ESRM Blog 2020

Do you know when to click?

Our UK Enterprise Security and Risk management Virtual Conference was held on the 3rd of November. During this event, our industry partners had the opportunity to build their client base and guest speakers were able to share their personal and professional opinions about their organisational roles and responsibilities. Furthermore, delegates were able to network, debate and collaborate in a virtual setting, which overall projected a positive atmosphere for everyone involved.

We will now recap the insights of one of the outstanding presentations.

Phishing Simulation Gone Wrong

Denise Beardon, Head of Information Security Engagement, Pinsent Masons 

Hannah Tufts, Cyber Security Awareness Specialist, Pinsent Masons

In 2017 Pinsent Mason experienced the worst click rate in their history.  Rather than a genuine attack, the phishing simulation was a well-crafted and designed exercise to catch people out. Without giving statistics, Denise enlightened us of this particularly convincing HMRC phishing email which was sent out at the same time as the end of year tax returns were due. This led to a complete meltdown of both their IT service desk and their payroll department. Although the IT services desk was fully aware and preparations were in place, they were still overloaded with a vast number of queries.

Once the employees became aware of how significant the click rate was, everyone fell out with information security. Whilst you could argue that on one hand, they were trying out a real-life scenario of a phishing email gone viral and, despite having put in additional resources to support employee response, what caused a lasting impact was the sense of having been duped.. .  This, along with the realisation that people did not really learn anything from the phishing simulation only that it was a gross inconvenience, led to the rejection of future phishing simulation by the IT services.

The ‘Positive’ Strategy

By looking back on the previous phishing simulation, Pinsent Mason wanted to create a more positive approach and came up with two steps to achieve this. The first was that they needed to stop making people feeling guilty about clicking. This was a vital step because people began to lose confidence in their ability to spot phishing emails. The second step was to turn the learning into a positive experience and use a common language which isn’t bogged down in cyber-specific technicalities.

To make sure they were successful in achieving this positive experience, Hannah explains that they chose to empower partners and employees on an individual level. In this case with insights gained from neurological studies explaining to them why we are all at risk of falling for phishing emails. In addition, they chose only to focus on positive behaviour which resulted in publishing or rewarding their good behaviour. This meant that Pinsent could socialise the phishing button and make sure people knew where it was. It was stated that the objective was not to catch people out but that it was to share with them the reasons why they might click on the link.

Introducing 3 Of Our So-Called Happy Hormones

  • Dopamine – the hormone that seeks reward
  • Serotonin – the hormone that wants us to achieve higher social status
  • Oxytocin – the hormone that wants us to be liked

These hormones are generated by our ancient limbic system and have evolved over  150 million years. Our very survival is linked to these powerful hormones. However, as times have changed and evolution takes place, our dopamine has changed from finding hunting for survival as a reward to now feeling as though it is rewarding to receive an email or a notification on an electronic device. Unfortunately, cybercriminals figured this out a long time ago, resulting in them being able to take advantage of using social engines.

How do we fight this?

Nero-science shows that no one is immune to phishing. The only effective way to acknowledge if a phishing email is present in your inbox is to follow these steps:

  1. Think twice. If there is an email from an unknown sender, you should take care when opening the email.
  2. Expand the sender’s details. Be aware that there may be no information.
  3. Hover over links. Make sure you know where the link will take you.
  4. If there any of the above is alarming, you should report the email.

Remember ESRM UK will remain open till the 3rd of December 2020, so please check it out if you have not already by clicking the link below.

We hope to see you all again next year at ESRM UK, March 2021