

CASE STUDY - Wombat Security

Utility Company Reduces Phishing Susceptibility by More Than 67%

Wombat’s ThreatSim® simulated phishing attacks help to improve security behaviors throughout the organization

The Challenge

A large utility company based in the western US had a problem virtually every organization — those within critical infrastructure and those without — can relate to: end-users who didn’t understand how to recognize phishing attacks.

“The phishing threat wasn’t quite as bad as it is now, but we certainly knew we had an issue,” said the organization’s information security specialist in charge of security awareness and training. “And we knew that the problems were only likely to get worse.”

Thankfully, said the training manager, she and the cybersecurity team were able to get buy-in to kick off a phishing assessment program. “We were quite happy the senior management agreed that we needed to address the issue.”

The Solution

A search began for a suitable platform for delivering and managing the program, as well as measuring the results. “We knew we wanted a tool that would allow us to use multiple [mock phishing] templates and provide comprehensive reporting capabilities,” she said.

Before kicking off the program, the utility’s cybersecurity team communicated to stakeholders and the entire employee base about the impending start of the program and the intent behind it — an approach that is strongly recommended by Wombat, and one that was reflected in the training manager’s independent research.

“We made sure first and foremost that all the stakeholders knew our plans. We initiated meetings with our human resources team, the IT helpdesk manager, and other key players. We knew it was important to be a good partner,” she said, “and we’ve followed that principle from day one. For example, we still work with the IT group to make sure our simulated attacks are not scheduled for a busy week for the team, because we don’t want to pile on with helpdesk calls and emails.”

Executives weren’t the only ones briefed about the forthcoming activities. “We didn’t want this to come as a surprise to people. We didn’t want to upset anyone unnecessarily,” the training manager said. “That’s not to say that we don’t still have the occasional complaint from our end users, but it helps that we go out of our way to help them understand what we’re doing and the ‘why’ behind the program.”

CASE STUDY

Case Study Highlights

Problem
• The utility’s security awareness training team recognized phishing was a growing threat
• Initial assessments indicated low end-user awareness of phishing

Results
• More than 67% reduction in click rates
• Monthly assessments helped drive a company-wide culture of security
• Scored 99% on company-wide “avoiding phishing” assessment

Copyright © 2018 Proofpoint Inc.


Monthly Assessments, Increasing Difficulty

The utility decided to use Wombat’s ThreatSim product for monthly simulated phishing attacks, paired with embedded “just-in-time” teaching messages known as Teachable Moments. These messages are triggered when an end user interacts with a mock phish; the simple, engaging messages explain the purpose of the simulated attack and offer tips for recognizing and avoiding future phishing emails.

Wombat recommends that all organizations consider a monthly ThreatSim phishing assessment schedule like the one the utility implemented. This approach allows administrators to test different types of templates, message styles, and threat vectors (malicious links, dangerous attachments, and data entry/credential capture). With monthly simulated attacks and the reporting functions available within ThreatSim, organizations can get an accurate picture of trends over time and more easily identify the types of attacks that employees are most likely to fall for.

One trend the training team noticed fairly early on was that employees were much more inclined to click on and respond to messages that were corporate in nature. “The operational-style mock attacks consistently had higher click rates than other messages we sent. I’m sure it’s because people are looking to be compliant and do the things our company asks them to do,” the training manager said.

Though these types of simulated attacks can leave some employees feeling unsettled, they reflect the challenges of avoiding business email compromise (BEC) attacks. End users must understand that they should not take any unsolicited emails at face value — not even “corporate-looking” communications. The good news is, the utility’s efforts are paying off.

“As our program has matured,” she said, “our end users have gotten much better at spotting these types of phish.”

The utility’s multi-year program has shown consistent improvements, even as the simulated attacks have become more challenging. The training manager has taken advantage of the flexibility of Wombat’s ThreatSim product, which allows programs to evolve naturally over time by giving administrators the ability to choose templates with increasing levels of difficulty and/or customize messages to address hot-button topics.

“In the past, we made it easier for people to tell it was a phish — by putting in grammatical errors or other more ‘obvious’ signs,” she said. “But as click rates went down, we made an effort to raise the difficulty level with the campaigns we were sending out.”

To check the results, she will occasionally put an “easier” simulated attack into the monthly rotation. “I recently sent out an email that I’m sure, back in the early days of the program, would have had a lot of takers,” she said. “But at this stage, we had hardly any click-throughs.”

Targeted and Seasonal Assessments

The utility’s training team has long stressed the need to develop realistic simulated attacks. They keep an eye on attacks that are happening in the wild, and they use time-sensitive and seasonal simulated phishing emails to mimic the approach that real-world attackers take. They feel this helps prepare their employees to recognize and respond to threats they could very well see within the workplace and in their personal communications.

The organization also uses ThreatSim simulated attacks for targeted training. “We’ve done campaigns around conference registrations and other industry-specific events and topics in order to try to deliver emails that feel like they are a part of our line of business,” the training manager said. “Different topics resonate with different areas of the business, so it’s helpful to be able to customize those messages.”

The customization options available within ThreatSim were particularly useful when the cybersecurity team developed a simulated BEC attack. After a few fraudulent wire transfer messages passed through the utility’s corporate email filters, the training manager decided to run an internal whaling campaign targeting the company’s executives and higher-level managers. While most employees were successfully spotting phishing attacks, the training manager was concerned that the organization could still be susceptible to sophisticated and targeted spear phishing attacks.


Wombat Security, a division of Proofpoint | wombatsecurity.com | [email protected] | +1 (412) 621-1484 | UK +44 (0) 118 402 9163


“We customized the simulated phishing messages for each of the executives,” she said. “Our team went on LinkedIn and used Google to find out the information that was readily accessible out there in the wild, details like the organizations and programs the executives are affiliated with.”

The campaign was very impactful, she said. “We communicated to the recipients in advance that we would be doing a targeted campaign; we didn’t want to blindside them. But even so, the messages were so convincing that we had a fairly high click rate.”

The exercise was a great example of how ThreatSim simulated attacks can be customized and targeted, and how well they can drive home the realities of social engineering. It also reinforced the training manager’s desire to deliver challenging assignments and continually expand her end users’ understanding of what phishing messages look like. After all, attackers — particularly those seeking access to specific people and systems — frequently turn to social media and use credible-looking details to trick unsuspecting recipients.

“We thought and acted the way that attackers are thinking and acting every day,” the training manager said. “It was a valuable lesson for our executives to learn, and a very effective way for them to learn it.”

Implementing Training and Reinforcement to Improve Retention

In addition to phishing assessments, the cybersecurity team incorporates education and reinforcement techniques into their security awareness and training program. These components, which are foundational elements of the Wombat Continuous Training Methodology, help to improve knowledge retention and keep best practices top of mind throughout the year.

That’s not to say there haven’t been challenges around expanding the program to include an educational component in addition to the simulated phishing exercises. “It was hard to get training approved as well, because our executive team didn’t want to add more to people’s plates,” the training manager said. “Ultimately, though, they recognized how important cybersecurity training is.”

To reinforce key cybersecurity messages, the team places posters in common areas, and a section of the company’s website is dedicated to providing information about phishing and email security best practices. They’ve also incorporated Wombat’s PhishAlarm® email reporting button on their email clients. This tool — which allows employees to report suspicious messages to the organization’s security response team with a single mouse click — gives end users the opportunity to actively participate in threat detection and prevention.

“We’ve had so much good feedback about the PhishAlarm button,” the training manager said. “Our users really like it.”

In addition to using these tools, the cybersecurity team continuously engages with the employee base to build a culture of security awareness. They develop a year-long communication calendar in advance, and deliver cybersecurity awareness topics throughout the year. Also, if the utility is experiencing an active phishing attack, the team sends out an alert via email.

But what’s perhaps most impressive is the organization’s security advocate program, which boasts more than 700 members and offers an effective avenue for dispersing information and creating conversation points. The cybersecurity team regularly connects with the advocates, who then speak with their teams and their colleagues. This approach organically widens the reach of security initiatives and allows for localization and targeting of key security messages.

Measurable Results

The successes of the utility’s security awareness training program go far beyond anecdotal evidence of a more engaged workforce. ThreatSim’s extensive reporting capabilities and the utility’s own performance measurements have allowed the organization to accurately track the metrics related to its monthly simulated attack campaigns and phishing awareness — and the results show significant progress.

Decreased Click Rates and Phishing Susceptibility

The utility’s initial baseline campaign resulted in a 32% click rate. Eighteen months later, the year-to-date average was 10.42%. This 21.58% change in click rates translates to a 67.43% reduction in susceptibility.

The training manager also noted that she’s been able to measure year-over-year improvements on “like” simulations. “We like to do messages that are seasonal in nature, to take advantage of the patterns we see in the wild. So we did a simulated shipping notification email, with some variations, for three Decembers in a row,” she said. “The click rates associated with those three attacks — which went from 22% to 15% to 7% — show me that our users are definitely learning and paying attention and making better decisions now than they were when we started.”
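The figures reported above (a 32% baseline click rate, a 10.42% year-to-date average, a 21.58-point change that corresponds to a 67.43% reduction in susceptibility, and the 22% / 15% / 7% December series) can be reproduced from per-campaign send and click counts. The Python below is an added example written for this page; it is not Wombat’s, ThreatSim’s or the utility’s code, and the campaign names, dates and counts are constructed sample records. It keeps the percentage-point change and the relative reduction as separate figures, since the case study reports the drop from 32% to 10.42% both ways, and it adds a like-for-like view for re-runs of the same template, the comparison the training manager describes for the seasonal shipping notice.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Iterable


@dataclass(frozen=True)
class Campaign:
    """One simulated-phishing send. Sample records only (constructed, hypothetical)."""
    name: str      # template name, reused for like-for-like comparisons
    year: int
    month: int
    sent: int      # recipients of the mock phish
    clicked: int   # recipients who clicked the link

    @property
    def click_rate(self) -> float:
        """Click rate as a percentage of recipients."""
        return 100.0 * self.clicked / self.sent


def percentage_point_change(baseline_rate: float, current_rate: float) -> float:
    """Absolute drop in click rate, in percentage points (32% -> 10.42% is 21.58 points)."""
    return baseline_rate - current_rate


def relative_reduction(baseline_rate: float, current_rate: float) -> float:
    """Drop relative to the baseline, as a percentage of that baseline
    (21.58 points out of a 32% baseline is a 67.4% reduction in susceptibility)."""
    if baseline_rate <= 0:
        raise ValueError("baseline click rate must be positive")
    return 100.0 * (baseline_rate - current_rate) / baseline_rate


def ytd_average(campaigns: Iterable[Campaign], year: int) -> float:
    """Mean click rate of the campaigns sent in one year (per-campaign mean, not pooled clicks)."""
    rates = [c.click_rate for c in campaigns if c.year == year]
    if not rates:
        raise ValueError(f"no campaigns recorded for {year}")
    return mean(rates)


def like_for_like(campaigns: Iterable[Campaign], name: str) -> list[tuple[int, float]]:
    """Click rates for each re-run of the same template, oldest first."""
    runs = sorted((c for c in campaigns if c.name == name), key=lambda c: (c.year, c.month))
    return [(c.year, c.click_rate) for c in runs]


def summarize(campaigns: list[Campaign], baseline_name: str, year: int) -> dict[str, float]:
    """Headline metrics: baseline rate, year-to-date rate, and both ways of stating the drop."""
    baseline = next(c for c in campaigns if c.name == baseline_name)
    ytd = ytd_average(campaigns, year)
    return {
        "baseline_rate": baseline.click_rate,
        "ytd_rate": ytd,
        "points_change": percentage_point_change(baseline.click_rate, ytd),
        "relative_reduction": relative_reduction(baseline.click_rate, ytd),
    }


# Constructed sample history (hypothetical names and counts, not the utility's records).
SAMPLE = [
    Campaign("baseline-generic", 2015, 6, 1000, 320),        # 32.0 %
    Campaign("shipping-notice", 2015, 12, 1000, 220),        # 22.0 %
    Campaign("it-password-expiry", 2016, 3, 1000, 140),      # 14.0 %
    Campaign("conference-registration", 2016, 6, 1000, 90),  #  9.0 %
    Campaign("shipping-notice", 2016, 12, 1000, 150),        # 15.0 %
    Campaign("shipping-notice", 2017, 12, 1000, 70),         #  7.0 %
]


if __name__ == "__main__":
    # The page's own headline figures, fed in directly.
    print(f"points change: {percentage_point_change(32.0, 10.42):.2f}")
    print(f"relative reduction: {relative_reduction(32.0, 10.42):.2f}%")
    # The same metrics computed from the constructed sample history.
    for key, value in summarize(SAMPLE, "baseline-generic", 2016).items():
        print(f"{key}: {value:.2f}")
    for year, rate in like_for_like(SAMPLE, "shipping-notice"):
        print(f"shipping-notice {year}: {rate:.1f}%")
```

The year-to-date figure is the mean of per-campaign click rates rather than pooled clicks over pooled recipients; the two differ when campaigns reach audiences of different sizes, so a program that reports one should say which.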

Improved Secure Behavior Metrics

The utility participates in an annual enterprise security assessment that evaluates employee behaviors and decision-making processes related to basic technical and cybersecurity safeguards. The survey is sent out to the enterprise, all roles and responsibilities, from senior managers to individual contributors. In total, more than 2,000 people participate in the evaluation. Users are assessed about practices such as copying and emailing sensitive information, sharing and/or writing down passwords, leaving sensitive materials unprotected, and forgetting to lock computer systems when stepping away from their desks.

In addition to these policy-related “yes/no” indicators, the employees are evaluated on their ability to avoid risky behaviors, including clicking on phishing emails. The survey contains questions related to the perception of risk to the organization, such as the tendency to open attachments or click on links for non-business-related emails.

In a company-wide assessment prior to the kick-off of the anti-phishing program, the “avoiding phishing” secure behavior metric was 91%. Three years later, the assessment reflected a significant improvement in decision-making processes, showing a 99% metric for the same behavior.

Kudos and Recognition From Top Executives

The program and its successes have been recognized and discussed at some of the highest levels of the organization. “At a series of recent leadership training events, the president of the company spoke very highly of our phishing program,” the training manager said. “Some of the meetings had more than 1,000 people in attendance, and he emphasized the impact and the importance of our efforts.

“That level of support from our executive team is really validating. And I know we are lucky, because I hear firsthand that many information security teams don’t have that support,” she said. “I’m very grateful we have that, because I think the top-down buy-in has really made a difference and helped us be successful.”

Looking Forward

The utility has no plans to cut back on the monthly phishing assessments, and the training manager said she intends to get even more creative and increase the level of challenge for end users.

“We’re helped by the fact that we see it in the news so much,” she said. “On one hand, it’s bad that these phishing attacks are still happening, but on the other hand it continues to prove the need for awareness and training programs of this nature.”

Further, she encourages organizations that have been hesitant to incorporate simulated phishing to rethink their positions. “I know there are organizations that say they don’t want to ‘trick their employees,’ and so they shy away from doing simulated attacks. But all of our executives understand that the easiest and quickest way through all of our technical controls is the human,” she said.

She again emphasized the value of executive buy-in. “Our leaders really do support the cybersecurity team and this program. And that resonates with our employees, because they know if they are hearing it from the top, they need to take it seriously.”
