The cybersecurity department at Harrogate-based logistics firm Speedwell Transport has marked a significant milestone this week, recording its fifth consecutive year in which not a single employee has clicked on the monthly phishing awareness email designed to warn them about the dangers of clicking on suspicious emails.
The achievement, which comes after half a decade of sending increasingly urgent messages with subject lines such as “IMPORTANT: Your Security Matters” and “Action Required: Phishing Alert”, represents what IT Security Manager Graham Pemberton described as “a testament to our rigorous training programme, or possibly its complete and utter failure, depending on how you look at it”.
The team’s monthly phishing simulation emails, carefully crafted to appear as legitimate security warnings, now achieve an impressive 2.3 per cent open rate. This compares favourably to the company’s actual phishing attempts, which maintain a concerning 34 per cent click-through rate, largely from employees who believe they genuinely have won an Amazon voucher or need to verify their password immediately.
“We have successfully trained our workforce to identify the telltale signs of our security communications,” Pemberton explained during a subdued celebration in Meeting Room 3B, attended by four members of his six-person team. “The earnest tone, the generic greeting, the sense that someone is trying very hard to help them. These are now recognized as red flags.”
The cybersecurity team’s breakthrough came in 2019, when they realized that employees had developed what junior analyst Rachel Hartley termed “an almost Pavlovian response” to any email containing the words “cyber hygiene”, “threat landscape”, or “please be vigilant”.
“We tested it last month,” Hartley said. “Sent an email with the subject line ‘Urgent Security Update Required’ from our official IT security address. Four people opened it. Then we sent one from [email protected] saying ‘Click here for bonus information’. Sixty-seven clicks in the first hour.”
The security team has attempted various strategies to combat the problem, including making their legitimate warnings look more suspicious, abandoning formal language in favour of casual threats, and on one occasion simply writing “This is the real one, please, for the love of God, just read this one.” The latter achieved a 1.8 per cent open rate, down from their monthly average.
Speedwell Transport’s HR Director, Martin Cooper, praised the security team’s consistent results whilst simultaneously forwarding three separate phishing emails to his entire department, believing them to be important updates about the company pension scheme.
The IT security team will continue its awareness programme into 2025, having already scheduled twelve monthly emails that approximately 340 employees will immediately delete based solely on the sender’s address.