Industry Insights

Martin: Would Your Employees Take the Bait?

Since 2015, in at least three instances, third parties have illegally gained access to sensitive data via targeted phishing attacks on employee email accounts in workers’ compensation funds, and experts believe future attacks are inevitable.

Phishing takes the form of deceptive emails attempting to trick recipients into disclosing sensitive or confidential information, opening an infected attachment or clicking on a compromised web link. Sometimes the phishing email address is purposely created to look like it is from a legitimate or known email account.
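The lookalike sender addresses described above are something a mail gateway or help desk can screen for mechanically. The following is an added example, not code from Pinnacol or the column's author: it takes a From: header, extracts the sender domain, and reports whether it is a trusted domain, an imitation of one (homoglyph swaps such as 0 for o and rn for m, a one-character edit, or a trusted name buried in a longer domain), a display name that claims a trusted domain while the address does not, or simply an outside sender. The trusted-domain list and the sample headers are constructed for illustration.

```python
"""Classify From: headers that may imitate a trusted sender domain.

Added example for this page (not Pinnacol's or the author's code).
TRUSTED_DOMAINS and the sample headers are constructed for illustration.
"""
from email.utils import parseaddr

# Constructed: domains this organisation treats as legitimate senders.
TRUSTED_DOMAINS = {"example.com", "payroll-example.com"}

# Digits commonly substituted for visually similar letters in lookalike domains.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def _normalise(domain: str) -> str:
    """Lower-case, drop a trailing dot, and fold common homoglyph pairs."""
    folded = domain.lower().rstrip(".").translate(_HOMOGLYPHS)
    return folded.replace("rn", "m").replace("vv", "w")


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; domains are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return one of: trusted, lookalike, display-name-spoof, external, malformed."""
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return "malformed"
    domain = address.rsplit("@", 1)[1].lower().rstrip(".")

    # Exact trusted domain, or a genuine subdomain of one (mail.example.com).
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"

    folded = _normalise(domain)
    for t in trusted:
        # Same name after homoglyph folding, or one edit away (a dropped or
        # doubled letter), is treated as an imitation of the trusted domain.
        if folded == _normalise(t) or _edit_distance(domain, t) <= 1:
            return "lookalike"
        # Trusted name embedded in a longer domain: example.com.evil-login.net
        if t in domain:
            return "lookalike"

    # The display name names a trusted domain but the real address does not.
    if any(t in display_name.lower() for t in trusted):
        return "display-name-spoof"
    return "external"


def triage(headers):
    """Classify a batch of From: headers; returns {header: verdict}."""
    return {h: classify_sender(h) for h in headers}


# Constructed sample From: headers, one per verdict the classifier can give.
SAMPLE_HEADERS = [
    "Payroll <hr@example.com>",
    "HR Department <hr@examp1e.com>",
    "IT Support <it@exarnple.com>",
    "Benefits <hr@example.com.evil-login.net>",
    '"Example.com Payroll" <payroll@freemail.net>',
    "Vendor <bob@supplier.org>",
    "not-an-address",
]

if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_HEADERS).items():
        print(f"{verdict:19} {header}")
```

The one-edit rule is deliberately aggressive: it will flag legitimately similar short domains as lookalikes, so in practice the "lookalike" verdict belongs in a quarantine or user-warning path rather than an automatic block, and the trusted list should include every partner domain the organisation actually corresponds with.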

In 2016, Pinnacol Assurance identified a cybersecurity risk when nearly 40% of employees took the bait and failed to recognize and report a mock phishing attack deployed by the company’s cybersecurity team as a baseline test. Employees needed help to recognize increasingly sophisticated phishing scams and help mitigate potentially devastating business consequences.

What’s on the line?

The legal and financial liabilities of cyberattacks are just one way businesses can be impacted. Companies in workers’ compensation handle especially sensitive data (medical records, including information about current and past conditions, treatments, payroll data, Social Security numbers, etc.) and must manage both confidential and non-confidential data appropriately.

Pinnacol’s networks house vast amounts of customer data, and keeping that data secure is part of Pinnacol’s commitment to caring for its customers.

Although data breach and cyber liability insurance covers some of the financial liability, consumer confidence and brand reputation are also on the line.

When it came to phishing, relying on technology protections like email filters and network firewalls wasn’t enough. Employees needed to be engaged as the first line of defense against phishing.

A school of colleagues get on board

To tackle the phishing problem, Pinnacol’s IT team partnered with communications colleagues. While some companies use policies and disciplinary action to manage phishing risk, the Pinnacol project team took an innovative, preventative and positive approach.

“This was a serious issue that threatened our data security, so I understood the gravity of the situation,” said Michelle Barnes, internal communications specialist. “But I also knew that capturing employees’ attention in a world of distractions is a challenge. So, why not have some fun with it?”

With a focus on the business problem, goals and measurable objectives, Barnes pitched the idea of an internal communications campaign to combat the problem in a funny, attention-grabbing way.

With the support of the project’s executive sponsor, Assistant Vice President of Information Technology Brian Lindley, Barnes developed a communications plan with engaging tactics that would deliver on the overall goals of employee education and changed behaviors.

“When it was all said and done, we only spent $6,000 on communications materials for the campaign, much less than the costs — reputational and otherwise — of a customer data breach,” said Barnes.

Here fishy, fishy

The campaign included tactics to increase employees’ awareness of phishing and the dangers it poses — including a specialized graphic and tagline: “Don’t take the bait. Recognize and report phishing attacks.”

Other tactics included an intranet page with a humorous video, a computer monitor card to keep phishing top-of-mind, posters and a lobby launch event. Employees took a required online training class and completed a short quiz.

Additionally, a “Phish Alert” button was added to employees’ Microsoft Outlook toolbar, enabling them to quickly delete and report potential phishing email (and to delete unwanted spam email).

After the campaign, the cybersecurity team deployed another simulated phishing attack that tested how well employees could recognize and report a threat. Cybersecurity scheduled subsequent quarterly mock phishing emails to further assess the campaign’s impact.

In addition to the light-hearted preventative tactics, Pinnacol’s risk and human resources teams developed and managed a policy for phishing test failures. The policy was shared with employees, and managers were asked to help enforce it with their direct reports.

Reeling in the results

Since the campaign, the quarterly mock phishing attack failure rate has consistently been less than 7.5% (and at best 6.5%), far exceeding the program’s goal of less than 15% of employees failing to report mock attack emails.

Email open rates averaged 92.8%, and 92% of viewers watched the video in its entirety. The lobby event, during which employees could “phish” in a pool for prizes, was also well attended.

“We took the fun route with this campaign, and it worked,” said Barnes. “I am now hyper-aware of suspicious-looking emails — and I don’t open anything I think could be a phishing scam. Our employees have worked to change their behavior. Ultimately, that’s what a good communications campaign should do.”

Megan Martin is senior communications specialist with Pinnacol Assurance, Denver. This column first appeared in the AASCIF Newsletter and is republished with permission.
