Best Practices for a Mature Phishing Program: Webinar Takeaways & Recording

Posted by Living Security Team
July 29, 2022


How effective is your phishing program? Is your program dynamically changing to ensure your team is continually upping their game and improving their vigilance against cyber attacks?

On July 28th, our featured guest Geoff Parker presented his best practices for a mature phishing program.

Geoff, the Principal of IT Security Awareness and Training at a Top 5 healthcare insurance provider, holds a Ph.D., an MS, the SSAP, and eight GIAC (Global Information Assurance Certification) credentials from SANS. He's also the author of a GIAC Gold certification paper on building intelligent, automated tiered phishing systems.

In this webinar, Geoff met with Senior Customer Success Manager Nick Marchiselli to discuss how to go beyond a basic phishing awareness and training program to one that meets users at their individual skill levels, while generating the data you need to assess human cyber risk across your organization.

Some of the key takeaways from this webinar include:

  • Don’t just “set it and forget it” for all users - build a plan to continually change and improve the program so that it gets harder and harder depending on a particular group's skill set.
  • Create groups that are working towards a “black belt” - like karate, there’s a different amount of expertise required to go from yellow to green belt than from brown to black belt. Build a phishing program that matches your users' skill level by setting up specific groups of users that dynamically change after every phishing test.
  • Leverage a Security Champions Program - to drive participation and engagement in your phishing program, build a Security Champions Program. You can find best practices for building an effective champions program on our blog.
  • Conduct regular training that keeps up with phishing attacks as they evolve - phishing attempts continue to get smarter and look more realistic, and they aren’t just coming via email: they also arrive via text, phone calls, social media messages, and more. If you need help coming up with new training content for your team, check out Living Security Content; our content is updated monthly and can supplement your existing training program.
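As an added illustration of the tiered, dynamic-group approach summarized above (example code written for this page, not the speaker's production system or any simulation vendor's API), the following Python encodes the rules the webinar describes: whole-number, non-overlapping phish-prone-percentage ranges so nobody lands in two groups, a tenure and baseline gate for new hires before the tier rules take over, and a rebalancing pass after each simulation cycle that moves users between tiers. The tier cut-offs, campaign names, cadence values, sample users and helper names are all assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Tiers are inclusive, whole-number, contiguous phish-prone-percentage ranges:
# every value 0..100 lands in exactly one tier, so no user is in two groups.
# These cut-offs are assumed for this example, not the speaker's production tiers.
TIERS = [
    ("T00", 0, 0),      # never failed a simulation
    ("T01", 1, 5),
    ("T02", 6, 10),
    ("T03", 11, 20),
    ("T04", 21, 30),
    ("T05", 31, 40),
    ("T06", 41, 50),
    ("T07", 51, 60),
    ("T08", 61, 80),
    ("T09", 81, 100),   # fails nearly every one
]

# Adjacent tiers share one campaign (template difficulty band); names are assumed.
CAMPAIGNS = {
    "expert": ["T00"],
    "advanced": ["T01", "T02"],
    "intermediate": ["T03", "T04", "T05", "T06"],
    "beginner": ["T07", "T08", "T09"],
}
ONBOARDING = "onboarding-baseline"  # new hires: weekly sends until a baseline exists
MIN_TENURE_DAYS = 30                # assumed gate, matching the webinar's 30 days
BASELINE_SENDS = 4                  # four sends, one a week, to establish a score
SAMPLE_TODAY = date(2022, 7, 28)    # fixed "today" for the constructed sample data


def validate_tiers(tiers):
    """Raise ValueError on decimal bounds, overlaps (5-10 after 1-5) or gaps."""
    ordered = sorted(tiers, key=lambda t: t[1])
    expected_low = 0
    for name, low, high in ordered:
        if not isinstance(low, int) or not isinstance(high, int):
            raise ValueError(f"{name}: whole-number bounds only")
        if low != expected_low or high < low:
            raise ValueError(f"{name}: {low}-{high} overlaps or leaves a gap at {expected_low}")
        expected_low = high + 1
    if expected_low != 101:
        raise ValueError("tiers must cover 0-100 exactly")
    return ordered


def tiers_are_valid(tiers):
    try:
        validate_tiers(tiers)
        return True
    except ValueError:
        return False


@dataclass
class User:
    email: str
    hire_date: date
    sent: int = 0
    failed: int = 0
    group: Optional[str] = None

    def phish_prone_pct(self):
        """Whole-number failure rate; None until at least one simulation was sent."""
        if self.sent == 0:
            return None
        return round(100 * self.failed / self.sent)


def assign_group(user, today, tiers=TIERS):
    """Apply the two rules: tenure/baseline gate first, then the percentage range."""
    tenure_days = (today - user.hire_date).days
    if tenure_days < MIN_TENURE_DAYS or user.sent < BASELINE_SENDS:
        return ONBOARDING
    pct = user.phish_prone_pct()
    for name, low, high in validate_tiers(tiers):
        if low <= pct <= high:
            return name
    raise ValueError(f"{user.email}: no tier for {pct}%")


def campaign_for(group):
    if group == ONBOARDING:
        return "onboarding"
    return next(c for c, members in CAMPAIGNS.items() if group in members)


def record_result(user, failed):
    """A click, attachment open, reply, macro enable or QR scan all count as failures."""
    user.sent += 1
    user.failed += 1 if failed else 0


def rebalance(users, today):
    """Re-run the rules after a simulation cycle; return the groups and the moves made."""
    groups, moves = {}, []
    for user in users:
        new = assign_group(user, today)
        if new != user.group:
            moves.append((user.email, user.group, new))
            user.group = new
        groups.setdefault(new, []).append(user.email)
    return groups, moves


def next_send_date(group, last_sent):
    """Weekly while building a baseline, monthly once the tier rules take over."""
    return last_sent + timedelta(days=7 if group == ONBOARDING else 30)


def sample_users():
    """Constructed sample data for the example, not real users."""
    return [
        User("alice@example.com", SAMPLE_TODAY - timedelta(days=400), sent=12, failed=0),
        User("bob@example.com", SAMPLE_TODAY - timedelta(days=200), sent=10, failed=6),
        User("carol@example.com", SAMPLE_TODAY - timedelta(days=10), sent=2, failed=2),
    ]


if __name__ == "__main__":
    people = sample_users()
    print(rebalance(people, SAMPLE_TODAY)[0])
    for _ in range(3):
        record_result(people[1], failed=False)  # bob passes three in a row
    print(rebalance(people, SAMPLE_TODAY)[1])    # bob improves from T07 to T06
```

The overlap check is the "5 to 10 versus 6 to 10" gotcha from the talk turned into a hard error: a tier list with a shared boundary or a decimal bound is rejected before any campaign is built, rather than surfacing later as one user receiving two simulations in the same cycle.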

Read the full transcript below:

Nick Marchiselli:

All right. Well, I guess with that, we might as well get started here. A couple of housekeeping items, just up front: we will be recording the webinar. You'll be getting the recording later this week from us. All of the recorded sessions, including past recordings, are on our website. Please check out the Resources page; there might be something there that's useful for you.

Nick Marchiselli:

Now that we've gotten the chat fixed, like you've seen, we've got a poll up already. We really want this to be an engaging session. Please chime in in the chat. I'll be watching it as we're talking. Ask questions; we'll have time at the end for them. We'll also be raffling off some swag packs to a few of the engaged members here. Please get involved.

Nick Marchiselli:

My name's Nick Marchiselli. I'm a senior CSM here at Living Security, former client, also former speaker in this webinar series. I'm really excited to be sitting here today with Geoff Parker, colleague of ours. Geoff has been in the healthcare insurance industry and overall the cyber security industry for quite a while. He's a real veteran and has seen and worked through a lot of strategies that at the end of the day, really mitigated risk for his organization.

Nick Marchiselli:

Geoff, you've built quite an efficient program. That's really the theme here today: talking about maturing a phishing program. One of the things that you've talked to me quite a bit about is your tiered phishing program. I'd love to hear a little bit about what a tiered phishing program is, how you've built it and how the people on the call today could go ahead and build that on their own, regardless of what vendor they're using, what technical skills they have, et cetera.

Geoff Parker:

Awesome. Nick, you're doing it all for me here. Yeah. That sums it up really well. Thank you very much for the invite. I'm very pleased to be here. 

Geoff Parker:

The secret sauce to building the phishing program that we built where I work is, first of all, the desire to have it. Second of all, a couple of simple elements to make it all work. That's the secret sauce. Believe it or not, Nick, it is not a proprietary recipe. I'm going to share the secret sauce with you guys today, because really I think we should all be able to do it and everybody can.

Geoff Parker:

As you said, what we came up with is platform agnostic. It all started one day about probably six months after I started my current job, when my boss came up to me and said, "Do you think there's any way to keep track of what level people are at in their phishing abilities and make something that could dynamically move them between different levels so we could keep track of it and the system could automate it?"

Geoff Parker:

I said, "I don't know, but it sounds like a lot of work. I'm willing to try if you are willing to dedicate some of my time to it." He said, "Yeah." I got my two favorite risk analysts together that I'd inherited the program from. I was building up our very robust program: security awareness, education, and training.

Geoff Parker:

We sat down and we did some block and tackle whiteboarding where we got people to move very simply between levels. But there was a problem. First of all, there were only three levels, beginning, intermediate, and advanced, which didn't really model the accurate picture where people were, and it didn't match the basic levels that people use in phishing difficulty. There are five, not three.

Geoff Parker:

The other problem is they only went one direction. From that I said, "Okay." I took it to my boss. He said, "Yeah. Yeah. A for effort. You're on the right track. This isn't really going to work for us. We need something a lot more robust." I got my buddies back together pretty shortly, left them in the dust. Over the course of about ... Well, they were risk analysts. They weren't professionals, security awareness professionals.

Geoff Parker:

Over the course of six months to a year, we actually managed, mostly me, when I say we it's I, to put the program together. How it ended up working was that traditional phishing programs phish people based on something static, not dynamic: a division, an office, a team, an area where they were geographically.

Geoff Parker:

When they build a campaign, they literally go through and pick templates at random and throw them at those static groups, whatever the group is, however it's designated.

Nick Marchiselli:

That's what I always did, Geoff.

Geoff Parker:

Yeah. I mean, that's the way it's always been done. I said, "No. What we want to do is establish something that gives people a level of ability. How good are they? What have they been catching? What have they been missing?" In most platforms, people of ... whatever the platform is, people get some kind of a phishing percentage score, maybe what you'd call a phish-prone percentage.

Geoff Parker:

Do they click? Do they open attachments? Do they reply? Do they scan QRs? Do they enable macros? Whatever the failures are, we're keeping track of them in some way. That's the percentage level that users are at. If they start with zero, which means they've never been caught, those are your perfect users. They go all the way down to "We don't want to talk about."

Geoff Parker:

These are the persons that just can't stop clicking. They walk out of the training sessions going, "Don't click. Don't click." But they still click. The system that I put together, essentially, instead of targeting people in static groups, creates dynamic groups and it assigns the users based on their level of phish proneness to these groups.

Geoff Parker:

Then you need a rule. A rule has to be able to move people between groups automatically: up and out if they pass and they keep passing, they get better, or their score stays the same, but there's a history. If they get worse, they drop down, et cetera. Well, we managed to create that very simply using just a few straightforward rules on any platform that has the ability to create smart groups or dynamic groups, whatever they call them, and has the ability to create rules.

Geoff Parker:

They're very simple rules. This is not one of those things where people should shout from the computer screen going, "I can't do rules. I'm not a programmer. I'm a security person."

Nick Marchiselli:

They don't all need a master's degree.

Geoff Parker:

Don't need a master's degree. Whether you've got one or not, you don't need it. In this case, all you need is a couple of simple rules and here's the secret sauce. Okay. The secret sauce is you select a range of phish prone percentage for the users and create the group around that. If you want to do your zero percenters, you create a very simple rule, has got to equal zero percent.

Geoff Parker:

Then the other thing you've got to have is a date component, because you can't start phishing brand-new people at a company. They have no history. You don't know what their percentage is. We had to build a second component. The rule for each of these groups is they've got to have been at the company for at least 30 days.

Geoff Parker:

You say, for example, "Okay. Starting on day one, I'm phishing these people four times, once a week for a month." That will establish a baseline score. Honestly, we don't care what the score is, good, great, sucky, whatever it is; they've got a score. Then after 30 days, our rule set takes over in those dynamic groups. It will automatically move people because they are now more than 30 days into a certain tier and they'll either improve or they'll stay the same or they'll drop down, whatever.

Geoff Parker:

What is the big important part of this? It allows for progressive training and learning as compared to random. One month you get "We're going to post your Facebook account," and the next one you get BEC, or something. Bottom one, that's it.

Nick Marchiselli:

Yeah. I love this idea of if you were in karate or Taekwondo, the test to move from a white belt to the next belt versus a brown belt to a white belt, they're different. You're creating a test that fits the level where people can be.

Geoff Parker:

Exactly. Allows them to build on that, okay. Last month you got a really hard one, this month we're going to give you something even harder to see if you can advance or keep you at that really tough level, or we're going to give you a phish of the week, or we're going to give you a real phish we got and make it benign and send it to you and see would you fall for it or whatever it happens to be.

Nick Marchiselli:

Yeah. You talked about new hires. Maybe you need to do four tests in a month to get that baseline. Then moving forward, I'd be curious, what is your cadence? Actually, we have a poll here. I'm curious what people think is an appropriate cadence. I'd also love to hear about what do you say to the people who push back on an increased cadence?

Nick Marchiselli:

There are a lot of stakeholders at play from your role, HR, corp com, you name it, IT. What do you say ... One, what is your cadence, too? What do you say to those who are pushing back on an increased cadence?

Geoff Parker:

Well, for the increased cadence is really only for the new hires. They're going to click on anything anyways. That once a week for four weeks is literally just to establish the baseline. After that, what we do is monthly. Other organizations, they may go bimonthly. They may do every six months. They may do quarterly. They may round robin if they're from a big organization. It depends on what's going on.

Geoff Parker:

When I say big, I mean, if you're over 10,000, it's pretty much getting up there. If you're into any wide 120,000 or something like that, okay, yeah. You're going to be doing a lot of phishing all the time. But the long and the short of it is we have an enterprise security committee. We didn't get any pushback at all. They loved it. They embraced it. They were thrilled.

Geoff Parker:

It's been running now. I think we're going into our third year now that we're operating. It's 24 months with actual production data. It's that ... The wonderful thing for me is I was completing a master's degree as I did this and thanked the maker that my advisor said, "Hey, this tiered phishing thing you're doing, that would be a really good research project. We could approve that."

Geoff Parker:

That was like, "Really? Okay. I'll do that." Since I happened to have all the data, and then as soon as I got permission to essentially mask it all and present it, that was phenomenal. But then proving statistical significance, i.e. it works. It was phenomenal. Since then, on presenting it at some big security summits and stuff like that, I've done some consulting with really big companies out there that heard about it, wanted to try it, and now they're using it, and the same results we're getting.

Geoff Parker:

It's really, really cool in a way to come up with that, be able to make it work, see the difference, statistically prove the difference, and then just keep rolling. It's great.

Nick Marchiselli:

We're actually ... We're getting lit up with questions already, Geoff. Instead of waiting until the end, I want to dig now, since they fit right into this tiered conversation. Some people have been asking a little bit about the mechanics of the automation. You talked about your rule set where you ... maybe you gap 0% to 33%, 33% to 50%, 50% to 67%, 68% to 100%. Some people have asked about how the automation works, the mechanics of it.

Nick Marchiselli:

I'd imagine that is different depending on what simulation tool you're using, if you're doing like a CSV load, et cetera. But if you just do a quick couple minutes on that.

Geoff Parker:

Sure. Okay. The first thing is you've got to build the tier based on levels that are going to work for you and where your numbers are. For us, I discovered very quickly, we had close to 75% of our users in 0% or 1% to 5% failure. They were really good. The rest of them, about 25% varied from good to really bad.

Geoff Parker:

We wanted to build tiers that took into account exactly where people were and get granular, but not crazy, because otherwise you're going to end up with mega tiers. You don't want that. What we did was create about 15 tiers ranging from zero to low percentages, to the intermediate groupings, to the beginners, or the really bad people from anywhere from 50% to 100% percent.

Geoff Parker:

However, that sets the level where they're at; that creates the actual tiers. When you build phishing campaigns, you don't phish each tier individually. For, say, the zero percenters, you've got to phish them individually. But then you can start grouping. We had a lot of users in 1 to 5 and then in 6 to 10. We did them separately. But intermediate, I've got five groups and an intermediate campaign that we launched. That covers everybody from 20 all the way up to 50 or 60.

Geoff Parker:

Then for the next tier, for the beginners, it's everybody from 60 to really bad, up to 99, where they fail every one. It's not as bad as it sounds. The words of wisdom I would give people here: it's really simple to set the rules up and create the groups. By the way, it doesn't obviate static groups you already have. For example, I didn't whack all our different offices and say, "Ah, we don't need these groups anymore on tier."

Geoff Parker:

Instead what I did is I kept them all because you never know when you're going to need them. We might need to do a targeted phishing for a group or carrier or division or team or whatever it happens to be. We kept them. However, when we designed the campaigns, the campaigns are based on the tiers.

Geoff Parker:

By the way, part two of that, in addition to keeping it simple and not going crazy making the tiers, is you can clone these things: either you can set them on automatic and just let them run monthly or whatever your sequence is, which is wonderful, or what I do is I just clone them.

Geoff Parker:

The reason I clone them is to double check monthly, everything's working right. But also our platform has new templates every month. We are using close to 4,000 templates a month. Because of that, I take the time to go through all the templates and make sure that ... It doesn't take that long. It probably takes me 30 to 60 minutes.

Geoff Parker:

However, it's all the new ones since the last time we did a campaign. It's not logarithmic, but it's a logarithmic progression. Essentially that way we don't put in anything that's going to be seen as offensive or against policy, like we threaten their jobs or they're getting something from HR, or their health, or anything like that. We've got a few forbidden topics. Just go through and make sure that if somebody gets that, we're not going to get in trouble, essentially.

Geoff Parker:

It gives me a good housekeeping thing to make sure everything's right. The groups are working as expected and everything after this long. I mean, if we had problems we'd know. But there are a few gotchas and we can't go into it at this timeframe really in detail. But some of the gotchas are like people tend to get ... I've had that happen in two people ... two companies I've consulted with where they got really granular.

Geoff Parker:

They wanted to do, instead of 1% to 5%, like 0.9% to 5.6% kind of thing. I'm like, "No. Don't do that. You're creating pain for yourself and it's not going to work." Part of the reason why it doesn't work is inevitably you will have people in more than one group if you start using decimals. I said, "Whole numbers only, and increment the number. You do 1 to 5. Your next group isn't 5 to 10. It's 6 to 10."

Nick Marchiselli:

Yeah.

Geoff Parker:

Why? Because if you do 5 to 10, you're going to have somebody in two groups and getting so many phishing emails, and that’s not good. But if you set up a program that is learn-as-you-go, you’re in better shape. I've got some great cheat sheets I made for people wanting to set up a program where literally it's: don't do this, don't do this, and absolutely do that.

Nick Marchiselli:

I'm curious. You just mentioned how many simulations you're sending out. One thing I learned is that a strong relationship with your SOC or your incident reporting team is really important here between setting up the actual phishing reporting button that you're going to use, informing them of upcoming simulations, things like that.

Nick Marchiselli:

What are a couple of learning moments you've had in working with those teams that you could share with a few people that as they up their cadences or they increase the difficulty of campaigns, things that might come up with the SOC? Geoff, just to share with you, by the way, the poll on cadence, most people seemed to be doing monthly simulations here.

Geoff Parker:

Cool. Yeah. I think I saw it pop in. Matter of fact, I was talking; it's whatever. Okay. The SOC is your best friend and the incident response team is your really good friend, especially when people start going crazy with a report phishing button. Now, I wrote a paper about triage and phish reporting buttons, and the users tend to ... Once they get acculturated to using them, they'll use it as an easy button. That's a bad thing because your SOC teams can get overloaded very quickly.

Geoff Parker:

Having that is good. But if you have a backend that actually automates the process of responding to a phish reporting button, that's gold, and that's really important, as is your relationship. Your close, intimate relationship. I know. You know what I mean, Nick, with your SOC team and your responders and senior management, [inaudible 00:21:55] everybody who's up the ladder that is going to get one of these, too.

Geoff Parker:

At my enterprise, there are no exceptions, including the CEO and everybody else on that. We don't make any exceptions. We don't even make exceptions for my testing team. I did a small cadre of testers so that every month when we're about to launch, I don't have a gotcha because somebody updated 365 or our defense in depth and it broke something.

Geoff Parker:

We do the testing every month as opposed to automatically launching because I've seen lots of cases where, "Oh, yeah. Yeah. They're not working at all. They're just getting dumped." It's really, really important to have those relationships. They need to know what's going on, but I also believe they got to get tested like everybody else.

Geoff Parker:

At least in my organization, they're very good-natured about that. I think it doesn't hurt to be very supportive of them and their efforts and to make sure that if you start launching these things and people start responding, you are there when they need you to help with what is going on, or [inaudible 00:22:59]. It's one of our campaigns. Didn't [inaudible 00:23:03] an email.

Nick Marchiselli:

We actually just got a question from Gary, which is in the direction I wanted to take that conversation here. The whole theme of this is program maturity and growth. How do you take your phishing program to the next level? We're talking about a culture of reporting, not just an easy button. What are some things that have helped grow that culture? Is it an award program, recognition on reporting? What are some of those things that may help program owners out there as they think about their own programs?

Geoff Parker:

I think whatever you can do to socialize and create a culture of good cybersecurity hygiene, and top of mind awareness is a wonderful thing. If you are in a lucky position where you can have ambassadors and champions, some form of program like that, all the better. You've got to have support of your direct management, senior management, the CSO, the CIO, and everybody up line, or your efforts are going to get rebuked and rebuffed and you won't get a lot of things.

Geoff Parker:

The other thing is, and I know we're not in a great time of the world for this economically, but swag really helps. If you give them stuff they really want or can't get otherwise; we used challenge coins. When people did something really good, especially reported a genuine phish or used the reporting button a lot or hit a milestone or something or went up a tier from 1 to 0 or something or 10 to 5, that kind of thing, we rewarded them.

Geoff Parker:

We did a bunch of nice things. We did the challenge coins, which were really pretty ... Those suckers are heavy. They were pretty nice.

Nick Marchiselli:

I think there's some weight to them.

Geoff Parker:

They've got some weight [inaudible 00:24:49]. We did security blankets. Oh, my God, those were in high demand. We didn't let people just ... You had to get awarded that. You had to win it for doing something. You couldn't just say, "I want to buy one." No, you can't buy one. They're not for sale. We did a really cool incentive program where people did good in the phishing program and took their ... We also do a monthly cybersecurity awareness training video, for example. They did both of those.

Geoff Parker:

They would get a Kindle Fire monthly. There was a drawing for that. If they passed the security video and took it in the first week, that popped our numbers way up there. There were a number of different things. But above and beyond all things, because they're just things when it comes down to it, when I got to where I work, the program was being run by risk analysts.

Geoff Parker:

There wasn't really a cybersecurity awareness program. That's why they brought me in to build one. The people who were sending out informational emails and stats and things like that, they were afraid to even sign their name to these emails because they get people writing back in all caps or literally yelling at them or bad things happen. Again, I know you've experienced some of that personally.

Geoff Parker:

The bottom line of it is when I got there, I said, "I'm going to be an ambassador myself from IT security to the rest of the company, because if we're not friends, no one's going to help me with anything. They got to know they got a front report." I put my name on absolutely everything. I made a mistake. I owned it.

Geoff Parker:

Now, I sent a bunch of VPs the wrong departments for all their users. They wrote back when I was reporting on stats and said, "These aren't my people." I was like, "Oops. Yeah. They are. I just put the wrong departments on. My bad." But the fact that I was out there, doing articles and live presentations, live training when somebody got stuck, even if it wasn't my job, I really went the extra mile to help them out and at least get them to the right resource they needed.

Geoff Parker:

All of these things made a difference. I think you've got to really have some skin in the game to make it really talent and make a difference. That's at least my approach. You've got to have something that people like, people will do, people are interested in. You've got to make sure they know there is a real human being behind that mailbox that is going to fight for them and be there for them, and that we're not trying to catch them or track them with these phishing simulations. We're trying to protect the company.

Nick Marchiselli:

Yeah. You're humanizing that team. You mentioned something earlier that just triggered a memory for me. You talked about the top-down approach. You got to be friends with all the way up through the executive ladder. Some of the programs I've seen, one of the incentives people use is that if you are catching a ... I've seen in company-wide, all hands where the CEO will shout out a name or two of people who have caught not simulated, but real phishes that posed a serious risk to the organization.

Nick Marchiselli:

I think it goes a long way. If you can get someone at that status and the stature within the organization to show that security matters. It takes, what, 30 seconds out of their meeting? It may be uncomfortable for you as a program owner to ask for that favor. But that goes a long way in telling everyone else, "Hey. This is important to us. The security team is not just those guys who send the simulation to those guys and girls that are trying to trick us." It's more than that.

Nick Marchiselli:

I also am looking at the chat here. Bernadette, I feel for you. She sent out a tough simulation there. Yeah. That is a tough one. But glad you were able to make up for it.

Geoff Parker:

That's the performance review I just saw go by?

Nick Marchiselli:

What'd you say, Geoff?

Geoff Parker:

Was that the performance review template I saw go by?

Nick Marchiselli:

It sounds like it was.

Geoff Parker:

Yeah. Yeah. [inaudible 00:28:52]

Nick Marchiselli:

We're talking about maturing a program. One interesting avenue I've seen some people go down, or are trying to get to, is how phishing and MFA are tied in together.

Geoff Parker:

Yeah.

Nick Marchiselli:

If you phish me for my credentials and I give you my credentials, they're only as good as the multifactor authentication on my phone. I may be able to stop some things that happen. I'm starting to see and hear from program owners that want to tie those two things together.

Nick Marchiselli:

I'm interested to hear from the attendees today. We're going to launch a poll actually about how organizations might receive these being tied in. But Geoff, have you thought, or seen people actually sending simulated MFA prompts as part of the simulation training?

Geoff Parker:

Yes, I have. I've just started to see that come through, largely because of the last two years or so. The bad guys have figured out great automation; [inaudible 00:29:47], for example, is out there. It can literally automate the process of stealing credentials. It can literally man-in-the-middle you into ... From you to a legitimate site, to request the creds, pass through their filter, essentially, including the response with an MFA, with the 2FA code, and then make you think you're actually on the legitimate site.

Geoff Parker:

They can literally mimic it or pop you back to it. You don't know you've been phished. Now, that's starting to get problematic. That is at least as bad as logging into Twitter, for example, from your phone using your 2FA and the next thing you know, Twitter calls you and says, "Hey, we need you to tell us what that 2FA code was. There was some problem with it or got intercepted or we need" ... These things actually happened.

Geoff Parker:

There are automated problems going on and there are manual problems going on in the real world where the MFA credentials are getting stolen. When MFA first emerged, it was so reliable just because it was so hard to break and the bad guys hadn't caught up yet. They've caught up. In fact, they've more than just caught up. There are three really good platforms that are automated out there. If they want to steal 2FA codes, they can do it.

Nick Marchiselli:

Kind of scary.

Anna Shinness:

Yeah, the ROTBs are vulnerable again. I'm like, "Really guys? Really? You have to go and do that. There's another piece of security gone."

Nick Marchiselli:

Yeah. Now, when you tell people enable MFA, you've got to put another caveat on it, right?

Geoff Parker:

Yeah. Yeah. Yeah. We've got to, Nick. It's not as secure as it was when it first came out. It's really pretty mature at this point. The long and the short of it is, if you are in a position where you could do, for example, social engineering by pretexting calls, you could probably get some simulations done, trying to steal one-time PINs.

Geoff Parker:

You could probably automate it, but I have seen nothing yet. There's one platform I've heard of that has automated the process of creating a simulated non-real-world threat, one platform only. They are commercialized at this point, but still very early on. I'm watching them to see how successful it is going to be. Are people really going to be updated for this, or are they going to think it's a win kind of thing?

Geoff Parker:

I don't know how expensive it is and how practical it is. What I know is it's going to be resourcing intensive, whichever way to do it.

Nick Marchiselli:

Yeah. I mean, I used to work with our offensive security team and they would do something similar where ... But they would do spear phishing on 10, 15 people at a time. They could actually have someone for an hour monitor and send out the prompt.

Geoff Parker:

Yeah.

Nick Marchiselli:

You mentioned the fact that it isn't as secure as it used to be. What is the training line? What is the method that you are working with to try and improve that? Because I do think it ties into phishing here.

Geoff Parker:

It does tie to phishing. It is a form of phishing. There's no doubt about it. We use a couple of different approaches. One of them is I don't do a lot of in-person live physical training at the moment. But we do a lot of instructor-led training via teams or webinars or whatever. We actually talk about the process of stealing a pin code at this point and what users need to do or not do.

Geoff Parker:

When we bring up the whole concept of security through passwords and strong passwords and password managers and two-factor authentication, we literally will talk about what the bad guys are doing to steal those pins right now and tell people, "I don't care if it sounds it's coming from the good Lord, him or herself." If somebody calls you and asks you for that pin you don't give it. Say, "It expired. Too late. Sorry." Whatever you got to do.

Geoff Parker:

The other thing we do is we write articles about it. We do newsfeeds, especially to internal infrastructure sites. We have a community that essentially is for IT security alerts, threads, feeds, things like that. We post articles and different talks and things like that as well. That's one of the places where we try to disseminate it.

Geoff Parker:

When there's something that happens, we make sure that at least our ambassadors and champions or whatever know, and they will disseminate it. We're not at the point of maturity yet. We literally don't have bandwidth at this point to have our own program where we can spear phish people with the pretexting and the trying to steal the PIN codes kind of thing. It isn't on our horizon and our roadmap yet. It's out there.

Geoff Parker:

But I don't think practically I'm going to be able to execute something like that unless I get two or three other bodies in to help support what I'm doing now for at least the next year or two. Do I think it should be? At least we got to make people aware of it, because there's so many people out there that go, "Oh, I've got two-factor authentication. I'm perfectly safe." Until they're not.

Nick Marchiselli:

It's interesting. You talked at one point when you were mentioning someone who was looking to build this, that and put it onto the market. We've got about 65% of people who responded to the poll. If you combine the somewhats to the no's, think that this really probably wouldn't go over well or there'd be some pushback.

Nick Marchiselli:

I think if you look back at one point, that's where phishing simulations were, right?

Geoff Parker:

Yeah.

Nick Marchiselli:

Now it's accepted. It's part of how we train. It does seem there's some more maturity needed there.

Geoff Parker:

Yeah. That's a hard one. I mean, it's if you look at Verizon DBIR, this year 85% of the 96% give or take percent of failures that happened were based on human failures. Most of those were phishing related. I mean, there were human errors. There were other things that ... There was the LP issues and stuff. But basically it was the big human factor was phishing.

Geoff Parker:

In this world, in 2022 and going forward, we've since ... Bad guys are focusing on the human element. We've got to build those strengths. Honestly I have no big vested interest in whatever it takes to get it done. Other than that we've got to be able to defend ourselves. If you work in an organization where data is absolutely key and you've got protected data, whether it's PCI data or protected health data, or ...

Nick Marchiselli:

Oh, no, it's back.

Geoff Parker:

Are we back again?

Nick Marchiselli:

We're back.

Geoff Parker:

Yay. Okay. You froze for a minute. But there you go. You're unfrozen. The long and the short of it is, in this world these days, we've got to be able to teach what people need to know to defend themselves. I am virtually positive that people do not sit at their desks every day going, "I could get phished." They're a little busy with other stuff, unless I'm missing something.

Nick Marchiselli:

You just brought up the amount of hacking incidents, or I'll call them that, that are probably related to humans. A question came in; the participant was very excited to ask it. Why is it important for me to watch out for phishing emails if my organization has controls and security in place? I'm going to let you have the soapbox for a few minutes on this one, Geoff.

Geoff Parker:

Oh, God. Don't get me started. Our CEOs, our executives, our VPs, our senior VPs, at least three times a week they're getting phished and they don't get stopped by our extensive, robust defensive systems, defense in depth, double tier, triple layered, blah, blah. They don't stop them. They're not always going to. As long as the bad guys can send a message that looks like it's coming from Ashley or from Drew that says, "Hey, Nick, are you in the office today?"

Nick Marchiselli:

I get texts from Ashley Rose every month or so that the whole ... Part of the awareness is someone, as soon as someone gets it, writes to Slack. You got to let everyone know.

Geoff Parker:

Yeah. Yeah. This just came in. Why? Because there's nothing in it that our systems are going to catch, unless it's from a blacked out or some domain, essentially, a non-safe list domain. If it is, you're not going to get it. But if it's not, and God forbid, if they're inside already and they start phishing people, you got a bigger problem.

Geoff Parker:

For me, I love that we've got great defensive systems. They're so good that they stop my phishing simulations periodically.

Nick Marchiselli:

Right.

Geoff Parker:

Not a happy time when that happens. We've got a few very angsty days with all my engineers and everything, trying to figure out what broke and who did what, and why do I have to re-authenticate this and blah, blah, blah? We don't know what's coming. We don't always know what's out there. I've seen phishing emails. They're so well crafted that even after way term money, years in this industry, I would have fallen for them.

Geoff Parker:

If I hadn't looked and verified that was a real manager and absolutely confirmed the email address, would I have fallen for it myself? When it's ransomware, we don't want to go there, because it could create a heck of a mess that could rapidly get into the seven, eight figures for anybody. We don't want to go there.

Geoff Parker:

The long and the short of it is best systems in the world aren't going to stop the bad guys from getting at the people sooner or later somehow. They don't care how they get to us. They just want to get to us, could be Facebook, LinkedIn, Twitter, could be anything, but they will get to us if they're really that determined. Then it's up to us to figure out, "Hmm. One of those eyeballs is pointing the wrong way and it's the wrong color and earring isn't real, and here's misshape and oh, this is not a real person."

Nick Marchiselli:

Yep. There's only so much those technology controls can do, especially as most organizations, from what I'm hearing from colleagues, friends, are BYOD organizations. I'm on my own phone. There's not much that can be done to protect me from receiving a smish or a vish. I'm curious. Do you have any tips for programs trying to build up and mature on that element and that side of things?

Geoff Parker:

Yes, I do. We are actually ... This is now in my roadmap and it's actually going to come to fruition. In addition to doing all the different training on the different elements, we train people on what the different types of phishing are. We're starting to put together simulations, for example, everything from flash drives left lying around to SMSes. That's really good.

Geoff Parker:

Because the bad guys these days are not just calling you and saying your car warranty may have expired 14 years ago. They're calling now going, "Hey, it's help desk. You're going to get a new computer. You're eligible for a laptop upgrade. We just need to make sure that we provision it properly. We need to know what's on your laptop. Now, can you go ahead and tell us what software you've got. Or if that's too much of a hassle, gee, can you screen share with me, or better yet, why don't you just let me log in and I'll just get the information, we've done a two-second spot."

Geoff Parker:

They'll never know anything. They're good enough that you're getting caller IDs that come up from your organization that look legit. If they're really on the ball, they'll give you a call number. That's a literal human-staffed call center where you call in and they go, "Yes, we have an agent on the phone with that person right now, trying to take care of an upgrade" or anything like that.

Geoff Parker:

It can start innocuously from a smish, or it can start very not innocuously from an email, which there's been a lot of those going around now, where you get something that looks like an invoice that hasn't been paid yet and you can't do X, Y, Z, go to a seminar or training class or something until it's paid and it's overdue. They want you to call a number. You call the number and sure enough, humans answer. Guess what they want to do.

Nick Marchiselli:

The beauty of all of this is it's not just being done for the sake of doing it. We've talked a lot about how do ... This all comes back to minimizing risk, right?

Geoff Parker:

Yeah.

Nick Marchiselli:

You're trying to put the least amount of risk on the organization as possible by training your users. I'm curious. Obviously, we have phishing click rate, we have phishing report rate. How are you trying to, or thinking that at some point in the future, you would like to measure more data and more risk or vigilance? Because it's just as important to measure the person that puts it in the company Slack and says, "Hey, I think we're all getting phished."

Geoff Parker:

Similar to your new platform.

Nick Marchiselli:

Unified.

Geoff Parker:

Unified. We came up with Unified because we wanted to do some form of user behavior analytics. The fact that you guys came up with that, and you've got Unify and Living Security has got a very comprehensive platform for that now, a package for that, is just wonderful. But for us, we said, "Okay. What are the key factors we want to be able to report on, not just phishing and your level of phish program? Because that's only one risk factor."

Geoff Parker:

We wanted to be able to report on: Have you done your training? Did you do your training on time? When we did your training, did you do the fast quizzes? Have you gone to websites that are prohibited? How many times did that ... the track come up? Things that were a combination of behaviors people could use and capabilities that people had, the behaviors they did or did not do, and create a matrix of those so that we can present them.

Geoff Parker:

Our idea was to use Tableau. Get the information, assuming it was fairly straightforward to get. Collate it once we had the data and then throw it into a visual dashboard so that you could actually see and come up with essentially what looks like a credit score, so that we could say, "Okay. Your risk is between 0 and 30, 31 to 60, 61 to 100, whatever. If it's up there, you're in the green. If it's down there, we got some retraining to do."

Geoff Parker:

The idea being to focus them on what the failures they had were, so we knew what the training we needed to do was. I know that Unified does that. It's very granular. Things like that. But I mean, for us, we wanted to make sure that, for example, when we report our phishing scores, what were the fails? How many people failed? How many went to training? How many people did the reporting accurately kind of thing, phish reporting?

Geoff Parker:

We actually set up competitions between our groups. When we present them to the enterprise security committee, we'd be like, "Oh, look, these guys are on top. Now, they had the lowest click rate and highest report rate." You know what I'm going to let them get away with, I kind of thing so. Not as directly as that, but let's just say there's some good, friendly competition that is really good.

Geoff Parker:

When we call people's attention to these things and make the numbers mean something, tell them, "Okay, here's where we are. Here's what the industry average is for us, for our industry, our company size, our maturity," the numbers mean something, and metrics aren't just there to justify a security awareness program and to make IT security look good. They actually mean something. They are a realistic indicator, when done correctly and properly, of what the company's real level of risk is for these possible exploits, for these possible breaches or incidents.

Geoff Parker:

I mean, I think the more mature your program is, and the more tools you have, but I'm not advocating throw money at it till you get what you want. I'm advocating for think about where you want to be. Why are you doing these things? What is the value to the company? Just because you get a KPI and KRI doesn't necessarily mean they mean anything to anyone.

Geoff Parker:

It's much more meaningful to say, "Hey, we were at 5%. Look, in the last year, we've dropped down to two and a half percent. That's really good. That lessens our risk of something really bad happening." We're looking at this and this and this for improvement ...

Nick Marchiselli:

Yeah. Tying back to that tiered program you talked about, one of the nice things with that is that you could manipulate your phishing click rate. If you are just doing a flat phishing email across the whole company without those segments or anything, I could send out the most obvious phish in the world and say to my leadership, "Hey, look. I got a 2% click rate. Look how amazing that is, down from 8%." But maybe I changed the difficulty entirely.

Nick Marchiselli:

It is really important to think about how you're measuring and tracking and how you're building those programs, because you want to prove not just the metric, you want to prove the growth of the individuals you're measuring, right?

Geoff Parker:

Exactly. Looking at the metrics over time is also good. I mean, for us, that means that not only can we report on where certain groups are, but we can also say, "Okay. Six months ago you had X number of people at this level, and now they are at this level or at this level." We need to pay more attention to this, or attaboys are appropriate here, let's kick them up a notch and see if we can make it a little bit more realistic for them.

Geoff Parker:

Now, let's approach it from a different perspective, or let's try something we haven't done before just to keep them on their toes, things like that.

Nick Marchiselli:

When you're looking at segments, are you mainly just looking at your tiered phish probability segments? Because you mentioned earlier you get rid of some of the geography, the office location, department. Do you pull that back in at some point and try to build it into different groups?

Geoff Parker:

We do. Yeah. Again, we've got a literal suite that we report to the enterprise security committee. Usually we reserve the big stuff, but it's going to take more than just an email for them to read, for the meetings that we have. But they are a very engaged group. We share all of this with our ambassadors and champions.

Geoff Parker:

The ambassadors and champions are out in those groups. They know what's going on. We've got two different ways to approach them. Of course the leaders who know those people there actually go to and rely on them. One of the best things that's ancillary, that's come out of this, is we've embedded the ambassadors and champions, so that when someone wants to go for a new project, they don't go for, "Oh, we need to make this go live in two days. Can we talk about IT security?"

Geoff Parker:

As compared to when the charter's defined, when the project goes along, IT security is baked in from the get-go. It's not bolted on two days before go-live kind of thing. There are advantages to different approaches. It's more of a holistic thing. But I do think that the more you can mature your program, the more mature the program is, the more relevant and meaningful the numbers are, whatever your metrics are, to the people that are going to receive them, that they make sense, that they have meaning, that they're actionable. Those are all the ingredients that for me really will make a good mature program, but not comprehensively by any means.

Geoff Parker:

But certainly in terms of what we can talk about today, those are the important things we're talking about.

Nick Marchiselli:

We've got about 10 minutes left here. I know we've gotten through some questions. But we're going to start working through some additional ones. If you've got any, feel free to put them in the chat. Speaking of actionable, Geoff, what are your thoughts on those who don't actually respond by clicking or reporting at all, the non-behavior users? Do you see them as a positive, a negative?

Geoff Parker:

I see them as a factor that's out there, but they're always out there. I mean, on any given day, you've got a significant percentage of your people out on PTO, one kind or another, or whatever it happens to be, but they're not there. No matter how much you clean your user base, you're still sending phishing emails to devices or dumping cats. You're never going to get a response to them, or you're always going to get a fail if they respond back.

Geoff Parker:

There's always going to be a percentage of that. For me, we set a goal, a target. Our target was we want our report rate to be at this level, which means our fail reporting, they did nothing, it's got to be below that. Doesn't really matter what you do. If it's not important, if people don't know what it is, if they're slammed, if they don't care, if they're out, if they come back, if it's not a priority or something, or, well, the dog ate their email, you're not going to hear.

Geoff Parker:

I haven't figured out a way to get around the did nothings at this point, they ignore us. They're going to be out there. If I figure that one out, chances are good. I'll go on work.

Nick Marchiselli:

Do you have ... I know this is very industry relevant and difficulty relevant. But I'm just curious. Do you have a report rate that you target that you're comfortable sharing?

Geoff Parker:

Yeah. But you won't believe me.

Nick Marchiselli:

I'll take a guess. I think you are targeting 45%.

Geoff Parker:

Fifty.

Nick Marchiselli:

Fifty. I didn't want to go with the clean even number.

Geoff Parker:

Yeah. Well, it's easier for me to remember, yeah, instead of 45.7. Yeah. But now we know for 50% and we're about there.

Nick Marchiselli:

Wow. Very impressive. Yeah.

Geoff Parker:

[inaudible 00:52:40] Nobody knows where it were.

Nick Marchiselli:

I thought this was a great question. Probably this resonates with a lot of people on the call. You've got a user who has gone through the training, has submitted data seven times. They just continue to fall victim to the simulations. Any tips on how to approach this user without overwhelming them? I know some organizations have different policy rules in place where after a certain amount of clicks, they go to a manager, but I'd be curious what your tips are.

Geoff Parker:

We have tried several different things. My goal has been to get people out of the repeat group, for example, the repeat or three-repeat group where they are required to take training and do. I don't want to see those people in a class again. The few that we do have, or that we do acquire, we actually set up specialized training for them to figure out what's the problem and what can we do to resolve it.

Geoff Parker:

If it can't be resolved, then it gets referred back to HR and we say, "Okay. This is something we can't deal with. You're going to have to deal with this and make your recommendations." We have a very lenient approach, for lack of a better word, simply because we're trying to change people's behaviors. We're trying to make them less risky, more safe and more mature.

Geoff Parker:

If we can figure out what the problem is and correct it and change that behavior, I think we're a lot better off. My whole goal, my whole outlook, is turn liabilities into assets. Everybody has a bad day, Nick. I was doing test emails and a phishing campaign to myself, and I'd forgotten that I sent myself a meeting request from my manager.

Geoff Parker:

As I'd just gotten off the phone with him, I had just fired 12 campaigns off to myself to test everything was working right. I was like, "What's he making a meeting request for? We just got off the phone about this." Click. I've been doing this a long time. It's not easy for me to run myself over. But even for me, sometimes it's just timing.

Geoff Parker:

I mean, I've gotten people that said, "I just renewed my Apples [inaudible 00:54:57] buck a month thing. I just got an email confirmation for $25 a month." I'm like, "Wait. I made a mistake." Click. It can be timing. It can be a bad day. It can be you're going too fast. Not paying attention [inaudible 00:55:12]. We're all human. There's going to be people that fail periodically just because we're human.

Geoff Parker:

We should be paying more attention, but we're not. The ones that we cannot fix, where people really have an issue and they cannot stop clicking, those are a different level, and those are something that is outside the scope of what our program is supposed to take care of. That's why we've got to send them off to somebody that can take a different look at: are they suitable for their job? Is there something else we could do? Do we remove their network access? What are we doing?

Nick Marchiselli:

Yep. Yeah. That's a tough conversation. You don't want to be punitive. But when you continue to see repeat clicks, it moves from what are they motivated by? Why are they behaving this way? Yeah. There was another question that I thought was great here.

Nick Marchiselli:

Someone was asking about language localization, and I'm curious what you've seen done there, because I think that is something that could really take a phishing program to the next level.

Geoff Parker:

I'd love to talk about that. [inaudible 00:56:19]. The company I'm at now is all US based. It doesn't apply. But my last company, oh, we had offices all over the world. Man, I went after them in their own language, their own dialect, their own ... Man, I was on Google Maps, looking up coffee shops around the corner from them. Oh, yeah. I am a firm believer in them.

Geoff Parker:

Now, we've got other problems. We got to deal with this at this point when we're security awareness professionals, because there's GDPR, there's everything we can't do in Germany. There's other countries where there are issues about phishing at all. If we can phish, we are so restricted it's almost not worth it to try.

Geoff Parker:

But for those where they aren't limited like that or where you can work around them within the scope of the law, oh yeah, I think they're great to use and I very strongly support that and, yeah, I would encourage people to when they can.

Nick Marchiselli:

Yeah. I've seen one. We talked about a security champions program earlier. I've seen them be really valuable for globalizing a phishing program. You're one person based in the states, most programs are maybe one to two program owners. Put this out to your champions. Let them submit phishing emails in their local language.

Geoff Parker:

Yeah.

Nick Marchiselli:

Leverage what they're seeing and that as part of how you phish people. You mentioned the local coffee shop; someone in the chat was talking about it. How do you make this exciting? How do we make it not boring? If you're polling, that was a game. It's exciting, I think.

Geoff Parker:

You're actually right. I'll give you something else I tried that went over phenomenally well, particularly with Cybersecurity Awareness Month coming up in October. I created a class called "How Would You Phish Me?" where I brought people in and said, "Okay. You are now the bad guy. If you're going to write a phish, how would you do it? What would catch you? Or what can you think of that might catch someone else, or what have you fallen for?"

Geoff Parker:

Then if it's really good, we've actually used them. We've created templates out of them, and we've got some good ones. But a bonus part of that is somebody who creates that phish is never going to fall for it.

Nick Marchiselli:

Yep. That's the maturity right there: you've got an ambassador for your team out in the organization working throughout. Yeah. I think that's great. I love the submit-a-phish programs. I love the phishing tournament ideas that I've seen from people before: run six phishing simulations in October. If you report all of them, catch all the phish, you're in a raffle, those kinds of things.

Nick Marchiselli:

I think they're all really valuable. We've got one or two minutes left here, Geoff. I'll give you a moment to share your last part, imparting wisdom here with people. Then we'll thank everyone for their time and for joining us.

Geoff Parker:

Yeah. I think it all comes down to what do you want to accomplish with your phishing program? Whatever the company rules, policies, posture, budget, you're one person for 8,000 or 10,000 users, I think it really has to start from within. Can you make a plan? Can you deliver on that plan, or at least as best you can, and what's in it for you? What do you really want to accomplish?

Geoff Parker:

I have an expression that I use, which is that people don't care how much you know unless they know how much you care. I really find that human beings on the other end, not users, but the people that you're working with, resonate to that. I have seen a dramatic shift in the company I work with, which is that people would avoid IT security like the plague when I got there, and I've shifted that all the way over in a roughly 8,000-person company.

Geoff Parker:

If someone says "Geoff," chances are good they're talking about me in a favorable light for the most part. It's like I don't care if it's my job or not. If I can do something to support, I'll do it. If it just means getting them to the right resource, then they know they've got a friend that will help them, that will really support them, and I think that makes all the difference in the world.

Nick Marchiselli:

Thank you, Geoff. Well, with that, we'll wrap up. Thank you to all the attendees. Thank you to the people at Living Security on the backend who helped make this possible. Geoff, thank you to you. It's been fantastic working with you. We really appreciate you sharing your insights and being a true partner here.

Geoff Parker:

Thank you, Nick. Thank you very much. Thanks everybody. Have a great rest of your day.

Nick Marchiselli:

All right. Take care, everyone.
