5 Things To Know Before Phishing Your Employees

  1. Be Empathetic and Wise
  2. Culture Variations
  3. Technology
  4. Location and Timing
  5. Executive Sponsorship
  6. Conclusion

Before rolling out a security awareness campaign, I would want some data about my population and how susceptible they are to phishing attacks. Conducting a baseline phishing test will give me some data to work on. Data is king, especially in security.

However, there are some things to consider before hitting send on a phishing test. This article is a simple guide on what to understand to ensure your phishing campaign is successful.

1. Be Empathetic and Wise

If you’re going to phish about topics that include pay, bonus or any other salary-related information, you may want to check with your HR team. They will have insights you may not be privy to regarding attitudes towards pay and compensation. Falling for a phishing test is sometimes humiliating in and of itself, but if you’re teasing someone about pay and bonus, then it might make them really upset. Upsetting our users is not our goal; teaching them is.

Utilizing just a little empathy will go a long way in gaining our users’ trust and support. They may be hourly staff or working their butts off to hit company deadlines. Having a negative impact could lower morale or put security in the penalty box, resulting in future messaging falling on deaf ears. Our job is to build a security culture, not to be annoying or out to get people.

2. Culture Variations


What’s the culture and demographics of your company? Are they a sophisticated audience that may be less susceptible to phishing, or not? These factors will determine the difficulty level of your test. Make the test too difficult or too easy, and your data may not reflect reality. Take a look at some actual phishing campaigns you may have received lately and mimic those.

Again, your goal is to ultimately teach your users about phishing and gain accurate data, not win a game.

3. Technology

This may be obvious, but if your users are G-Suite users, a password reset email from Microsoft or O365 might not work for you. Be cognizant of the technology at your company.

On the other hand, you may want to do exactly that to gauge the engagement of your audience.

4. Location and Timing

Is your company in just one office or one continent, or is the company global? While it may be 11 am in New York, it will be 7 pm in London and midnight in Mumbai! To increase the chances of the email being opened or even seen, you will want to send the phishing email in the local timezone.

This may require you to create different campaigns based on region or general timezone if your software doesn’t support it.

Remember: you are trying to create a baseline, so anything that will affect the baseline could corrupt your data.
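One way to handle the per-region scheduling described above, as an added example that is not part of the original post: bucket recipients by timezone and compute the UTC instant at which the chosen local hour occurs in each zone. It assumes each recipient's IANA timezone name is available (for example, from an HR directory export); the addresses below are constructed.

```python
from collections import defaultdict
from datetime import date, datetime, time, timezone
from zoneinfo import ZoneInfo

# Constructed sample directory: (address, IANA timezone). Not real people.
RECIPIENTS = [
    ("alice@example.com", "America/New_York"),
    ("bob@example.com", "America/New_York"),
    ("carol@example.com", "Europe/London"),
    ("dev@example.com", "Asia/Kolkata"),
]


def group_by_timezone(recipients):
    """Bucket recipients by zone; each bucket becomes one regional campaign."""
    groups = defaultdict(list)
    for addr, tz_name in recipients:
        groups[tz_name].append(addr)
    return dict(groups)


def local_send_time_utc(tz_name, send_date, local_time=time(11, 0)):
    """UTC instant at which `local_time` occurs in `tz_name` on `send_date`.

    `send_date` may be a date or an ISO string. zoneinfo applies the DST
    offset that is actually in force on that date, so a campaign scheduled
    in March lands at the right local hour even though zones change rules
    on different days.
    """
    if isinstance(send_date, str):
        send_date = date.fromisoformat(send_date)
    local_dt = datetime.combine(send_date, local_time, tzinfo=ZoneInfo(tz_name))
    return local_dt.astimezone(timezone.utc)


def build_schedule(recipients, send_date, local_time=time(11, 0)):
    """List of (utc_send_time, tz_name, addresses), earliest send first."""
    schedule = [
        (local_send_time_utc(tz_name, send_date, local_time), tz_name, addrs)
        for tz_name, addrs in group_by_timezone(recipients).items()
    ]
    schedule.sort(key=lambda entry: entry[0])
    return schedule


if __name__ == "__main__":
    for when, tz_name, addrs in build_schedule(RECIPIENTS, "2024-03-20"):
        print(f"{when.isoformat()}  {tz_name:18s}  {len(addrs)} recipient(s)")
```

Feed each bucket to its own campaign in the phishing platform with the computed UTC time; the DST handling is the part that is easy to get wrong by hand.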

5. Executive Sponsorship

Regardless, some people are going to be annoyed and/or bothered by your phishing tests. It’s just the reality of things. As with almost any security initiative that impacts lots of users, make sure you have executive sponsorship before moving forward. They have your best interest in mind and want security to be successful at the company, so keep them informed. They will also let you know if any issues have been raised at the exec level and be able to remedy them before things get out of hand.


Conclusion

In the end, you want to have tested your entire user population with just one phishing email. You’re not necessarily aiming to get them to open all the emails, but you do want to make the emails realistic and practical. You may make mistakes along the way, but your mistakes will have less impact by utilizing the above.

If this article was helpful to you, consider subscribing to my weekly newsletter, where I share my latest commentary as a vCISO for high growth startups.

Check out how we help startups accelerate and level up their security programs through vCISO (CISO As A Service) and DevSecOps As A Service.
