When I was young, I was an oceanfront lifeguard, firefighter and EMT paramedic. All disciplines involved frequent education and training.
It wasn’t enough to get trained once and be expected to practice a skill with efficiency. We also did a lot of practice drills. There was a saying, “You will do what you practiced!” Meaning that when the proverbial stuff hit the fan and the adrenaline was on high and you had to act quickly, your mind and body would inherently do what it was trained to do. And for the most part, it’s very correct.
Practice, Practice, Practice
Education, training, and drilling are essential if you want a large group of people to do the right thing. This concept needs to be applied to fighting social engineering and phishing.
Educate, train, and drill your employees to do what you want them to do.
We want our end users to be initially skeptical of any unexpected email/message asking them to perform an action that, if malicious, could result in harm (to themselves or their organization). When they get an email/message with those two traits, we want them to Stop. Think. Before They Click. We want them to hover over any involved URL to review to see if it seems legitimate or not. We want them to evaluate the URL of any site they land on after they have clicked on a URL. We want them to learn to confirm using other methods than those presented in the email/message. We want them to mitigate and appropriately report any suspected phishing event.
And if we want these desired behaviors, we should educate, train and drill. You can’t expect an outcome that you didn’t educate, train and drill on.
Simulated phishing tests are great. Periodically, at least once a month, if not more frequently, send a fake phishing email/message, and see how employees perform. People who fail simulated phishing tests should get more training and more testing.
But it’s also a great idea to drill.
Drill Exercise
Make all employees take a 5- to 10-minute drill exercise designed to reinforce good anti-social engineering behaviors. It shouldn’t be a surprise, like simulated phishing, and it should involve more than one test. The goal is to reinforce desired behaviors by repetitively drilling them into an inherent behavior that they naturally practice without thinking about it.
Perhaps send them 10-15 simulated phishing emails/messages, where they are expected to evaluate if the email/message is likely to be a phishing attack or not. They should be directed to evaluate the email/message in a prescribed manner:
- Did the email arrive unexpectedly (i.e., “You were not expecting it”)?
- Is the email asking you to perform an action that, if malicious, could be harmful?
- Did the email arrive during normal expected hours for that sender?
- Is the sender known to you? Does it use a familiar email address that this person normally sends from?
- Do the names and email addresses of the sender agree?
- Evaluate the text of the message. Does it seem normal?
- Does the text agree with the subject of the message?
- If there is a URL, evaluate it, and see if it seems legitimate for the sender claiming to be involved.
- If you click on the provided URL link, what does the resulting URL tell you? Are you landing at a legitimate vendor site or is the resulting URL landing page location suspicious?
- And so on
I was young when I was an EMT-paramedic, firefighter and lifeguard (15-20 years old). I was so thankful for all the education and drilling I received, especially when I was hopping out of the unit to go fight a house fire or a multi-victim automobile collision where there were people thrown out of the cars onto the road. The adrenaline would get pumping. I was often scared even if others couldn’t see it. Luckily, my mind and body did what we practiced and drilled. I’ve never lost the importance of doing both.
Drill baby, drill!
Here's how it works:
