Security Awareness Blog

Phishing Assessment Bag of Tricks

Editor's Note: This is a guest blog post from Cheryl Conley, head of Lockheed Martin's Security Education and Awareness team. Lockheed is one of the most targeted (and phished) organizations in the world. Below are her thoughts on phishing as she wraps up 2014.

I hope everyone survived NCSAM; we at Lockheed had a very successful run. We were very pleased with the participation across the enterprise and are eager to capitalize on the flurry of interest from our non-cyber employee base. October was a very busy month: while we started planning for NCSAM in June, the month's activities also included our monthly phishing efforts. As we wind down for 2014, the email testing team is taking a breather. We feel December has too many activities that conflict with a phishing assessment, including enterprise activities such as compliance deadlines, and many employees are out of the office on vacation or travel. Also, much of the leadership will be out, which would impact any accountability conversations we might request. Finally, the month off also provides the email testing team a chance to reflect on 2014: what went right and what didn't, the success of our ongoing enhancements, and strategies for 2015 and beyond. Here are a few key points from our 2014 Phishing Assessment Bag of Tricks:

  • Our Undesired Action Rate (UAR, or the number of people that fell victim) continues to decline, although as one would expect, the lower it gets, the more difficult it will be to improve.
  • Our progressive training and accountability process is widely accepted with excellent support and adherence from stakeholders, leaders and even the impacted employees.
  • The rate of reporting potential malicious email continues to rise, but we still struggle with some employees not fully understanding the process.
  • As we monitor the reporting mailbox for each phishing email, we're very pleased with the cultural change we see in the reporting itself. The employees are asking questions, looking for additional information, and reflecting on how this might impact their own personal life.

Some key lessons learned include the following:

  • Think strategically about how you will move forward
  • Set the expectations; for example, you can use All Employee Memos
  • Content/topic considerations: steer clear of weather, plant closings, resumes, and health
  • Have a process in place to handle replies and forwards
  • Make enhancements based on employee behavior

Come back next month for a quick overview of how we're handling rewarding positive behavior. This has been a challenge, not only from a resource perspective, but also from an employee responsibility viewpoint. This is where some of our philosophies generate interesting conversation.

BIO: Cheryl Conley has held the Sr. Manager position for the Security Education & Awareness Team in the Corporate Information Security organization for the past 6 years and recently also assumed the role of Business Area Information Security Officer. She started her career with the company in 1983; her past experience includes computer operations, customer service, systems engineering, and program support. She has participated in the creation of information security policies, operational readiness reviews, encryption technologies, and employee development. She has managed numerous successful teams, including The I Campaign®, teaches several classes within CIS, and has a passion for the Security Awareness arena. She holds a Master's degree in Information Technology and obtained the CISSP in December 2005.