Phishing for clickers

Dr. Christopher Pierson describes the Viewpost project that won a 2015 CSO50 award


How do you roll out a long-term program that is designed to reach every employee, change their security behavior, and do so without alienating employees or creating needless churn? With the lofty goal of cutting phishing victims from over 80% to fewer than 5% through nearly bi-weekly campaigns, it takes a special team and a special company. That is what Viewpost did over the course of two years!

By engaging our executive leadership team and key stakeholders, by developing a path to security testing and education, and by providing governance tied to key performance metrics and feedback, the team was able to engage not only its leaders and managers but the whole company in a truly unique way. Our objectives were achieved through: (1) transparent governance and buy-in, (2) real testing and education in a friendly but competitive manner, and (3) seamless technology and great people, allowing for program growth and partnership. Let’s take a look at each of these areas.

First, the security team was transparent about its phishing tests, their design, its short-term and long-term goals, and the metrics it developed to tie each scenario to real-world incidents. By engaging the Director of HR, General Counsel, and CEO at an early stage, we ensured that phishing campaigns would not offend our employees, create human resources issues, or breed negativity or a “gotcha” syndrome within the company. The company also used its monthly Executive Risk Management Committee (ERMC) to review phishing statistics and repeat offenders and to discuss the effectiveness of the campaigns.

Sometimes the team would be told to up its game with the scenarios, even though the statistics showed those scenarios were already netting many clicks. By opening ourselves to review in a transparent manner, we not only made the team better but also won the buy-in of those who reviewed these risks.

Second, and most important: it must be fun, and a little competition never hurt. Every once in a while you could hear an “Oh, darn!” (or worse) from the open space, and sometimes another executive would send us a “No fair!” (definitely worse), but not clicking on emails expressly designed to trick people became a source of pride.

How can this be fun, you ask? Gamify it: engage every employee to draft their own phishing email designed to lure their cohorts, award points based on how many people click, load everyone up on gummy worms, and give cash prizes to the most devious. Everyone wins! We also used special t-shirts to reward those who spotted real phishing emails. Additional educational efforts included videos, handouts, screensavers, and other tools to reach the whole company. After all, we’re a team of one. The support of a great marketing and brand department cannot be overstated, as they are the ones who help us achieve this cool factor, too.

Finally, using good technology to conduct multi-tiered, complex phishing campaigns is critical. There is a growing list of options available, but the key requirements for this effort are the ability to drill down to individual user behavior, to aggregate statistics across campaigns, and to administer campaigns in a way that works right out of the box. Technology that makes it simple to build more sophisticated and challenging campaigns, and to give users immediate feedback when they click, makes the process easy to repeat. Of course, technology can only get you so far, so we arrive back at teams and individuals partnering to propel the company and its security to the next level.

Designing a program for success, empowering people to deliver on their mission, educating the company while ensuring everyone feels ownership in the outcome, and making it fun are lofty goals. But they can be achieved by a one-team approach, great people, and a vision!

About the Author

Christopher Pierson, Ph.D., J.D., serves as the EVP, General Counsel and Chief Security Officer for Viewpost. In this role, he is responsible for corporate security and legal/regulatory risks including all cybersecurity, fraud, intelligence, audit and its legal, compliance, regulatory, anti-money laundering, information assurance, and privacy programs. Dr. Pierson also serves as an appointed member for the Department of Homeland Security Data Privacy and Integrity Advisory Committee and Cybersecurity Subcommittee providing advice and guidance to the Secretary and Chief Privacy Officer on policy, operational, strategy, and technological issues affecting our country’s national security interests.
