In the war against nefarious uses of the Internet, the human firewall is our only hope. The fate of the Republic is in your hands, literally, in your index finger. What, you think this language is too exalted? Read on:
Phishing is epidemic; it’s the most successful way to initiate a high-tech attack against an organization or a low-tech social engineering attack – both of which can result in equal amounts of destructive success. Unfortunately, there is only so much technology we can put in place to prevent phishing. Firewalls and email filters can only go so far. As Princess Leia said to Obi-Wan Kenobi in a hologram projected by R2-D2 that Luke Skywalker saw, you, the end user, are truly our only hope. Our last line of defense is the end user, sitting in front of their computer, with their index finger on the mouse button. That is the human firewall.
The end user poised to click or not to click must be trained and educated on the dangers of phishing emails and scams. The challenge is how: how do you train everyone, from new employees to veteran employees, on the dangers of careless clicking and taking the bait? How does a mother fish train her baby fish not to take the bait with the hook embedded in it? How many fish getting dragged through the water by their lips do other fish need to see to realize the tasty bait isn’t worth the risk? The same is true for us. Perhaps fewer folks would click on phishing emails if they were dragged across the office by their lips.
A survey by the Pew Research Center in June of 2019 revealed just how much training is needed. Pew surveyed Americans about several digital topics, and the results validated what the phishing evidence already proved. 49% of those surveyed did not know that https:// in a URL means the connection to the site is encrypted. Only 67% knew phishing scams can occur on social media, websites, email, or text messages. And frighteningly, only 28% could identify an example of true two-factor authentication from an image (this is the “click all the pictures of a stoplight” kind of thing). We have our work cut out for us.
Training the end user must become as important a priority as maintaining firewall subscriptions and support. It can no longer be optional, nor can we assume everyone knows what they are doing and will only click the right things. Fortunately, there are resources to not only train your users, but also to test them and hold them accountable for their clicks. Enter KnowBe4.
(Full disclosure: I make no money on recommending products like KnowBe4, and I don’t often do product or service reviews, but the concept behind KnowBe4 is what matters to me. We must train the end user: the human firewall. Whether you use KnowBe4 or another service, the key is making sure end user training and accountability are a priority in your organization and an investment you are willing to make.)
KnowBe4 allows you to set up training campaigns where you phish your own users and then record the results. Phishing campaigns can be customized to best fit your organization. As users fail these tests, they are then asked to watch a video or read a training article. KnowBe4 provides hours of video training and countless courses your users can self-study. There are even 10-minute sitcom-like shows teaching various online security concepts. Here is how I deployed KnowBe4.
First, we did some baseline tests where we would send phishing emails to our users, but if they clicked, they would get nothing but a blank web page. This allowed us to discreetly set a benchmark for how prone we were to phishing failures. Once we had the baseline, we rolled out our plan. We do three phishing tests each week. One is on current events, one is on the latest scams, and one is targeted specifically at social media attacks. Again, you can customize all of this.
When you fail a phishing test, upon clicking the link you are taken to a customized STOP page that bears our logo and explains why you failed the test. The STOP page describes common things to look for in a phishing email. All STOP pages can be fully customized. You can also create pages that look like your Office 365 or other services’ login page. These pages can record any data entered, so you not only know who clicked but also what they typed into the bogus forms. But I digress.
The first failure is a free pass. If you fail a second phishing test, you are put into a sort of email purgatory where you are reminded every day to watch a short 3-5 minute training video. KnowBe4 keeps track of who has completed their assignments. If you don’t complete your training, the email reminders increase in frequency.
Upon a third failure, your training assignment increases to 20 minutes and your reminders to complete your training are only 6 hours apart. If you fail a fourth time, your supervisor is going to get involved. Everyone will fail; the phishing attacks are getting so good that even the best will fall. But having a continuing, ongoing training program is critical to staying safe. As employees turn over, new employees are immediately included in the testing. This kind of training cannot be one and done.
You will quickly find where your employees are most susceptible. We have found that phishes threatening to take away Facebook access and promises of free money get the most clicks – so we target those scams. We also work hard to try to trick folks into giving out their login credentials, because we want our users constantly reminded not to give their login credentials to anyone for any reason.
Ongoing training also helps bridge the generational gaps between many of our employees and even volunteers. Millennials grew up with technology and are far too trusting. Baby Boomers are still trying to figure this out; they grew up not having to lock their doors and are now being told to trust no one. It’s like moving from Mayberry to the big city.
The human firewall is our only hope. Whether you use a product like KnowBe4 or something else, your organization needs to be doing this kind of training. Without it, I’m convinced I could stay home, never leave the house, never have to comb my hair, and make a very good living hacking, thanks to folks clicking on phishing emails.
KnowBe4 is reasonably priced and cheaper than subscriptions for most firewall and email filtering services. Costs are based on the number of users, and they even offer a significant discount for churches and ministries.
The fate of the Republic is in your hands, literally, in your index finger.
Jonathan Smith is an author, conference speaker, and the Director of Technology at Faith Ministries in Lafayette, IN. You can reach Jonathan at jsmith@faithlafayette.org and follow him on Twitter @JonathanESmith.