By SecureWorld News Team
Mon | Dec 9, 2019 | 6:30 AM PST

We've written quite a bit about how to measure the success of your cybersecurity awareness program.

And a recent SecureWorld web conference focused on Building an Effective Security Awareness Program.

But how do you know when specific employees are failing at the security awareness program you have put into place?

Many organizations rely on security awareness tests to objectively see how many on the staff are susceptible to social engineering threats that reach them through email, text, voicemail, and even USB.

10 security awareness test failures: the list

If an employee is repeatedly doing any of the following during testing, your security awareness message is not getting through to them:

  1. Clicking on a URL or button within a phishing test

    Falling for this trick in testing reveals that your employee is vulnerable to all types of real-world phishing attacks, such as the fake shipping invoices that are prevalent now. In this fake Amazon shipping invoice, you can imagine the temptation an employee might feel to check whether they are really being shipped a package worth $1,526 with a free iMac inside.

    [Image: fake Amazon "track package" email]
    Virtually everything in the email looks just like it came from Amazon, except the sender field.

    Here's another real-world example of URL social engineering, from hackers impersonating Barclays Bank. It includes a link to click which makes no sense. Why would you click on the time the "employee" is leaving? A member of your company's team who has failed testing in this area may click this curious link just to find out what it means.

    [Image: phishing email impersonating Barclays Bank]
  2. Replying with any type of information to a phishing test
  3. Opening an attachment that arrives as part of a phishing test

    According to the security awareness training experts at KnowBe4, the only safe file type to click on is .TXT (that's the one saying "YES!" on the screen below).

    [Image: KnowBe4 "safe file types" training slide]
    The "poof" in this image happened when the person in the training session chose .PDF as a file type that was safe to open. Anything not expected is suspect and could be carrying malware, except for .TXT.
  4. Enabling macros that are within an attachment as part of a test

    If an employee not only opens an attachment but then says yes when the document asks about enabling macros, that's a very concerning sign. Macros automate frequently used tasks, but in real-world attacks they automate the introduction of what Microsoft calls a "destructive macro," which can spread a virus.
  5. Failure to complete required training within the time allotted

    A city leader in the United States refused to do security awareness training by the deadline, and the city's IT director shut down his email.

    [Image: security awareness training]

    See more: Reckless? City Bans Leader from Email After He Refuses Security Awareness Training. What is your policy in this area?
  6. Allowing exploit code to run as part of a phishing test
  7. Entering any data within a landing page as part of a phishing test

    Falling for this trick indicates an employee who would not only click an untrustworthy link but would also fall for a spoofed website in a real attack.

    Avoiding this social engineering effort is crucial since many spoofed websites look like the real thing. This 2019 Apple Account Verification page (below) is a sleek fake designed to harvest all kinds of information from those who fall for it. It even has a picture of "Our Security Team Online" with big smiles. Who wouldn't trust them?
    [Image: fake Apple account verification page]
    The actual domain in the address bar clearly is not Apple's.
  8. Transmitting any information as part of a vishing test

    In the real world, this type of attack moves the social engineering and manipulation tactics from email (phishing) to voice or voicemail (vishing). Here is an example:
    [Image: KnowBe4 vishing example]
  9. Replying with any information to a smishing test

    SMS phishing, called smishing, is a text message designed to socially engineer you. If an employee repeatedly fails one of these tests, they may not understand the threat.

    In the real world, this is what a smishing attempt can look like:

    [Image: "Apple Care" smishing text message]
    One of the SecureWorld conference team members recently received this message, claiming to be from Apple Care.

    Notice the message at the bottom. It says, "Your iPhone has been locked due to detected illegal activity." This smishing attack also popped up an alleged support number to call, forcing you to make a sudden decision: do I click or call, or not?
  10. Plugging in a USB stick or removable drive as part of a social engineering exercise

[Image: anonymous quote on DLP and USB devices]

Some in security circles are not fans of USB devices, and we hear about this at our regional cybersecurity conferences. Research shows that cyberattacks initiated by infected USBs are rare but continue to happen against high-value targets. Going after Trump's Mar-a-Lago resort with malware on a thumb drive is just one example.
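The list above answers the question of *what* counts as a failure; the other half of the question is how to tell, from the results your awareness platform exports, which specific employees are failing repeatedly rather than slipping once. The following is an added example (not code from the SecureWorld article or from any awareness vendor) that reads constructed test-result records in a simple `date,employee,campaign,result` format, maps results onto the ten failure types above, and flags the people who have failed the same way more than once. The result codes, the record format and the sample data are all assumptions made for this example.

```python
"""Flag employees who repeatedly fail security awareness tests.

Added example, not code from the SecureWorld article or from any awareness
platform. The record format (date,employee,campaign,result), the result
codes and the sample records below are all constructed for this example.
"""
from collections import defaultdict
from datetime import date

# The ten failure types from the list, keyed by a short result code.
# The codes are an assumption for this example; map your platform's own
# result names onto them.
FAILURE_TYPES = {
    "CLICK": "Clicked a URL or button in a phishing test",
    "REPLY": "Replied with information to a phishing test",
    "ATTACH": "Opened an attachment from a phishing test",
    "MACRO": "Enabled macros inside a test attachment",
    "TRAINING_OVERDUE": "Did not complete required training on time",
    "EXPLOIT": "Allowed exploit code to run in a phishing test",
    "DATA_ENTRY": "Entered data on a test landing page",
    "VISHING": "Gave information during a vishing test",
    "SMISHING": "Replied with information to a smishing test",
    "USB": "Plugged in a removable drive during an exercise",
}

# Constructed sample export: one "date,employee,campaign,result" record per
# line. REPORTED is a non-failure outcome (the user reported the message).
SAMPLE_EVENTS = """\
2019-10-02,alice@example.org,Q4-ship-notice,CLICK
2019-10-02,bob@example.org,Q4-ship-notice,REPORTED
2019-10-02,carol@example.org,Q4-ship-notice,CLICK
2019-10-02,carol@example.org,Q4-ship-notice,DATA_ENTRY
2019-11-05,alice@example.org,Q4-bank-notice,CLICK
2019-11-05,carol@example.org,Q4-bank-notice,CLICK
2019-11-05,carol@example.org,Q4-bank-notice,MACRO
2019-11-20,dave@example.org,training-2019,TRAINING_OVERDUE
2019-12-03,alice@example.org,Q4-sms,SMISHING
2019-12-03,bob@example.org,Q4-sms,REPORTED
"""


def parse_events(text):
    """Parse the export into (date, employee, campaign, result) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, employee, campaign, result = line.split(",")
        events.append((date.fromisoformat(day), employee, campaign, result))
    return events


def count_failures(events, since=None):
    """Return {employee: {result_code: count}} for failure results only.

    If `since` (a date) is given, earlier records are ignored so that a
    person who improved after counselling is not flagged forever.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for day, employee, _, result in events:
        if since is not None and day < since:
            continue
        if result in FAILURE_TYPES:
            counts[employee][result] += 1
    return counts


def repeat_failures(events, min_repeats=2, since=None):
    """Employees who failed the same way at least min_repeats times.

    Returns {employee: {result_code: count}} holding only the repeated
    failure types, so one-off slips do not flag anyone.
    """
    flagged = {}
    for employee, per_type in count_failures(events, since).items():
        repeats = {code: n for code, n in per_type.items() if n >= min_repeats}
        if repeats:
            flagged[employee] = repeats
    return flagged


def campaign_failure_rate(events, campaign):
    """Fraction of a campaign's recipients who failed in any way.

    Recipients are everyone with a recorded outcome for the campaign; an
    export that also lists people who took no action would count them too.
    """
    recipients = {e[1] for e in events if e[2] == campaign}
    failed = {e[1] for e in events if e[2] == campaign and e[3] in FAILURE_TYPES}
    return len(failed) / len(recipients) if recipients else 0.0


def report(events, min_repeats=2, since=None):
    """Human-readable lines for the people who need follow-up."""
    lines = []
    for employee, repeats in sorted(repeat_failures(events, min_repeats, since).items()):
        for code, n in sorted(repeats.items()):
            lines.append(f"{employee}: {n}x {FAILURE_TYPES[code]}")
    return lines


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    rate = campaign_failure_rate(evts, "Q4-ship-notice")
    print(f"Q4-ship-notice failure rate: {rate:.0%}")
    for line in report(evts):
        print(line)
```

On the sample data, two people are flagged for clicking in two separate campaigns, while the one-off macro and data-entry failures and the single overdue training record are counted but not reported as repeats. The `since` window matters for the "what next?" debate that follows: whatever consequence or counselling policy you choose, the report should reflect behaviour after the last intervention, not a lifetime tally.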

When employees repeatedly fail a security awareness test, what next?

When employees repeatedly fail, there are some extreme ideas on next steps.

Those ideas range from punishment up to termination, on one side, to never letting discussions about failures go beyond a chat with a person's direct supervisor, on the other side.

To hear from security leaders on different sides of this debate, read Consequences or Counseling? Employees Who Repeat Bad Security Behavior.

Are there other security awareness test failures?

Within your experience, are there other signs or examples that your employees are failing to grasp your security awareness message? And if so, what type of follow-ups make sense?

Please share your thoughts in the comments section below.
