In this week’s Whiteboard Wednesday, Justin Buchanan, Solutions Manager for Vulnerability Management and Offensive Security Products at Rapid7, returns for the third and last installment of our three-part series on anti-phishing: phishing awareness training. (Missed parts one and two of the series? We encourage you to binge-watch.) In this video, we address 5 key questions security practitioners often have when starting phishing awareness training for their colleagues. If our steps are implemented correctly, you’re on your way to turning your employees from your largest attack vector into your first line of defense.
Want to enlist our help to combat phishing? Download and print our handy phishing awareness training poster for your office.
Hi and welcome to this week's Whiteboard Wednesday. My name's Justin Buchanan, Solutions Manager for Offensive Security Products here at Rapid7. We're here today to continue our discussion in our anti-phishing series. Today specifically we'll be talking about phishing awareness training.
Now overall, why are we talking about phishing? And the reason is because phishing is a real problem. A finding by the FBI says that $5.3 billion will be lost over the course of three years as a result of business email compromise scams. That's a lot of money.
So what can we do to protect our organizations? One component of our overall plan to protect against this is phishing awareness training. So let's talk about what a phishing awareness training plan is and how to implement it.
A phishing awareness training program should start with first measuring your susceptibility to phishing, training your employees to be more resilient to phishing, and then measuring your success.
So let's start with the first component, measuring our susceptibility to phishing. How do we do that? The first thing that we need to do is roll out technology that enables our employees to report suspected phishing messages. We cover this in depth in our other section, phishing protection.
Once we've rolled out this technology to the enterprise, we then need to train our employees to understand how to identify potential phishing emails, the potential indicators that they should look for to understand if something may be malicious, and how to use the reporting technology to send that message to your team for analysis.
Now that we've deployed the technology and trained our users how to use it, the next thing is to run a phishing simulation. A phishing simulation is when you act like an attacker and send a phishing email to your company to test their susceptibility to phishing. You'll send this phishing simulation out to the entire company. You'll want to send it to everyone so that you can get a baseline for how many people open the email, how many people click the link, how many people get phished, and how many awesome people report it as a potential phishing message.
Now that you have this baseline, you'll then continue through your program, where you'll run targeted trainings for certain departments, maybe key roles, and you can do a lot of different processes with them. You can run phishing simulations and follow-up trainings. These trainings can take many different forms: perhaps in-person training, online training, or material sent out that they can read on the train. Either way, this targeted training will continue with the two pieces in conjunction: simulation, then training afterwards. And you'll do that for these targeted groups throughout the year.
Then, at the end of the year (we suggest within a 12-month period), you'll run another company-wide phishing simulation. The purpose of this simulation is to measure your success. You should see that the number of users interacting with phishing emails has gone down, and the number of users in your organization reporting phishing emails has gone up. That is a measurable success for your company, and a measurable decrease in your overall risk.
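One way to turn the baseline and year-end simulations into the measurable comparison described above, as an added Python example that is not part of the video or of Rapid7's tooling; the `Outcome` record, the constructed per-user results and the exact success rule are assumptions:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    """One recipient of a simulation and what they did with the message (assumed shape)."""
    user: str
    opened: bool = False    # opened the email
    clicked: bool = False   # clicked the link
    phished: bool = False   # went all the way, e.g. entered credentials on the landing page
    reported: bool = False  # used the reporting button to send it to the security team


# Constructed sample data: the initial company-wide simulation (the baseline).
BASELINE = [
    Outcome("u1", opened=True, clicked=True, phished=True),
    Outcome("u2", opened=True, clicked=True),
    Outcome("u3", opened=True, reported=True),
    Outcome("u4"),
    Outcome("u5", opened=True, clicked=True, phished=True),
]

# Constructed sample data: the company-wide simulation after 12 months of targeted training.
FOLLOW_UP = [
    Outcome("u1", opened=True, reported=True),
    Outcome("u2", opened=True, clicked=True),
    Outcome("u3", opened=True, reported=True),
    Outcome("u4", reported=True),
    Outcome("u5", opened=True, reported=True),
]


def funnel_rates(results):
    """Return the open / click / phished / report rates (0..1) for one simulation."""
    n = len(results)
    if n == 0:
        raise ValueError("a simulation with no recipients gives no baseline")
    return {k: sum(1 for r in results if getattr(r, k)) / n
            for k in ("opened", "clicked", "phished", "reported")}


def program_succeeded(baseline, follow_up):
    """Success as defined in the program: fewer users interacting with the phish
    (clicking or getting phished) and more users reporting it."""
    b, f = funnel_rates(baseline), funnel_rates(follow_up)
    interaction_down = f["clicked"] < b["clicked"] and f["phished"] <= b["phished"]
    reporting_up = f["reported"] > b["reported"]
    return interaction_down and reporting_up


if __name__ == "__main__":
    for name, run in (("baseline", BASELINE), ("follow-up", FOLLOW_UP)):
        print(name, {k: f"{v:.0%}" for k, v in funnel_rates(run).items()})
    print("program succeeded:", program_succeeded(BASELINE, FOLLOW_UP))
```

Feeding the real export from your simulation tool into the same two functions gives the year-over-year numbers the program is judged on.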
That's it for this Whiteboard Wednesday, we'll catch you later.