Perry Carpenter, KnowBe4 Chief Evangelist and Strategy Officer, discusses the phishing dilemma: ‘Should you phish test users or not during the COVID-19 pandemic?’
There’s no question: these are challenging times. Employees and organisations around the world are doing their best to keep everyone safe. Plus, we are settling into a new normal for accomplishing work from home. Tensions are high. Fear and uncertainty abound. No one wants to add more stress to an already stressful situation.
Over the past week or so, I’ve seen a few social media postings and had a few discussions with people who believe that organisations should not phish test users during this time. They feel that the best way to practice “socially responsible awareness training” is to provide simple information-based awareness training and abstain from phish testing. Thoughts like this may be well-intended, but I believe that they are wrong. Here’s why:
Cybercriminals are ramping up their real attacks right now. This brand-new graph shows the exponential growth of new COVID-19 malicious phishing templates:
So, it is super-important to keep our end-users on their toes. In fact, because cybercriminals are in a COVID-19 feeding frenzy, I’ll be bold enough to say that *not* conducting phishing training during this time amounts to negligence. Cybercriminals prey on stress, distraction, urgency, curiosity, and fear. Not only that, they are also bringing that full force against your end-users and your organisation.
That being said, I totally understand where people are coming from when they feel hesitant to phish test users during this COVID-19 pandemic. Organisations don’t want to add additional stress to their people. They are afraid that they may make employees feel confused or alienated. Totally understandable… and totally addressable. The key factors: your tone and your process.
I’ll address tone first because I believe it is the single most important piece to getting this right. I’ve outlined the critical importance of tone before on webinars, in conference sessions, and in my book. But, because tone is so much easier to feel than to describe, I’ll use a video example.
This is from a COVID-19 awareness project that I kicked-off with. It is designed specifically to help security awareness leaders conduct critical phish testing in a way that feels caring and compassionate. Have a look and hopefully you’ll get a feel for what I mean. This is a pre-campaign message for customers to send to their end-users:
There are a few key aspects that resonate through the videos in this series. In essence, those come down to:
- Open with compassion and understanding: Things are new and different. We get it.
- Explain the situation: The COVID-19 situation opens up new work-from-home risks and cybercriminals are taking advantage of it.
- Outline our responsibility: As a result, we all need to be more vigilant.
- Say what we are doing: One of the ways we plan to do that is to send out simulated phishing tests.
- Describe the intended outcome: The intent isn’t to trick anyone, shame anyone, or so on. It is to help us build secure reflexes.
- Provide advice and direction: Cybercriminals are relying on distraction, stress, and panic. So, anytime you see anything related to COVID-19 in your inbox, always evaluate it with a sense of scepticism. Report suspected phish.
- Close with a sense of community: “Keep Calm and Don’t Click. We’re all in this together.”
The other key factor that you need to think about is process. Because we’ve entered a ‘new normal,’ you should send out a fresh message to your users letting them know that cybercriminals are having a heyday with COVID-19. And because of this, you are going to help prepare your people for what’s coming.
In essence, your process should be the following:
- Warn your people about the scams: Provide timely information about how cybercriminals are using this stressful time to their advantage.
- Tell them that you are going to help prepare them by sending COVID-19 and other simulations. If you are a KnowBe4 customer, you can use the pre-campaign video from the series I described above. If not, you can create your own message based on the formula that I outlined. Remember: tone is key!
- Ramp up testing to increase vigilance
- Consider using a failure landing page with a video that explains how cybercriminals are using COVID-19 right now to capitalise on the situation. This needs to be encouraging. If you are a KnowBe4 customer, you can use the post-click video from the series I described above. If not, you can create your own message based on the formula I outlined. A key message here is something like, “Oops, you clicked… Don’t worry, this wasn’t a real phishing email. You’re safe and our organisation is safe. But beware, cybercriminals are using all of the news, panic, and disorientation around COVID-19 as a way to trick people into clicking on malicious links, opening sketchy attachments, accidentally giving away login/password info, and more. Your job is to be super-sceptical of any email that evokes strong emotion (fear, urgency, and so on)… especially if the email is related to COVID-19.”
- Reinforce vigilance with consistent encouraging messaging. (e.g. “Keep Calm and Don’t Click. We’re all in this together.”)
I hope this was helpful for you when deciding whether to phish test your users during this COVID-19 pandemic. To summarise, when you engage your employees with the right message and tone, there is nothing to fear. In fact, they will feel a sense of pride in helping protect the organisation. That’s all for now. “Keep Calm and Don’t Click. We’re all in this together.”
Finally, for KnowBe4 customers, we have a full campaign ready for you. It consists of a video for the KnowBe4 Platform Admin, one video to announce the campaign to your users, and a video that lives on the landing page after they clicked on your COVID simulated phishing test.
Call us on 01628 362 784 if you have any questions on how to set up this campaign and we will get you going.
We also have coronavirus phishing and security awareness resources to help keep your network secure while users are working from home.