During my human metrics talk at RSA last month, a common question was how to get support for an internal phishing program. Phishing assessments are a powerful metric: not only do they measure a high human risk, but they are repeatable, quantifiable, actionable and low cost. This is why phishing has become one of the most common metrics within security awareness. In addition, phishing is a powerful way to reinforce key human behaviors. When I first started in security awareness five years ago, phishing, or any type of human assessment, was rare. Nowadays, I would say roughly 30% of the organizations I work with are doing some type of human assessment as part of their awareness program (surveys, phishing, checking for secured desktops at night, etc.). However, many organizations are still running into problems getting management support and/or approval. Here are some things I have seen work.
Support: The first step is getting senior leadership's support for human assessments; to get it, we need to demonstrate their value.
- First, you need to be measuring a high human risk to your organization. If phishing is not an issue for you (perhaps you do not use email because you are a manufacturing plant), then you should not be measuring it. However, if you are feeling a lot of pain in this area, demonstrate that to management. Give them the numbers for monthly infections due to phishing, or point to a recent large incident if you have had one. Do not use metrics from the industry or the news; general stats have minimal impact. Try to use stats from within your own organization.
- Do a pilot test: run a small phishing campaign against a certain department, or perhaps just 100 random people. Make sure you do not use a targeted spear-phishing email, just a standard attack you would see anywhere today. On average, 30-60% fall victim in non-trained environments. This often gets management's attention.
- Create a plan for how you will execute your phishing assessments, and show them you have researched the topic and are prepared. A great place to learn more about planning phishing assessments is a recent webcast I did on Phishing Assessments that Employees Like.
Approval: Once you have management support, depending on your organization you may also need approval from other groups (such as Human Resources or Legal). Here are some steps you can try.
- Talk to the blockers and understand what their concerns are. They may have misconceptions about what the issue is, or it may be something you can address. For example, perhaps they are concerned that employees will react negatively to the program. You can explain how you address these issues in your Phishing Assessment plan.
- Often these folks are blockers simply because they do not understand what is involved. When doing a test roll-out, make these very folks your first targets: send them a simple phishing email and let HR and Legal fall victim themselves. Once they see what is involved, they often become supporters as you resolve their misconceptions or concerns. I know of one Fortune 10 company that used this very technique to get the approval they needed.
- Privacy is often a concern for organizations, for example for employees in different countries, or where there are union considerations. Create an assessment in which no names are collected: for example an anonymous survey, or, for phishing assessments, tracking links through URL shorteners so that no names are ever collected, only numbers.
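One way to produce the numbers-only report described above, as an added example that is not part of the original post: the redirect behind each shortened link logs only a campaign token and a timestamp, and the script below turns that log into per-group click rates, pooling any group smaller than an assumed minimum size so that a small team cannot be singled out. The tokens, group sizes, log lines and the MIN_GROUP_SIZE threshold are all constructed for this example.

```python
"""Aggregate phishing-assessment results without collecting names.
Constructed example: each test email's link goes through a redirect that
logs only a per-campaign token and a timestamp, never a recipient. Groups
smaller than MIN_GROUP_SIZE are pooled so a small team cannot be singled out.
"""
from collections import Counter

MIN_GROUP_SIZE = 20  # assumption: smallest group reported on its own

# Constructed: emails sent per campaign token (one token per target group).
SENT = {"q1-invoice-sales": 100, "q1-invoice-legal": 12, "q1-invoice-hr": 40}

# Constructed redirect log: "<timestamp> <campaign-token>" per click.
REDIRECT_LOG = """\
2024-03-04T09:02:11Z q1-invoice-sales
2024-03-04T09:02:45Z q1-invoice-sales
2024-03-04T09:03:10Z q1-invoice-legal
2024-03-04T09:05:02Z q1-invoice-sales
2024-03-04T09:07:31Z q1-invoice-hr
2024-03-04T11:20:00Z q1-invoice-legal
2024-03-04T13:44:09Z q1-invoice-hr
"""

def count_clicks(log_text: str) -> Counter:
    """Tally clicks per campaign token; malformed lines are skipped."""
    clicks: Counter = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            clicks[parts[1]] += 1
    return clicks

def summarize(sent: dict, log_text: str) -> dict:
    """Return {group: (sent, clicks, click_rate)} with small groups pooled."""
    clicks = count_clicks(log_text)
    rows, pooled_sent, pooled_clicks = {}, 0, 0
    for token, n_sent in sent.items():
        n_clicks = clicks.get(token, 0)  # no clicks logged -> 0
        if n_sent >= MIN_GROUP_SIZE:
            rows[token] = (n_sent, n_clicks, n_clicks / n_sent)
        else:
            pooled_sent += n_sent
            pooled_clicks += n_clicks
    if pooled_sent >= MIN_GROUP_SIZE:  # pooled remainder reported only if big enough
        rows["other"] = (pooled_sent, pooled_clicks, pooled_clicks / pooled_sent)
    return rows

if __name__ == "__main__":
    for g, (n, c, r) in summarize(SENT, REDIRECT_LOG).items():
        print(f"{g}: {c}/{n} clicked ({r:.0%})")
```

With the constructed data, the 12-person legal group is too small to report on its own and too small even when pooled, so it is left out of the report entirely rather than being shown as "2 of 12".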
I would love to know what tricks you have used for gaining support for your human assessment programs.