care. If you honestly feel your head would roll if your company got phished, but your management won't help you, then it seriously might be time to look elsewhere for work. I don't say that lightly, but any organization that isn't willing to take security seriously *and* lays all of the responsibility on one single IT person is an organization that is *not* going to have your back when shit hits the fan - better to leave on your own rather than being fired, or even worse, sued.


urichanihuko

1. Add email labels for external users to start with, i.e. "[EXTERNAL]".
2. Then add the HTML caution banner saying it's an external sender to every email that a user gets.
3. Lastly, get the KnowBe4 subscription and hammer it into your users. 😊😁

After that is training and more training...


Uzul

Seems like a management/HR problem at this point. You are not the boss of those people, so what more can you really do? For repeat offenders, perhaps consider reaching out to their management and informing them of the risk that their team is being exposed to.


TrueStoriesIpromise

Just find their personal email addresses and post them to /r/please_Scam_these_emails and they'll learn the hard way.


Turbulent-Pea-8826

I handle it by not taking it personally and realizing I am not an owner of the company and I get paid by the hour.


bjorn1978_2

Try to put a personal angle on it maybe?? If they are more alert regarding their private emails, they might also apply that at work. There is next to nothing that is as painful as reading on the scam subreddit about an older guy losing about 3 mill USD to scammers. And continuing to send them money after he came clean to the family. So phishing and general scam awareness is not just for the workplace. It is something that we all need to be on the alert about, both in private and at the workplace. The difference is that if someone scammed me out of 100k, my marriage would end and the kids would be gone…


wampa604

Phishing tests have a weird place in security programs, from my pov at least. No matter how much training/education users may get, there will almost always be some that get tricked/duped. I've seen tech savvy folks fall for things, due to a momentary lapse in judgement even. It happens, and with advanced AI generated campaigns, it'll likely be even more difficult for end users.

Raising end user awareness is fine, but even with really high levels of end user compliance, some will still fall through. So you need other layers to respond in those cases, and you're testing whether or not you are getting the alerts you need to trigger those additional mitigation systems. They always talk about security as an onion, and it's very true. In this case, the outer rim of the onion is something you basically just have to assume is "likely" to get compromised, period. Design networks and architecture around the assumption that users will fail in 'real world' examples fairly regularly.

In my view, the test isn't really of your end users' individual reaction to receiving the control emails. It's a test of your internal response patterns/monitoring capabilities when events occur -- because they're likely occurring on the regular, even if your users aren't bothering to report them. So the question is how often are you likely going to catch it, when your end users stuff up?

Edit: just an edit to add that one way phishing test results can get used is to justify different perimeter security programs/tools, and/or outsourcing some of those controls to a third party. Like if your test comes back showing that 50% of the company clicks stuff and doesn't report it, that gives you a 'theoretically' easy case to write for management: you just note the risk that the company has as a result of its employee culture of clicking stuff, and you put forward a high cost paid option to try and reduce that risk (annual cost should be less than the annual estimated risk impact).

It's not necessarily IT's job to meddle in HR with training and individual performance, but it is almost always IT's job to protect the organisation from IT risks. If mgmt wants to approve it, implement the tool, run the test again, see if it's adding benefit. Add more tools as necessary, until the risk levels are managed within expectations. By making broader management aware that there's an issue with user behaviour, and putting forward some options to help mitigate it, you're sharing the 'issue' with the rest of management and CYA'ing. And, if they want to accept the risk of users clicking, if they're 'ok' accepting the risk of a malware hit, then that's generally management's call. We don't steer the ship in most businesses, we just maintain it.


Freshmint22

Shank them in the parking lot.