Shortly after joining Bullhorn, CEO Art Papas called me in for a one-on-one. He was interested in how I viewed Bullhorn’s security posture and what my plans were for implementing the changes needed. Every new CISO loves this opportunity. When the CEO is interested in your program, you have an ally, and for all the expertise involved in cyber defense, it’s a team sport. Without support from top levels, meaningful change is incredibly difficult.
It didn’t take long for me to realize that while what I was saying was resonating, Art had something on his mind. Then he asked me, “What about phishing? I know of some really bad situations other companies have gotten into, and I want Bullhorn to be ready.”
What Art understood — and what every business leader needs to know — is that the weakest link in security is the employee. Humans make mistakes. They are trusting, and when they receive an email, text message or phone call from someone with a plausible story and a need, their inclination is to help. Preying on this “weakness” is key to social engineering, and there is only one proven way to counteract this: training and enforcement.
You might think, “But I spend a lot of money on technology to stop these attacks.” Most companies that are victims of phishing attacks have that technology, but the reality is that some slip through. When they do, the company is completely reliant on their employees to recognize and deal with phishing emails correctly. When Bullhorn started our Phishing Simulation program, the failure rate across all industries was 15-20%, and last year, it was pegged at 12%. That means for every nine phishing emails that get through, one successful attack is likely.
Our Phishing Simulation program is part of a companywide education and testing program. Employees take security awareness training at least annually, which covers everything from social engineering to handling customer data properly.
For enforcement, every employee gets a phishing test email monthly. Those who fail are enrolled in training, and meeting with me is often required depending on how critical their access or role is. Executive involvement and the inclusion of their direct manager emphasizes the seriousness of the program and has proven very effective. These meetings are common because we want to reduce our failure rate to 2-5%. Over time, we’ve increased the difficulty many times to build a sophisticated workforce and minimize our risk in this space.
PREMIUM CONTENT: Most Complex Contingent Markets Globally 2024
I rarely see this kind of program implemented, and I myself have struggled to put it in place in previous roles. I occasionally succeeded in doing an annual test, but the pushback was enormous — I have often heard excuses like “It’s too time intensive,” “It intimidates the employees,” and the most popular, “People will be scared to open any email and business will suffer.” These could be potential outcomes if the program isn’t built the right way, but Bullhorn’s experience is that none of them are true.
So why has Bullhorn’s approach worked? A few reasons:
- The educational aim of the program is heavily emphasized.
- We focus on arming our employees with tools they can use anywhere, including in their personal lives.
- We train them on the right processes for reporting possible phishing.
- Those on our leadership team, from Art all the way down, speak about and participate in the program.
- The security team invites feedback and encourages employee interaction — like I said, it’s a team sport.
The program is one of many layers of security at Bullhorn, but it’s the one every employee knows about. Many enjoy the challenge and openly talk about the “tricky” test they identified with pride. It’s closed the distance between our customer-focused employees and the security team, which at many companies rarely interact outside of infrastructure teams. Now, when I talk about security being everyone’s job, rather than ring hollow, the message has meaning for everyone. And crucially, our risk has been significantly reduced.
I encourage other organizations to follow our example. Embrace the benefits of this type of program — you won’t regret it.