The first set of emails was sent from a Gmail account created for the exercise. The messages contained no identifying information and used a basic HTML link pointing to a local IP address as the trap. Out of the initial run of a few hundred emails, Berlin said that she got nearly 60 percent of the targets to enter their credentials.
The powers that be viewed the results as proof positive that something should be done about this gap in security, but the program needed to be tuned, and there needed to be a way to track the results. The process took a few months, but eventually Berlin was ready to launch her program officially.
Rewarding those who help:
While the initial test proved that an awareness program was needed, the question of who should do the training was the first hurdle. Research showed that there were plenty of vendors available to come in and run an awareness program. However, the cost of hiring someone from the outside was steep and would put additional pressure on an already taxed budget.
Instead, Berlin explained, the company opted to manage things internally. Moreover, some of the money that would have gone to an external training firm ($1,000) was allocated in order to establish a reward scheme for employees.
"So every time somebody reports a phishing email, whether it be from me or the outside, they need to forward it to the help desk or call and let us know, so we can actually see the email. If it's a legitimate one, we'll go through the steps to actually block it; otherwise we'll let them know they've been entered into the drawing."
The program allows employees to report real phishing emails as well as emails sent as part of the ongoing awareness training. Other suspicious electronic activity may also count, such as emails with attachments the employee didn't expect, but that is decided on a case-by-case basis.
Another notable aspect of the program is that employees are encouraged to report anyone who attempts to access their system without authorization.
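One way the help desk could implement the triage step described above, added here as an illustration and not the company's or Berlin's own tooling: each forwarded report is parsed, links are checked against the domain the internal campaign uses (SIM_DOMAIN, an assumed name), real phishes feed a block list, and counted reports become drawing entries. The sender addresses, domains and sample messages are constructed for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

# Assumption: the internal awareness campaign's landing pages live under this
# domain, so any reported mail that links there is a training email, not a live attack.
SIM_DOMAIN = "awareness-training.example"

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def extract_urls(msg: EmailMessage) -> List[str]:
    """Collect http(s) links from every text part of a parsed message."""
    urls: List[str] = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    return urls


def classify_report(raw: str) -> Dict[str, object]:
    """Decide whether a forwarded report is a training mail, a real phish,
    or something that needs a human to look at it case by case."""
    msg = email.message_from_string(raw, policy=policy.default)
    urls = extract_urls(msg)
    hosts = {urlparse(u).hostname or "" for u in urls}
    attachments = [p.get_filename() or "" for p in msg.walk()
                   if p.get_content_disposition() == "attachment"]
    sender = str(msg.get("From", ""))

    if any(h == SIM_DOMAIN or h.endswith("." + SIM_DOMAIN) for h in hosts):
        verdict = "simulation"   # counts toward the drawing, nothing to block
    elif urls:
        verdict = "external"     # treated as a live phish: block sender and link hosts
    else:
        verdict = "review"       # no link (e.g. only an unexpected attachment): case by case
    return {"verdict": verdict, "sender": sender, "hosts": hosts,
            "attachments": attachments}


class ReportTracker:
    """Per-employee tally of counted reports (drawing entries) plus the block list."""

    def __init__(self) -> None:
        self.entries: Dict[str, int] = {}
        self.block_senders: Set[str] = set()
        self.block_hosts: Set[str] = set()

    def record(self, reporter: str, raw: str) -> str:
        result = classify_report(raw)
        verdict = str(result["verdict"])
        if verdict == "external":
            self.block_senders.add(str(result["sender"]))
            self.block_hosts |= {h for h in result["hosts"] if h}  # type: ignore[union-attr]
        if verdict in ("simulation", "external"):
            self.entries[reporter] = self.entries.get(reporter, 0) + 1
        return verdict

    def drawing_pool(self) -> List[str]:
        """One ticket per counted report (an assumption about the drawing's rules)."""
        return [name for name, n in self.entries.items() for _ in range(n)]


def _mail(sender: str, subject: str, body: str,
          attachment: Optional[bytes] = None) -> str:
    """Build a raw RFC 5322 message the way a forwarded report would arrive."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "employee@corp.example"
    m["Subject"] = subject
    m.set_content(body)
    if attachment is not None:
        m.add_attachment(attachment, maintype="application",
                         subtype="octet-stream", filename="invoice.exe")
    return m.as_string()


# Constructed sample reports: (reporting employee, raw forwarded message).
SAMPLE_REPORTS = [
    ("alice", _mail("it-helpdesk@awareness-training.example", "Password expiry",
                    "Reset here: http://portal.awareness-training.example/login")),
    ("bob", _mail("accounts@evil.example", "Invoice overdue",
                  "Pay now at http://pay.evil.example/x")),
    ("alice", _mail("unknown@partner.example", "Document", "See attached.", b"MZ\x90\x00")),
]


def run_sample() -> ReportTracker:
    """Process the constructed reports and return the resulting tracker state."""
    tracker = ReportTracker()
    for reporter, raw in SAMPLE_REPORTS:
        tracker.record(reporter, raw)
    return tracker


if __name__ == "__main__":
    t = run_sample()
    print("drawing entries:", t.entries)
    print("block senders:", t.block_senders, "block hosts:", t.block_hosts)
```

The attachment-only report deliberately lands in "review" rather than being counted automatically, matching the case-by-case rule; a real deployment would also want the help desk to confirm the "external" verdict before anything is pushed to the mail gateway.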
The incentive scheme itself is simple and geared towards the staff's personal interests. There is a monthly drawing for a $20 gift card, followed by a quarterly drawing for a $50 gift card to either Bass Pro Shops or Red Lobster. There is also a yearly grand prize worth $400 in the form of an Amazon gift card.
The financial motivation has helped tremendously, Berlin noted, as the number of reports of real phishing attacks has "skyrocketed." Even better, the stigma attached to reporting a potential problem, or to admitting that an attack was successful, has disappeared.