BEST PRACTICES: Mock phishing attacks prep employees to avoid being socially engineered

By Byron V. Acohido

Defending a company network is a dynamic, multi-faceted challenge that continues to rise in complexity, year after year after year.


Yet there is a single point of failure common to just about all network break-ins: humans.

Social engineering, especially phishing, continues to trigger the vast majority of breach attempts. Despite billions of dollars spent on the latest, greatest antivirus suites, firewalls and intrusion detection systems, enterprises continue to suffer breaches that can be traced back to the actions of a single, unsuspecting employee.

In 2015, penetration tester Oliver Münchow was asked by a Swiss bank to come up with a better way to test and educate bank employees so that passwords never left the network perimeter. He came up with a new approach to testing and training the bank’s employees – and the basis for a new company, LucySecurity.

Lucy’s software allows companies to easily set up customizable mock attacks to test employees’ readiness to avoid phishing, ransomware and other attacks with a social engineering component. I had the chance at RSA 2019 to sit down with Lucy CEO Colin Bastable to discuss the wider context. You can listen to the full interview via the accompanying podcast. Here are key takeaways:

Human culprits

Humans, even well-intentioned ones, can be impatient, even rebellious, at times. We’re easily distracted and we cling to our bad habits. What’s more, in the internet-centric, consumer-driven world we live in, the lines between work-related duties and personal pursuits, which we increasingly access via our mobile devices, have become hopelessly blurred.

In short, it’s a perfect environment for cybercriminals to gather intelligence about us, then craft creative ruses to trick victims into installing malware that gives them a foothold. This is stunning: phishing attacks soared in 2018, rising 250% between January and December, according to Microsoft’s Security Intelligence Report.

A common tactic phishers relied on involved moving through multiple points of attacks during the same campaign. For instance, they’d switch between URLs, domains, and servers to send malware-bearing emails and to host malicious phishing forms. And they also increasingly leveraged hosted servers and public cloud tools, thus adding to their stealth factor.

Rudimentary training, in which employees are required to periodically sit through a mandatory lecture on the dangers of phishing, simply is not cutting it in this environment, and more organizations, like the Swiss bank, are coming to that realization. “People tend to be very resistant to training,” Bastable told me. “And some of the worst culprits are the very technically savvy people – the security guys are often the worst because they’re very resistant to being told what to do.”

Promising metrics

Since its launch in March 2015, Lucy has grown to 23 employees, with zero outside funding. It is headquartered in Zurich, with a U.S. office in Austin, TX. Its flagship product is in use in 60 countries, with more than 6 million employees trained. Customers in the financial services, energy, government, healthcare and manufacturing sectors are using its testing and training modules.

The company set out to drive down the cost of employee training, while improving its effectiveness in a measurable way. Bastable told me that it is very typical for 20 percent of an organization’s work force to be highly susceptible to being socially engineered.

“They have a high propensity to make the wrong decision repeatedly,” he said. “But if you work with them, continually and consistently, and you strategically run multiple scenarios at them, followed up by training, you can really make them better.”

How much better? “The metrics show you can drive down the number of risky employees from 20 percent to 5 percent,” said Bastable. “But as soon as you stop, the number quickly goes back up.”

It makes sense that training is moving in this direction, putting granular, ongoing responsibility in the hands of companies to administer, monitor and tweak over time. Bastable reports that Lucy’s customers don’t seem to mind.

“The great majority of our customers love being in control,” Bastable said. “This is a very creative tool. And they get to keep the information in-house, so no one else is learning of the vulnerabilities of individuals or departments, and the company is able to have metrics they can address.”

Social engineering attacks are here to stay, and cyber criminals can be counted on to continually innovate. It’s encouraging to see the good guys keeping pace. Talk more soon.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

