American Express struggled to convey security risks. Campaigns vacillated between wordy flyers and generic posters asking, "are you the weakest link?"
Messaging focused on what not to do in security, detailing exact legal codes to follow, said Chrysanthe Cupone, Manager, Information Security at American Express Company, speaking last week at the Gartner Security and Risk Management Summit in National Harbor, Maryland.
An environment lecturing employees about wrongdoings instead of showing what success looks like failed to create a culture of security awareness. The messaging did little for prevention.
Financial services organizations operate in an atmosphere of heightened security, where risk and compliance are well understood. Personal sensitive information is at stake, including financial data. Even though employees and users understand why security and risk policies are in place, enforcement is difficult.
Prevention is necessary, however. One successful phishing campaign could wreak havoc.
Cupone worked with the chief information officer to launch a phishing consequence management program in September 2015.
Failed phishing attempts were no longer abstract; they carried a consequence — the "stick" approach to security training.
A first failure held no consequences and navigated users to an education page.
After the second failure, users were assigned mandatory training.
If a user had a third failure, American Express required them to get coaching.
The coaching sessions had an "embarrassing factor," Cupone said. They were effective, though a little uncomfortable.
Once American Express started throwing out phishing consequences, people heard about the program. Support from the business units aided success and teams began reaching out to Cupone for small group trainings.
The phishing program spurred talk about information security across the business, Cupone said. Mainly, people were focused on phishing training so they did not have their habits — high phish failure rates — reported.
Eliminating easy targets
Successful phishing prevention programs are fed by the overall culture, tone and risk profile of a company.
If a company is going to use consequences as part of its program, it has to be consistent with its culture, tone and enforcement, Perry Carpenter, KnowBe4's chief evangelist and strategy officer, told CIO Dive.
If companies are going to make a hardline on failing phishing tests, it has to have the same consequences for line of business employees and executives, he said. Companies don't want to create a class system of consequences.
There is an exception: Not all users are created equal, particularly those with heightened system access.
At American Express, if a technology contractor failed a phishing test a third time, there was no coaching, Cupone said. The contractor was removed from the contract, largely because they were privileged access users.
It required a lot of political savviness to work with the company's vendor partners on this, Cupone said.
Change over time
New phishing threats are emerging, hiding attacks that even the most diligent would not catch.
Phishing emails can come in without links or attachments, instead relying on social engineering. Next generation threats require businesses to change training.
Companies have to train employees to look out for fear, greed, authority or emails that appear urgent, Carpenter said. "The attacks change but the human psychology is the same."
By 2018, buzz about consequences had subsided, but phishing paved the way for American Express to add more to the security culture. Cupone turned attention to other security trainings, programs without "sticks" to enforce compliance.
Negative consequences have a limited lifespan, but there is a benefit to having "or else" at the end of things, Carpenter said.
In 2017, the theme at American Express became voluntary training, with specific attention on privileged access user training, which was presented as a simulation.
Last year, Cupone worked to redesign resource pages to keep communication flowing between security and the business. People wanted to know how to avoid consequences, rather than "what" users should or should not be doing.
American Express added rewards, Cupone said, which incentivize reporting phishing schemes. The company also published the latest and greatest phishing threats.