A recent debate on Twitter surrounding the ethics of organizations using COVID-19 as a theme for phishing exercises sparked our interest, since it relates to our coverage areas and prior work experience. In one of Brian’s prior jobs, he conducted the phishing exercises for the employees of one of the larger security companies. Claire covers the security awareness training segment for security and risk professionals.
Brian: I believe strongly in the “train as you fight” mentality. As an Army veteran, I cannot fathom how unprepared I would have been for combat if every training exercise was the same, if the opposing forces were always in the same place, and if they were using the same tactics at the same time every iteration. It would be a dereliction of duty — ethically problematic in my opinion — to not use the same tactics the known threats are using on the modern battlefield.
As my users at my old job got smarter about identifying possible phishing, I increased the realism of my exercises. For example, with the approval of my leadership, I created a fake news story about an event that occurred in Europe and kicked off a campaign to the next cohort of users. At the same time, the infosec community was sharing samples of real phishing conducted by real cyberthreats using the same lure. I was helping make our user base more resilient to the latest cyberthreat techniques.
That being said, if a corporate red team begins its phishing exercise program using current events as lures, it will likely sow mistrust among the users and not meet a phishing program’s objectives. Just as we do in the military, I suggest the “crawl, walk, run” methodology for exercises. Start with your basic phishing lures (e.g., generic delivery notices), progress to your more seasonal themes (e.g., open enrollment), and only when you have observed the requisite changes in behavior should you begin to use current events as your phishing lures. Following that methodology will get your users and program in the “train as you fight” mentality. Your entire organization will bleed less on the digital battlefield because it sweated more in training.
Claire: Security awareness and training needs to go beyond theory. It’s crucial that users are educated to recognize threats to their organization while also being enabled to actively protect it. Today, phishing remains one of the most effective tools for breaching an organization. Both security practitioners and non-security professionals are falling for phishing scams as the cybercriminals evolve their tactics to align with current events, making the fraudulent correspondence appear more legitimate than ever. So it’s fair to say that cybercriminals are now going to start crafting their phishing attacks to prey on people’s fear and paranoia surrounding the COVID-19 outbreak.
It’s logical to make the leap that security awareness and training (SA&T) efforts that focus on phishing awareness should also cater their phishing test templates to use COVID-19 language to prepare users for these attacks. However, there is a fine line that must be drawn. Overstepping that line will undo any and all SA&T progress.
Traditionally, SA&T is disliked both in the cybersecurity community and outside of it. Non-security users see the training as invasive and deceitful, while some security practitioners believe it’s not effective enough to stop phishing attacks and that investments in other security technology are more useful in protecting the organization. If security practitioners start to craft their phishing test emails with COVID-19-specific examples, they’re risking adding to the reputation of SA&T phishing tests being insensitive.
COVID-19 is a relevant pretext that will be used by cybercriminals, but it’s also a pandemic that is sparking mass fear, unease, and danger. People are scared. Many of us have at least one loved one who is high-risk, and experts are forecasting that at least 40% of the population will become infected. Security practitioners need to be exceptionally careful that they don’t add to this panic by using COVID-19 references in their phishing tests. Preying on this fear is cruel, and just because cybercriminals are utilizing this tactic doesn’t justify security practitioners to also stoop to this level.
Instead of using COVID-19-specific phishing drill templates, security practitioners who oversee phishing tests should communicate to their organization that this is a tactic that cybercriminals are using. I recommend sending a mass email to the organization educating them about how the workforce should expect to see these deceptive emails and to encourage managers to reiterate the message to their team. Not everyone will read the emails, but the managers can speak with their team 1:1 to ensure that everyone is aware. The message must be reiterated regularly, not to trick users and spark more fear but to help them feel enabled.
Brian & Claire: As we are all aware, this pandemic is presenting a long list of unique and sometimes new challenges for individuals and organizations. Whatever you choose to do regarding phishing exercises during the next month or more, follow best practices. Stay safe and take care of yourself, your families, your customers, and your employees.