Phishing sent through emails is the most common form of cyber attack because it is easy to pull off. And the high level of digital connectivity in every business today, opens organisations to attacks. Every Chief Information Security Officer has reason to fear a phishing attack because through it, cybercriminals can steal company or personal data, delete files and even deploy ransomware.

The economic loss can be great. Last year, a Microsoft report showed that such attacks can cause organisations in the Asia-Pacific to lose a staggering US$1.745 trillion.

One way to create greater awareness of phishing is through simulation, that is, conducting phishing drills among users. It is a way to teach them to recognise different phishing scams so as to reduce the success rate and lessen impact of such attacks.  

For the last six years, the National University of Singapore (NUS) has been using phishing drills in combination with user education. Periodically, phishing drills are sent out to its large student body of 38,000 as well as 14,000 academic staff members. Ang Leong Boon, Head of NUS IT Security, shared the University’s experience of running this programme in a technical session on Day 2 of RSA Conference 2019 Asia Pacific & Japan called Designing Effective Phishing Simulation Drills.

To ensure the success of phishing drills, the target audience must be properly identified, he said.  Students form a young user base while the lecturers are much older, so the phishing emails have to be phrased differently. 

Next decide on phishing techniques. Is the phishing email aimed to bait the user to give up his password, or to click on a file so that a malware can be downloaded? Relevant training material must also be shared before, during and after the drill so that learning points can be raised and instilled.

Ang said for drills to be effective, it must be repeated. But frequency is an issue, too often leads to fatigue while too few will not create top of mind recall. After the drill, there must be feedback so that users know the outcome of such simulations. Schedule drills on Monday mornings when users are less alert after a relaxing weekend. Avoid Friday afternoons because users preparing for the weekend are less likely to look at their emails. 

A good tip: send out the simulations in batches rather than all at once, so that no one leaks that a drill is underway. Determine how long the drill stays “open.” Experience shows that the number of users opening the email drops after two days. So NUS stops the drill at the end of two days. 

Naturally there will be users who do fall prey to the simulated phishing. Their department heads are notified. It is mandatory for repeat “failures” to attend “remedial” anti-phishing class. The simulations are sent to them again,  but they are incentivised to “pass” with gift cards.

Ang’s session was a good, every seat in the seminar room was filled. Phishing drills reinforce cyber resilience and it should be an exercise that every organisation must do to get prepared. After all, it is no longer a question of if your organisation will be breached, it is when it will be attacked. 

Contributors: