When I was speaking at a Security conference this summer I talked about a campaign we’ve been running at HMRC to raise awareness of the threat of phishing attacks. I'd like to share the approach we used – it was not only engaging, but also provided us with a wealth of management data that helped us measure the effectiveness of the programme and reassess our vulnerability.
Increasing user awareness about the nature of security threats is vitally important, but finding a way of delivering key learning messages that genuinely engage people isn't always that easy to do. Also, measuring the success of awareness campaigns can be fraught with difficulty because awareness levels aren't that easy to quantify.
In our 'Think Before You Click' campaign we worked closely with a supplier to develop the key learning points for the campaign and deliver them in a fresh and appealing way. We published a series of articles on our intranet to deliver practical guidance and tips to help staff identify phishing emails. We stressed the importance of developing good cyber habits both at home and in the workplace and encouraged staff to share the advice provided with family and friends.
We also developed a short learning product that used animation and cartoon characters to illustrate a spear phishing attack from both the victim's and the cyber criminal's perspectives. In it we delivered serious messages in a light hearted and fun way. The learning was available to users from our learning library via self-service in the traditional way, but in addition we delivered the learning in a far more targeted and innovative way that enabled us to identify the highest risk users.
We sent staff a series of emails that replicated real phishing attacks. In one of the most 'clicked' examples, users were sent an imitation invitation to a Royal Garden Party. This approach allowed users to experience first-hand the type of tactics currently used by cyber criminals, but in a safe and controlled environment. Users who clicked on a link in a simulation were directed to the learning product. We used the data from the phishing simulation exercises to quantify both pre- and post-campaign awareness levels. We issued 130,000 simulation emails over a period of six weeks. Each week we saw the number of people clicking on links fall as awareness grew, down by as much as 26 per cent by the sixth week. More than 4,000 staff have completed our online training.
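The mechanics behind that measurement are worth spelling out: each simulation link must be attributable to one recipient (so clickers can be routed to the learning product and repeat clickers identified) without putting a name or staff number in the URL, and the weekly click rate has to be computed on first clicks only so that someone who clicks twice is not counted twice. The sketch below is an added example, not HMRC's or the supplier's code; the campaign name, secret key, tracking host and learning URL are placeholders, and the six weekly waves are constructed figures, not the real campaign data.

```python
import hmac
import hashlib
from collections import defaultdict
from urllib.parse import urlencode

# Placeholders (assumptions, not values from the campaign). The key must be
# generated randomly and kept server side; it is what stops a recipient from
# forging a token for a colleague.
SECRET = b"replace-with-a-random-server-side-key"
LEARNING_URL = "https://intranet.example/learning/think-before-you-click"
TRACK_BASE = "https://sim.example/r"


def tracking_token(campaign_id, user_id):
    """Per-recipient token: an HMAC of campaign and user, so the link carries
    no identifiable data and cannot be guessed or altered to point at someone else."""
    msg = f"{campaign_id}:{user_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]


class Simulation:
    """One wave of simulation emails sent in a given week."""

    def __init__(self, campaign_id, recipients, send_week):
        self.campaign_id = campaign_id
        self.send_week = send_week
        # token -> user_id lookup lives only on the tracking server
        self.tokens = {tracking_token(campaign_id, u): u for u in recipients}
        self.clicks = {}  # user_id -> week of first click

    def link_for(self, user_id):
        """The URL embedded in the email sent to this recipient."""
        return f"{TRACK_BASE}?{urlencode({'t': tracking_token(self.campaign_id, user_id)})}"

    def handle_click(self, token, week):
        """Tracking endpoint logic. Returns the redirect target, or None for an
        unknown token (never redirect on an unrecognised token: that would make
        the endpoint an open redirector)."""
        user_id = self.tokens.get(token)
        if user_id is None:
            return None
        self.clicks.setdefault(user_id, week)  # repeat clicks are not recounted
        return LEARNING_URL

    def click_rate(self):
        return len(self.clicks) / len(self.tokens)


def weekly_rates(sims):
    """(week, click rate, % change on the previous week) for each wave."""
    out, prev = [], None
    for sim in sorted(sims, key=lambda s: s.send_week):
        rate = sim.click_rate()
        change = None if not prev else (rate - prev) / prev * 100
        out.append((sim.send_week, rate, change))
        prev = rate
    return out


def repeat_clickers(sims, min_campaigns=2):
    """Users who clicked in at least min_campaigns waves: the highest-risk group
    to target with follow-up training."""
    counts = defaultdict(int)
    for sim in sims:
        for user_id in sim.clicks:
            counts[user_id] += 1
    return {u for u, c in counts.items() if c >= min_campaigns}


def build_demo():
    """Constructed data: six weekly waves to the same 50 staff, with a falling
    number of clickers each week. Not real campaign figures."""
    staff = [f"user{i:03d}" for i in range(50)]
    clickers_per_week = [20, 16, 14, 12, 11, 9]
    sims = []
    for week, n in enumerate(clickers_per_week, start=1):
        sim = Simulation(f"tbyc-w{week}", staff, send_week=week)
        for user_id in staff[:n]:
            sim.handle_click(tracking_token(sim.campaign_id, user_id), week)
        # the same person clicking twice must not inflate the rate
        sim.handle_click(tracking_token(sim.campaign_id, staff[0]), week)
        sims.append(sim)
    return sims


if __name__ == "__main__":
    sims = build_demo()
    for week, rate, change in weekly_rates(sims):
        delta = "" if change is None else f" ({change:+.1f}% on previous week)"
        print(f"week {week}: click rate {rate:.0%}{delta}")
    print("clicked in every wave:", sorted(repeat_clickers(sims, min_campaigns=6)))
```

Two caveats a practitioner would want before trusting the numbers. First, email security gateways and link-preview features follow links on the recipient's behalf, so a raw hit on the tracking endpoint is not always a human click; filter known scanner sources or count only a second action on the landing page. Second, keep the token-to-user table and the click data under the same access controls as any other personal data about staff, since the whole point of the HMAC link is that nothing in the email itself identifies who clicked.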
The campaign, particularly the use of phishing simulations, generated a high level of user feedback and the discussions that took place really helped to embed some of the key learning points. We are currently reviewing the management information from the campaign but in view of its success we are keen to expand further on the phishing simulation approach used.
Are you looking to run a similar campaign? Can you share your experience on how security education can be delivered in an innovative way that engages the user? Please share your ideas with me, either by commenting on this blog or by emailing me at firstname.lastname@example.org.