
Phishing policy and training

 

Introduction

From time to time, the Information Security & Compliance team will organise simulated phishing attacks on PCI Pal staff.  These are designed to raise staff awareness of the real threat of external phishing attacks, and will be followed up with coaching, training and actions to help staff identify phishes and defend themselves against attacks in the future.
 
 
When a phishing simulation is launched, the ideal response is to use the ‘Report Phish’ button in Outlook for Windows; doing so identifies the email as a phish and passes the simulation.  Alternatively, phishes may be reported via Teams or by email to the DPO.
 
In general, clicking on the hyperlink or attachment of a simulated phish, or entering account credentials into the phishing portal, will constitute failing the simulation.
This includes doing so after reporting the phish, doing so ‘just to see what it did’, entering false credentials, or forwarding the phish to someone else who then clicks the link or enters account credentials.
 
Where a user proves susceptible to a simulated phishing attack, certain remediation steps will be taken.  Each time, the user must retake the Security Awareness training in the LMS within 1 week, which may be extended to 2 weeks at their line manager’s discretion.  The further response depends on how many times the user has responded to a phishing simulation over a rolling 6-month period:
 
1st time - DPO to discuss the specific phish with user and review what occurred
2nd time - CISO and/or People team to discuss with user and see if any broader solutions may be applicable e.g. specific/individual training, changes to existing processes
3rd time and beyond - User’s line manager informed and asked to have a conversation with user e.g. the specific phish, user’s workload at time of phish, any struggles or additional needs
 
e.g. – A user clicked on two phishes previously, in January and June.
It is now October and they have just clicked on another phish.
As January is now more than 6 months ago, this counts as their 2nd instance of responding to a phish in the past 6 months, so the response would involve a discussion with the CISO.
 
The ISC team is not interested in “Naming and Shaming”, but rather in ensuring staff are secure and aware online.  If you feel you would benefit from a one-to-one to review phishing threats and how to protect yourself, please do reach out to any member of the ISC team at any time.
 

Discussion Guidance for Phishing Susceptibility

When discussing a phish with a colleague who responded to it, it is important that this is not phrased or considered as a failure.  Phishing attacks are designed to take advantage of a person's blind spots and our general drive to act, help, and get work done.
 
Listed below are some topics to help both the line manager and the individual reflect upon the circumstances that led them to respond to the phish, and to identify steps that could be taken to reduce the risk in future.  In addition, the InfoSec team can provide a safe copy of the phish and, for a simulation, any relevant statistics.
 
Note when the phish was sent, when they read it, and when they responded to it:
 
 
 