How can we create a culture of secure behavior?

It’s a busy day in your company and everyone is rushing around trying to respond to requests. Audrey gets an email that looks like it’s from a partner asking her to look into a recently placed order. She clicks on the PDF to check it out. But instead of seeing the partner’s order, she sees a landing page from the company’s security team letting her know she fell prey to a simulated phishing attack. As she looks around the room, she sees that a few co-workers also have stunned looks on their faces.

If real, such a phishing attack could have put your company’s sensitive information—such as usernames, passwords, credit card details or PINs of your customers—at risk. According to data from Kaspersky Lab, phishers launched attacks impacting more than 100,000 people daily last year.

Despite attempts by security software firms to stop them, cybercriminals are getting craftier by the day. A recent scam, uncovered by security firm Symantec, was targeted against users of Google Drive, which is frequently used by businesses for collaboration. Users were sent a message with the subject header “Documents” and directed to a sign-in page that closely mirrored Google’s. After they signed in, users were sent to a PHP script on a compromised Web server. This page then redirected to a real Google Drive document, leaving visitors unaware that their login credentials had been stolen.

Based on the startled looks of the impacted employees, the mock phishing attack that Audrey and her co-workers experienced jolted the system, but did it make the company any safer from cyber threats?

Simulated attacks can’t stand alone
Phishing impacts thousands of companies each year, but it’s not the only issue they face. Malware attacks, physical attacks on company data by outsiders posing as service personnel, and attacks aimed specifically at mobile devices are all on the rise, and they are just a few of the many threat vectors. The mock phishing attack orchestrated by the company’s security team provides a wake-up call but isn’t the only security education solution the company needs. Here’s why:

You have to worry about more than just phishing. Unfortunately, attacks on data don’t stop at users clicking on a link or document in an email from their laptop. For example, access could be gained through a link the user receives via text message, or through information an employee gives out over the phone. Malware can be downloaded through a mobile phone or by clicking something on a perfectly legitimate website.

It only teaches in the moment. Yes, the simulated attack did its job by creating shock factor, but what’s next? How can you reduce the risk of it happening again in the same or a slightly different way? Do employees have actionable information about how to avoid the next attack?

It does not measure vulnerability to all attacks. If employees fell for a mock phishing attack, will they also fall for other types of attacks? How can you understand the complete vulnerability of individual employees?

As you can see, simulated attacks can provide value in assessing vulnerability but don’t provide the complete answer for CISOs. A more complete approach is needed.

However, one big issue that security officers face is that most employees think they are immune to security threats. Despite the high news coverage that large breaches receive, and despite tales told by their co-workers and friends about losing their laptops for a few days while a malware infection is cleared up, employees generally believe they are immune to security risks. Those types of things happen to other, less careful people.

Mock attacks do have certain benefits, however. For example, they can shock complacent employees, even if only momentarily. A simulation causes some people to realize how vulnerable to social engineering they really are. This keeps them on their toes and improves overall security. Most importantly, it may cause employees to pause the next time they see anything potentially suspicious.

Moreover, it can be a motivator for certain people. After mock phishing attacks, employees think “If I’m vulnerable to this, what else am I vulnerable to?”, and that’s a win for the security team. Mock attacks can also help break down walls. They can help create a valuable communications channel between users and security and IT staff. They help people understand that they can report phishing and other potentially malicious attacks to their IT department, even if it turns out to be a false alarm.

Creating the best of both worlds
As we’ve seen, mock attacks can complete part of the security education picture. As part of a comprehensive security education strategy, they become a valuable way to test and measure progress. Employees who are aware of the company’s plan to sporadically conduct simulated events are often more careful overall, adopting an “If you see something, say something” mindset.

However, the overarching goal of any security education program needs to focus on changing the user’s behavior, making him or her less likely to fall for any scheme that will put the company—and its sensitive data—at risk. Mock attacks are a part of this training, but to reach a point where there is a real and lasting behavioral change, a program needs to take into account the entire security picture. This includes:

Understanding different kinds of attacks
It’s natural to focus on how to keep computers free from malware and data safe from phishers, but security training should also include physical security (how front desk staff and other employees should react when an unscheduled “service person” arrives at their door) and phone training (what to do when a caller asks for information that shouldn’t be divulged). These lessons are difficult to teach via a simulated event, but the right training can teach employees to ask questions such as “Can I see your ID?” “Do you have paperwork?” or “Who at my company requested this?”

Protecting different devices
Mobile phones have rapidly become a potential treasure trove of personal data for the cyber criminal. They also represent an easy way to get to end users through social engineering techniques such as fake antivirus, which trick users into paying to get rid of non-existent malware. Android is the OS most under attack; according to a report from security vendor Sophos, since it first detected Android malware in August 2010, it has recorded more than 300 malware families and more than 650,000 individual pieces of Android malware.

Determining if a URL is legitimate or fraudulent
Teaching employees how URLs work is the first step in preventing them from clicking on fraudulent ones even when they are browsing the Internet. In the lower left of most browsers, users can preview and verify where the link is going to take them. Making employees more aware of how to spot fraudulent URLs could help change their actions when they come across those that seem suspicious.
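The hover preview described above is exactly what a URL parser exposes: the host the browser will really connect to, as opposed to the text the employee sees. The following is an added example (not code from the original article) that walks a few constructed link pairs through that check; the "suspicious" rules and the two-label registrable-domain heuristic are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample links: (text the employee sees, href the browser will follow).
SAMPLE_LINKS = [
    ("https://drive.google.com/file/d/abc", "https://drive.google.com/file/d/abc"),
    ("https://drive.google.com/file/d/abc", "http://drive.google.com.documents-review.example/open"),
    ("Review your order", "https://accounts.google.com@203.0.113.10/signin"),
]


def actual_host(url: str) -> str:
    """Host the browser will really connect to (lower-cased, any userinfo stripped)."""
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Last two labels of the host, a rough stand-in for the owner-controlled part.
    Assumption: no public-suffix list, so suffixes like 'co.uk' are not handled."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def explain_link(text: str, href: str) -> dict:
    """Describe what a link really does, the way a status-bar preview would."""
    parts = urlsplit(href)
    host = actual_host(href)
    result = {
        "host": host,
        "registrable_domain": registrable_domain(host),
        "https": parts.scheme == "https",
        # Anything before '@' is userinfo, which the browser ignores when choosing the host.
        "has_userinfo": parts.username is not None,
        "text_host_mismatch": False,
    }
    # If the visible text is itself a URL, compare the host it shows with the real one.
    if text.startswith(("http://", "https://")):
        result["text_host_mismatch"] = actual_host(text) != host
    return result


def suspicious(text: str, href: str) -> bool:
    """Heuristic (assumption): flag host mismatch, userinfo tricks, or plain http."""
    r = explain_link(text, href)
    return r["text_host_mismatch"] or r["has_userinfo"] or not r["https"]


if __name__ == "__main__":
    for text, href in SAMPLE_LINKS:
        print(text, "->", explain_link(text, href), "suspicious:", suspicious(text, href))
```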

Creating strong passwords
Many users think easy-to-remember passwords such as 123456 are “good enough,” not realizing that weak passwords make them a company’s weakest link. Training users how to properly create and store strong passwords, and putting measures in place that tell individuals the password they’ve created is “weak,” can help change behavior.
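A measure that tells the user why a password is weak, rather than just rejecting it, is what the paragraph above calls for. This added example (not from the original article) implements such feedback; the short common-password list is constructed for illustration, and the length threshold and sequence rule are assumptions.

```python
# Constructed stand-in for a breach-derived common-password list.
COMMON_PASSWORDS = {"123456", "123456789", "password", "qwerty", "letmein", "welcome"}
MIN_LENGTH = 12  # assumption: length is the primary strength factor


def is_sequence(pw: str) -> bool:
    """True when every adjacent pair steps by exactly +1 or -1 ('123456', 'fedcba')."""
    if len(pw) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def password_feedback(pw: str, username: str = "") -> list:
    """Return a list of plain-language problems; an empty list means no issue found."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if is_sequence(pw.lower()):
        problems.append("is a simple number or letter sequence")
    if len(set(pw)) <= 2:
        problems.append("repeats one or two characters")
    if username and username.lower() in pw.lower():
        problems.append("contains your username")
    return problems


def is_weak(pw: str, username: str = "") -> bool:
    return bool(password_feedback(pw, username))


if __name__ == "__main__":
    for candidate in ("123456", "audrey2024", "correct horse battery staple"):
        print(repr(candidate), "weak" if is_weak(candidate, "audrey") else "ok",
              password_feedback(candidate, "audrey"))
```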

Overall, if a company is going to arm its end users to help keep its data secure, it has to do more than run occasional mock attacks. Simulated attacks work best when done as part of an overall security education plan whose benefits are well articulated and understood, with the end result being a positive change in employee behavior. In this environment, they can be very valuable to a company, providing data that helps elucidate the true vulnerability of a company and its employees.