Repeat the mantra: What is the biggest network security liability at any organization? The user!

Security experts time and again emphasize how educating users with anti-phishing training safeguards company data better than any hardware can. In our own customer surveys, social engineering vulnerabilities are cited most often as the greatest security risk for their organizations.

A company might spend hundreds or thousands of dollars on firewalls, security appliances, and software for endpoint protection only to watch the ROI fly out the window when a user clicks a dodgy e-mail or IM, or is tricked into disclosing credentials in a so-called spear phishing attack.

Our data indicates that for every company that is actively conducting anti-phishing user training, another has no program in place at all. Why might this be? Lack of resources is the likely culprit; using a third party service to conduct user training is not a small investment.

This is something that Rocky Lott, a one-man IT shop for a medium-sized Texas logistics company, learned while shopping for user training last year. “I researched several options that would allow us a free trial, but none that were even close to being in our budget as a permanent solution,” he says. So, like any good Texas IT pro would, he built his own anti-phishing server with free open source applications and did it himself.

Lott shared with me how he put the anti-phishing training program together, and the metrics he uses to show the effectiveness of the program—which are yielding great results for the company. (Scroll down for the documentation)

Hi Rocky. Briefly tell me about nature of your business and the sensitive data you’re protecting?

We are a transportation company, moving everything from frack sand to chicken breasts. The protected data is all the communication with our customers, financial agreements passed back and forth, as well as rate information, and, of course, our actual customer agreements and information. We store employee information and do in-house payroll. All of this information is valuable—you’re talking hundreds of social security numbers and tons of financial records for the company.

How does that break down in terms of users and endpoints?

We currently have about 50 office employees and 200 drivers. There are approximately 70 PCs and laptops in service; nine virtual servers running on a three-node hyper-converged cluster, and two office locations currently. All of our devices are relatively new; none older than four years and we have quite a few employees that work remotely. We use McLeod dispatching software which has to be accessible from any device and, of course, run an in-house Exchange. All of this means that security has to be tight.

What security solutions did you have in place to begin with?

We use Fortigate UTM devices as our gateway at each location. This allows me to have site-to-site VPN and SSL-VPN support for secure remote access. We have cloud managed AV on all the machines, and LogMeIn remote access software for remote support. Remote workers use the FortiClient software to connect an SSL-VPN session to the office.

What prompted you to start looking at anti-phishing training for your users?

It seemed like phishing e-mail occurrence had picked up recently. Our users were receiving an average of one or two a month; then it went to about five or six a week. I’d get phone calls about many of these, but it made me wonder if some were slipping through the cracks.

What specific features did you want from an anti-phishing training solution?

Mainly I wanted something that I could custom build templates. With that I could test to ensure that [test e-mails] made it past our initial spam filter in the firewall and Exchange spam filters. I also wanted to be able to track who had and hadn’t received the e-mail and whether or not they had clicked on links within the e-mail. I wanted to push users to some online training once they clicked on a link in the e-mail or filled out a form.

Your DIY setup and documentation [see below] is pretty remarkable. What kind of technical know-how is needed for putting a similar solution in place?

I used a free image from TurnKey Linux, a free hypervisor from VMWare and a free open-source project called SPToolkit. The installs of all of these are fairly straight-forward and I’ve written a how-to on setting up the SPToolkit project using the latest version from GitHub. Basically, if you have a machine that you can install the Linux image onto, and a free afternoon, you too can have your very own in-house phishing server.

What did you learn about your users after the first round of testing?

I learned that although I had a pretty good group of people to work with, their phishing awareness was pretty low. That first test ended up being 37% click-through.

How are you communicating phishing awareness tips with users?

Whenever I hear about a new type of phishing campaign being used, there are celebrity deaths or other large community happenings on Facebook etc., I’ll send out a warning e-mail to my users letting them know to watch what they click on. Phishers love using current topics to entice clicks, i.e. click here to listen to Prince’s dying words.

You mentioned testing is conducted quarterly. What metrics do you use to track effectiveness? How’s the program going?

We started with a 37% click-through rate as I mentioned. When I rebuilt my phishing box to write up the how-to, we had about 25% click-through. After a few more tests we’re down to about 8%—that’s an 80% reduction in clicks on possibly infected emails. I’ll take that.

The cool thing about the SPToolkit is that once the user clicked a link in the e-mail, they were taken to a video about phishing and how damaging it can be. There was also an acknowledgement that they had been phished and an agreement to be more careful in the future.

See Rocky’s step-by-step documentation for setting up the anti-phishing training server

Related content:

Thanks to Rocky Lott for sharing his DIY anti-phishing training expertise.