Lance Spitzner is a sneak.
His job as an awareness officer is to catch employees engaging in risky IT security behavior, and he’ll do almost anything to snare you.
Which is how he found himself on his first assignment as part of a team reporting to the board of a company on the results of a test of whether employees were following safe password creation policy.
Up on a wall were flashed the names of all who failed. One of them was a board member. His password was his secretary’s name – the secretary with whom he was having an affair.
It’s one of the lessons Spitzner, now an awareness program trainer with the SANS Institute, says he’s learned over the years: Don’t do things that might embarrass people. If someone fails an awareness test, tell them privately.
“A lot of times I see awareness metrics programs fail not because of technology, numbers. It’s because they forgot people have feelings,” he told the SecTor 2014 security conference this week in Toronto. “The whole idea behind a metrics program is not to have people resent it, because you’re measuring them, but to actually like it.”
No matter how many firewalls, gateways and intrusion detection devices CSOs install, arguably the biggest way an organization can protect itself is with a workforce well trained not to engage in risky behavior, like plugging in USB keys found in a parking lot, creating easy-to-crack passwords, not updating or patching software, and clicking on obviously suspicious email links.
Which is why many enterprises do regular awareness testing. Sometimes a member of the IT security staff creates the test, although for phishing tests there are a number of cloud-based providers who can be contracted to do it as well.
One of Spitzner’s rules is to always tell staff the company has an awareness testing program. That won’t foul up the test metrics, he said. In fact, the point is you want staff to become aware. More importantly, the program should not make people feel that if they fail once they will be publicly humiliated (see above) or lose their jobs.
At the same time they have to know there will be consequences for regularly failing a test. One large U.S. government department, for example, sends out 10,000 phishing tests a month to see who will fall for the lure and click a link. On the first failure the person is told and has to re-take a training course. On the second consecutive failure the person’s boss is told. On the third consecutive failure the boss has to have a talk with the staffer. A fourth consecutive failure is reported to human resources.
The kind of test also has to be well thought out. For a phishing test, don’t send out links to free Viagra or Russian bride Web sites, Spitzner said, in case it’s your supervisor who falls for it (one of his did).
Nor should the name of a company employee be used to add authenticity to the lure. And don’t do what someone in the U.S. military did once, which was to try to get people to click on a link in a message purporting to alert staff of a problem in their pension plan. (It caused chaos because word spread).
To start a phishing test, send a simple email that should be easy to spot — like “See more of the world. Click here to get 12,000 bonus miles,” complete with an image of a beach. The clue is no airline is mentioned.
Before doing a test, let senior managers know it’s coming. Legal and HR departments might object, Spitzner said. This might be overcome by running a test on them and showing what it’s about. If necessary, don’t collect the names of those who fail, just the metrics.
For phishing, there always has to be a way for a viewer to determine it’s a phony. At first make it obvious: misspellings, a message that has a sense of urgency (“This offer only good for 12 hours”), or a request for information the reader shouldn’t have access to. Then over time make it trickier — when the number of victims drops, or when IT gets email like “That message was too easy.”
Those who fail a test should be told within 24 hours, Spitzner said. Don’t worry if they then spread the word to colleagues. First, assuming the organization is at least medium-sized, a good test should be spread over a day or so. Second, you want people looking for suspicious things – in fact, one metric is how many people report a phishing attempt. “This is a huge win for you,” he said. “People are the most effective detection system.”
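The consecutive-failure escalation ladder described above, together with the click-rate and report-rate metrics Spitzner recommends, is easy to get wrong if a pass does not reset the streak. The following is an added example, not code from the article or from any of the programs it describes; the tier wording, the employee names and the campaign outcomes are all constructed for illustration.

```python
from collections import defaultdict

# Escalation ladder from the article (a large U.S. government department's
# policy): the action after N consecutive phishing-test failures.
# The wording of each step is a paraphrase, not the department's own.
ESCALATION = {
    1: "tell the employee privately and assign retraining",
    2: "inform the employee's manager",
    3: "manager has a talk with the employee",
    4: "report to human resources",
}

# Constructed sample results for three monthly campaigns, oldest first.
# Outcomes: "clicked" (fell for the lure), "ignored", or "reported" to IT.
SAMPLE_CAMPAIGNS = [
    {"alice": "clicked", "bob": "clicked", "carol": "reported", "dave": "ignored", "erin": "clicked"},
    {"alice": "clicked", "bob": "ignored", "carol": "reported", "dave": "clicked", "erin": "reported"},
    {"alice": "clicked", "bob": "clicked", "carol": "reported", "dave": "ignored", "erin": "reported"},
]

def escalation_action(consecutive_failures):
    """Map a run of consecutive failures to an escalation step; the ladder tops out at HR."""
    if consecutive_failures <= 0:
        return None
    return ESCALATION[min(consecutive_failures, 4)]

def process_campaigns(campaigns):
    """Walk campaigns in order, tracking each employee's consecutive-failure streak.
    Returns (actions owed after the latest campaign, per-campaign metrics).
    A pass (ignored or reported) resets the streak, so only consecutive failures climb."""
    streak = defaultdict(int)
    metrics, latest_actions = [], {}
    for results in campaigns:
        total = len(results)
        clicked = sum(1 for o in results.values() if o == "clicked")
        reported = sum(1 for o in results.values() if o == "reported")
        latest_actions = {}
        for emp, outcome in results.items():
            if outcome == "clicked":
                streak[emp] += 1
                latest_actions[emp] = escalation_action(streak[emp])
            else:
                streak[emp] = 0
        # Report rate is the "huge win" metric: staff acting as the detection system.
        metrics.append({"click_rate": clicked / total, "report_rate": reported / total})
    return latest_actions, metrics

def should_increase_difficulty(metrics, max_click_rate=0.10):
    """Signal to make the lure trickier once the victim rate has dropped enough."""
    return bool(metrics) and metrics[-1]["click_rate"] < max_click_rate
```

The 10% threshold is an assumed cut-off; the article only says to raise difficulty "when the number of victims drops".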
Awareness tests can reveal interesting behavior. One phishing test Spitzner did in one organization found that most of those who failed were mobile users – they checked email on their smartphones, not desktops. They knew to hover the cursor over suspicious links with a mouse, but didn’t know how to do it on a smartphone. (There’s a way.)
“If you approach it right, and make it fun, people understand you’re not out to trick them and you’re not out to break their career, that you’re out to help them, they really buy into it,” Spitzner said.
One more thing, he added: “You’ll know you’re an effective security awareness officer when no one in your company trusts your email.”