Training non-technical employees was an unusually difficult challenge in 2020. Employees were more judgmental than usual of simulated phishing tests, and lacked the attention span to engage in training.
Companies were faced with balancing employee sensitivity and a resilient posture. "We try to be sensitive, and the [phishing] simulation we did, we got some backlash," said Nikolay Betov, information security governance & awareness officer of Mondelez International.
The Oreo and Triscuit maker began a security program encompassing risk management, security operations enhancement and employee awareness in 2019. The program was meant to mitigate an unintended side effect of technology investments: some "slacking" behaviors in employees, said Betov, summed up by the attitude that "someone will fix it for me."
Mondelez is a proponent of positive reinforcement and practice. "It's not on the top of your head, you're under stress, you're thinking about something completely different," said Betov. "But again some of these things seem so obvious for me that I do ask everyone individually, 'What was going through your head exactly at that moment when you did this?'"
The training programs Mondelez used failed to capture its employees' full attention. Employees would multitask, catching up on emails or other workday distractions, while a security course ran. While the phishing tests didn't change, the training in between simulations was updated to cater to a busy workday.
To add security training on top of existing phishing exercises, Mondelez entered a three-year agreement with AwareGo. The training platform supplements simulated phishing attacks and currently draws engagement rates between 20% and 50%.
The learning management system is part of Mondelez's broader security program, where employees are constantly engaged in training content — not just when they fail a phishing test.
It was difficult for Mondelez to capture how its employees applied certain behaviors to security and training. During some phishing simulations, the company observed differences between "what we are teaching people and how they were acting," said Betov. "We were wondering, is our message not landing? Are we too boring?" People were "hearing" the lessons and then forgetting about them.
Positive reinforcement, but with consequences
Nearly two-thirds of U.S. employees are familiar with the term "phishing," yet 34% say emails with a trusted label in them are deemed safe, according to Proofpoint's 2021 State of the Phish report, published in February. The report is based on responses from about 3,500 employed adults and 600 IT security professionals globally who participated in a third-party survey.
Employees deemed some phishing simulations unfair, such as one using an outdated logo. But the company approaches it as a test in resilience, "that's what a cybercriminal will do in 15 minutes if they're targeting the company," said Betov.
Eighty-two percent of U.S.-based companies use a consequence model for handling "repeat offenders" in failed phishing simulations, according to Proofpoint. A consequence model includes varying degrees of information security or manager counseling, impact on performance reviews, HR-based discipline, monetary penalty or restricted system access.
In 2020, however, companies removed training as a component of the consequence model and focused more on penalties. Almost half of the companies using a consequence model report widespread acceptance, according to respondents.
Mondelez doesn't use the term "repeat offender" outside the purview of the security organization. "The culture of the company is not the one that you'll get, 'Hey, you clicked twice on a phishing email, here's a yellow card,'" said Betov. "We are very much for a consequence model."
The company follows up with employees when it observes behaviors that the SOC considers too risky. In one simulated campaign, the fake email touted an updated company policy; some people forwarded it throughout the company, telling colleagues they had to apply for something. Other employees recognized it as a phishing email from the get-go.
"So with those we said, 'Well, let's have a phone conversation with them,'" said Betov, which came down to about 10 or 15 cases.
Connecting with employees
Personnel training is only a fraction of the defense in depth model, but it's a crucial piece.
"I know each of us can fall for it," said Betov, referring to sophisticated phishing emails. "Don't be angry, it's a matter of practice."
Unintentionally alienating employees is a common side effect of security training, and one of the reasons Mondelez adopted "learning moments": every two weeks employees get a snapshot, a one-minute video from AwareGo focused on a single topic.
"It's not rocket science," said Ragnar Sigurdsson, CEO of AwareGO. The videos are based on traditional marketing principles, embedded with memorable messages.
Anything security does to agitate users, in terms of their accessibility or ease of use, will harden resistance to training.
"Speaking personally as someone that has received an insensitive test, I would argue it is imperative for the security teams to venture outside and engage with the wider business about the content used in order to test employees," said Raj Samani, chief scientist and fellow at McAfee. Phishing simulations usually walk a fine line between clickability and inappropriate content.
Proofpoint recommended companies aim for 70% reporting and only 5% failure in phishing test rates, the 70:5 rule. The industry average reporting rate is 13%, which the food industry barely misses with an average of 11%.
Maintaining engagement is the top challenge for achieving success rates, however. "In the past I have seen companies record phishing calls from scammers and use that as part of the training," said Samani. "It was tremendous to see how employees reacted to these types of calls," which provided them perspective on catching scams in the future.
Mondelez is using a similar tactic, using recordings to show employees what clues would indicate an email had a malicious link or landing page.