No matter how far technology advances, phishing remains one of the most prevalent and effective methods adversaries use to gain a foothold in an organisation, because it goes around technical controls and targets the people behind them.

A phishing email exploits human weaknesses and gaps in process as much as technical vulnerabilities, so it is a direct test of an organisation's cyber resilience. Here are the insights gathered from a year-long phishing simulation campaign, showing what security awareness training contributes to a stronger security posture.


Phishing Statistics

Phishing attacks remain a significant threat, but just how significant?

  • According to CISA, 90% of all cyber-attacks begin with a phishing email.
  • According to GreatHorn's 2021 Business Email Compromise report, 57% of organisations experience phishing attempts weekly or daily.
  • Proofpoint's 2024 State of the Phish report found that 71% of surveyed working adults admitted to risky online behaviour, and 96% of those knew the behaviour was risky when they did it.

Scenario: A Year-Long Phishing Simulation Campaign

We ran a year-long phishing simulation campaign with one of our clients, and it was an eye-opening experience for everyone involved. In the first round, a concerning 25% of employees clicked the link in the simulated phishing email. That click rate exposed a real gap in their security posture. The true value of the campaign, though, lay in educating and empowering employees through fundamental security principles and in treating awareness training as a continuous activity rather than an annual tick-box exercise. It is the same thinking that leads organisations to move from DevOps to DevSecOps: security becomes part of how people work and how applications are built, rather than a control bolted on at the end.

The results improved measurably over time. With continuous training and repeated exposure to simulated phishing attempts, the click rate dropped sharply, reaching 5% within three months. By the six-month mark the client asked us to raise the difficulty to the top of the scale (5 out of 5), and even then the workforce stopped falling for the lures, however polished they became. The campaign had some interesting points to learn from:

  • High Click Rate in the Beginning and a Decrease Over Time

The high initial click rate exposed a gap in phishing knowledge. Click rates typically fall over time as awareness and training take hold. One caveat when reading the numbers: the simulation sender should be allow-listed in the mail gateway so that every test lure actually reaches the inbox; if it is not, a falling click rate may reflect filter tuning rather than any change in user behaviour. The subsequent decrease demonstrated how simulated attacks and training equip employees to identify phishing attempts and build security awareness.

  • Increased Difficulty Level in the Phishing Campaign Helps Strengthen the Security Posture

Real-world threats evolve, and so should your training. Mimicking attacker tactics with progressively harder campaigns strengthens the security posture by preparing employees to recognise and respond to sophisticated phishing attacks, not only the obvious ones.

So, What Were the Lessons from a Year-Long Phishing Simulation Campaign?

The year-long phishing simulation campaign yielded valuable insights, including:

  • Complexity can enhance preparedness: progressively more intricate phishing simulations equip employees to recognise and respond to the threats they will actually face.
  • Practical and balanced anti-phishing training gets better responses: effective training goes beyond the basics and challenges employees without becoming overwhelming or demoralising.
  • Tailoring training programs is paramount: one-size-fits-all approaches rarely succeed, so programs should be tailored to the needs of specific departments and roles.
  • It takes time to build a robust security culture: it does not happen overnight, so consistency is needed to develop a security-conscious workforce.
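The figures quoted in the scenario (a 25% click rate falling to 5% as difficulty rises) are the kind of output a simulation platform reports, and the lessons above depend on reading them per round, per department and per person. The script below is an added example, not code from the article or from any platform the client used: it computes those metrics from constructed sample data. It reports per-round click rate and report rate, a per-department breakdown (the input for tailoring training), repeat clickers (candidates for one-to-one coaching), and flags any round where the click rate rose after the previous one, which is the signal to watch when difficulty is increased. All users, departments, rounds and outcomes are assumed sample data chosen to mirror the article's numbers.

```python
"""Analyse the results of a multi-round phishing simulation.

Added example: this is not the campaign tooling described in the article.
All users, departments, rounds and outcomes below are constructed sample
data (assumed), chosen to mirror the article's 25% -> 5% -> 0% click rates.
"""
from collections import Counter
from dataclasses import dataclass, field
from statistics import median
from typing import Dict, FrozenSet, List, Optional

# Constructed roster: 20 users across two departments (assumed names).
USERS: Dict[str, str] = {
    **{f"u{i:02d}": "Finance" for i in range(1, 11)},
    **{f"u{i:02d}": "Engineering" for i in range(11, 21)},
}


@dataclass(frozen=True)
class Round:
    """One simulated phishing send: who clicked, who reported (and how fast)."""
    number: int
    difficulty: int                 # 1 (obvious lure) to 5 (targeted, polished)
    clicked: FrozenSet[str]         # users who clicked the lure
    reported: Dict[str, float] = field(default_factory=dict)  # user -> minutes to report


# Constructed rounds: difficulty ramps up while the click rate falls.
ROUNDS: List[Round] = [
    Round(1, 1, frozenset({"u01", "u02", "u03", "u11", "u12"}), {"u04": 15, "u13": 40}),
    Round(2, 3, frozenset({"u01"}), {"u04": 8, "u05": 30, "u13": 12, "u14": 20}),
    Round(3, 5, frozenset(), {"u02": 5, "u04": 6, "u05": 9, "u13": 7, "u14": 11, "u15": 14}),
]


def validate(rounds: List[Round], users: Dict[str, str]) -> None:
    """Fail loudly on data-entry errors before any metric is computed."""
    for r in rounds:
        unknown = (set(r.clicked) | set(r.reported)) - set(users)
        if unknown:
            raise ValueError(f"round {r.number}: unknown users {sorted(unknown)}")
        if not 1 <= r.difficulty <= 5:
            raise ValueError(f"round {r.number}: difficulty out of range")


def round_metrics(rounds: List[Round], users: Dict[str, str]) -> List[dict]:
    """Per-round click rate, report rate and median time-to-report.

    'regressed' is True for a round whose click rate rose against the
    previous round, which is what to check after raising the difficulty.
    """
    validate(rounds, users)
    n = len(users)
    out: List[dict] = []
    prev: Optional[float] = None
    for r in sorted(rounds, key=lambda x: x.number):
        click_rate = len(r.clicked) / n
        out.append({
            "round": r.number,
            "difficulty": r.difficulty,
            "click_rate": click_rate,
            "report_rate": len(r.reported) / n,
            "median_minutes_to_report": median(r.reported.values()) if r.reported else None,
            "regressed": prev is not None and click_rate > prev,
        })
        prev = click_rate
    return out


def department_click_rates(rnd: Round, users: Dict[str, str]) -> Dict[str, float]:
    """Click rate per department: the input for tailoring follow-up training."""
    sent = Counter(users.values())
    clicked = Counter(users[u] for u in rnd.clicked)
    return {dept: clicked[dept] / sent[dept] for dept in sent}


def repeat_clickers(rounds: List[Round], min_rounds: int = 2) -> List[str]:
    """Users who clicked in at least `min_rounds` rounds: candidates for 1:1 coaching."""
    hits = Counter(u for r in rounds for u in r.clicked)
    return sorted(u for u, c in hits.items() if c >= min_rounds)


if __name__ == "__main__":
    for m in round_metrics(ROUNDS, USERS):
        print(m)
    print("round 1 by department:", department_click_rates(ROUNDS[0], USERS))
    print("repeat clickers:", repeat_clickers(ROUNDS))
```

Once the click rate approaches zero, the report rate and the median time-to-report become the more informative numbers: they show whether staff are actively feeding the security team signal rather than merely ignoring lures.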

Final Words

Your organisation should foster a culture of awareness and provide employees with the necessary training and tools to combat phishing attempts and build cyber resilience.

 

References

  1. Chavez, P. (2024, January 26). 2024 State of the Phish report: the impact of human behavior. Proofpoint. https://www.proofpoint.com/us/blog/security-awareness-training/2024-state-of-phish-report
  2. Cybersecurity and Infrastructure Security Agency (CISA). (n.d.). General information. Retrieved July 22, 2024, from https://www.cisa.gov/stopransomware/general-information
  3. CyberSapiens. (2024, May 11). Why run phishing simulation campaigns? https://cybersapiens.com.au/cyber-awareness/why-run-phishing-simulation-campaigns/
  4. Shelwell, G. (2024, February 2). What is a phishing simulation? CanIPhish. https://caniphish.com/what-is-a-phishing-simulation
  5. GreatHorn. (n.d.). 2021 Business Email Compromise Report. Retrieved July 22, 2024, from https://info.greathorn.com/hubfs/Reports/2021-Business-Email-Compromise-Report-GreatHorn.pdf

Copyright © 2024 Cliffside Consulting PTY LTD. All rights reserved