Synopsis
This presentation is a refreshed version of a presentation successfully delivered at an AWSN event in October 2022 (https://www.awsn.org.au/eventdetails/15820/phish-your-way-to-building-trust-in-the-workplace-melbourne).
It tackles the problem that many organisations face relating to phishing simulation requirements from regulatory bodies.
Some people think phishing simulations are a waste of time and are not effective. Some companies do the bare minimum required to meet their regulatory requirements, and have the simulations run by their Security Risk team or a technical team.
Other companies are well on their way to taking a more positive behavioural approach.
I explain in this talk how you can use phishing simulations effectively, as part of a holistic security culture program, that integrates into a broader security strategy.
Many organisations run simulations in a traditional way: measuring click rates, taking punitive action if employees ‘fail’, and choosing some insensitive, ‘tricky’ templates. There are examples where this has gone wrong and had reputational consequences for the organisation (news stories, e.g. https://www.theguardian.com/uk-news/2021/may/10/train-firms-worker-bonus-email-is-actually-cyber-security-test).
This leads to a breakdown in trust between employees and the security team. I talk about some of these causes, including a lack of empathy for the end-user, personal circumstances not being considered (e.g. sending out bonus emails for large amounts at a time when people may be struggling for money), and the power imbalance that occurs when employees receive an email purporting to be from their manager/company asking for a specific action, often urgently.
However, it does not need to be this way.
I explain how the industry needs to move away from the big-stick approach that may have been popular in the past in some organisations (using ‘click rate’ as the primary metric – a negative behaviour) and instead focus on ‘report rate’ (a positive behaviour) as the primary metric.
It is critical for employees to feel safe to raise security concerns, and to know how to do this, and a well-designed phishing education program can amplify this for your organisation.
I talk about the types of templates that you can use that will still engage your employees but will not make them feel tricked if they click on a link.
I cover, at a high level, what you need to consider when setting up and running the simulations, the teams to collaborate with, and what other work you need to do to support the positive reporting behaviour transformation. This includes communications, reporting mechanisms, metrics, stakeholder management, and more.