Healthy security cultures eat lots of phish

Our company got hit with the Google Docs phishing scam along with many others. Our security culture protected us from harm.

Michael Kan

Our director of marketing caught the first one. "Hey, check this out," he wrote at the top of the forwarded email. Beneath was a quick message letting him know that one of his contacts had shared a Google doc with him. The email looked squirrelly, not least due to a recipient email that was nothing but a string of h's.

It's always great when someone in the company forwards a suspicious email to me, especially since that's what I've asked everyone to do over a year-long course of phishing awareness training. But the director of marketing is very tech savvy and has a security background of his own, so I would have expected nothing less.

I hadn't seen any weird emails myself, but as I looked into the forwarded note, there were the first rumblings on the internet of what quickly turned into the Google Docs Scam. But several funny (and quite gratifying) things happened as I started crafting my warning to our users.

First, I got beat to the punch

In the 30 minutes after I got the first forwarded email, I received half a dozen more from people all over the company, most of whom have little security background. They were not aware of the Google Docs scam, but they did know a hinky email when they saw one in their inbox. From our sales managers to our CEO, different people forwarded emails they were receiving and wanted to know if they were legit or if I (or someone else) was trying to phish them.

I've been conducting quarterly phishing tests within the company since I began as CISO. There's simply no excuse not to, even for a budget-constrained startup, given that free simulators are available, as well as open source and commercial testing platforms from companies like Duo Insight and KnowBe4. We were even more fortunate in that several of our phishing tests were built around Google Docs, so our users were even more sensitive to the vector leveraged by this latest attack.


Second, everyone started talking

When I confirmed to our CEO that this was a phishing attack, he immediately asked if I could get the word out to the entire company so that people knew what was going on. Turns out, people were already discussing it. Emails were being traded and our Security Slack channel was lighting up with links and comments. Articles were being shared and people were talking about it to each other, not just sending them to me.

My friend and sometime collaborator Masha Sedova believes that measuring security awareness is about much more than just counting how often people take training. You have to have tangible changes in behavior, preferably ones that are self-perpetuating even when security folks aren't around to demand them. I couldn't agree more. Watching my own team go from limited awareness to spontaneous security conversations without my intervention was awesome, and showed that our awareness efforts are working.

Finally, no one clicked

As the word spread, I knew I had to focus on those folks who might have been tricked into clicking on the link. I usually catch a few people in our simulated phishing attacks, and I figured this real-world drill would likely snare at least one or two users. Shaming and punishing folks isn't in our cultural DNA, so I made sure to ask everyone who might have fallen for the attack to reach out to me and promised I would help them set things right.

So far, no one has been caught by the scam. In fact, our biggest problem was that people became paranoid and stopped clicking on any links in their emails, even the ones that I had sent informing them about the phishing scam. In some cases, this cost me a few minutes of explaining that the links I sent out about the scam were not themselves a phishing attack. But I much prefer erring on the side of caution in these situations, so I was fine with it.


Culture eats strategy for breakfast - turns out it also eats phish

From the day I started, our executive team's primary goal was to create not just a security program worthy of our company, but a security culture worthy of it. Culture grows slowly, and you can't know how you've done until months or even years after you start. I was just getting ready for another round of quarterly phishing tests when the Google Docs scam hit. Now I'm thinking maybe my team deserves a pass this time around. But rest assured, I'll be back to serving them phish again next quarter.

Copyright © 2017 IDG Communications, Inc.
