Overcoming significant challenges in multinational phishing simulations


At CybeReady, most of our customers are multinational companies employing people worldwide and have a broad span of control when it comes to security. These customers often encounter resource limitations related to reaching out to their distributed employees. Such limitations take the form of fewer face-to-face meetings, less customised content, and a lack of familiarity with other cultures and their phishing risks.

We find that there is almost a direct correlation between the distance from a company’s headquarters and compliance with internal operating procedures. This isn’t new, of course.

Knowledge transfer is a widely recognised problem in the world of knowledge management.

When designing phishing simulations for multinational companies, there are numerous pitfalls to avoid and considerations to be made. Here, we will discuss first the pitfalls and then outline the options lying ahead of you when operating such a program.

Content creation

It's the first day of the simulation, and already you have two responses from senior managers abroad. What a great way to start! You dive into the first email. It's from a colleague in the Russian branch asking you if you've coded the landing pages yourself. You look at the attached screenshot, and you're in shock. It's not what you created. Apparently, the Russian translation is much longer than English. The outcome: misplaced header borders, giving the page an amateur look.

With some apprehension, you proceed to the next email from a colleague in Israel asking you why all the training content addresses men only, when the local workforce is 56 per cent women. You're taken aback. You? Discriminating on gender? How were you to know that there are languages that are gendered by default?

When writing training content, there are a few critical guidelines to follow:

1. The content should be eloquent; it should be free of grammatical errors and use an appropriately professional tone.

  • The recipient should find the content clear and to the point, regardless of their education level or reading habits. Language used should not be too 'high,' nor too 'low'.
  • The content should be as personalised as possible. Personal messages are more memorable and have more impact on recipients.
  • The positioning of the text within the designed page should be proportional and aesthetic according to best practices.

2. In gendered languages, where the male and female forms involve different words, every effort should be taken so that the content does not discriminate based on gender.

Following these guidelines is admittedly difficult; adapting them to different languages is another challenge altogether. Let’s consider eloquence, for example. Most translators know that translation is a compromise between adhering to meaning and adhering to style. In most cases, achieving both is nearly impossible. Keeping translated material both personal and non-discriminatory while translating text into different languages also requires significant skill. Even design presents challenges: the characters of some Asian languages take up only a third of the space required for some European languages, for instance, so that placeholders that fit certain Asian languages perfectly might seem overcrowded in the case of European languages.

Working hours and holidays

You've been reviewing the results of your latest multinational phishing campaign. The results show actual improvement, especially across some European countries. Two months later, you see an unexplainable increase in individuals falling prey to phishing activity within those specific countries that had shown the greatest improvement. Baffled, you call an overseas colleague, only to learn that your earlier campaign landed in employees' inboxes during their vacation. As a result, click rates plummeted.

It's safe to assume that there are working days and non-working days in every country. Although hackers aren’t known for caring much about employee well-being, it is of primary concern to you when engaging your employees in security training. In some cultures, for example, it may be common practice to send employees email over the weekend or on holidays, whereas in other countries, this might seem offensive. Every good training program has to factor in such elements. Remember: you can only control the training, not the learning. For learning to occur, employees have to be in the right mood—and in some cultures receiving an email at 10 p.m. will not result in a good learning experience, whereas in others it would be totally acceptable.
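The timing problem above can be checked mechanically before a campaign goes out. The following is an added example (not code from the article or from CybeReady): it takes a planned send instant in UTC and, per branch, defers it to the next local working-day start if it would land on a non-working day, a local holiday, or outside working hours. The branch names, workweeks and holiday dates are constructed for illustration.

```python
# Added example (not code from the article): check a planned campaign send
# time against each branch's local working hours, workweek and holidays, and
# defer any send that would land on a weekend, a holiday or after hours.
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta, timezone
from zoneinfo import ZoneInfo


@dataclass
class Branch:
    name: str
    tz: str                                           # IANA time zone name
    workdays: frozenset = frozenset({0, 1, 2, 3, 4})  # Mon..Fri by default
    work_start: time = time(9, 0)
    work_end: time = time(17, 0)
    holidays: frozenset = frozenset()                 # local dates to avoid

def utc(y: int, mo: int, d: int, h: int, mi: int = 0) -> datetime:
    """Build an aware UTC datetime (convenience for callers and tests)."""
    return datetime(y, mo, d, h, mi, tzinfo=timezone.utc)

def is_sendable(branch: Branch, local_dt: datetime) -> bool:
    """A send is acceptable on a working day, off holidays, within hours."""
    if local_dt.weekday() not in branch.workdays:
        return False
    if local_dt.date() in branch.holidays:
        return False
    return branch.work_start <= local_dt.time() < branch.work_end

def next_send_time(branch: Branch, planned_utc: datetime) -> datetime:
    """Return planned_utc if acceptable for this branch; otherwise the next
    start-of-working-day (converted back to UTC) that is acceptable."""
    tz = ZoneInfo(branch.tz)
    local = planned_utc.astimezone(tz)
    if is_sendable(branch, local):
        return planned_utc
    candidate = datetime.combine(local.date(), branch.work_start, tzinfo=tz)
    if candidate <= local:            # today's window already started or passed
        candidate += timedelta(days=1)
    while not is_sendable(branch, candidate):   # skip weekends and holidays
        candidate += timedelta(days=1)
    return candidate.astimezone(timezone.utc)

# Constructed sample branches (workweeks and the holiday date are illustrative,
# not real HR data): the Israeli office works Sunday to Thursday.
BRANCHES = {
    "Tel Aviv": Branch("Tel Aviv", "Asia/Jerusalem", frozenset({6, 0, 1, 2, 3})),
    "Warsaw": Branch("Warsaw", "Europe/Warsaw"),
    "Beijing": Branch("Beijing", "Asia/Shanghai", holidays=frozenset({date(2024, 6, 10)})),
}
```

A Friday 20:00 UTC launch is therefore pushed to Sunday morning for Tel Aviv and to Monday morning for Warsaw, which is exactly the kind of per-branch shift HR should confirm before the campaign is scheduled.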

Localisation

One of our favourite phishing simulations involves offering a free coffee in our totally fake coffee chain. Employees often do need a shot of coffee, and there's nothing like some delicious free java to bait them into clicking a link. But how do you localise such a simulation to countries in which coffee chains are non-existent, or perhaps where coffee pales in comparison to tea? Similarly, if you reference the US elections in a phishing simulation, it won’t have the same effect in your Polish branch as it does in your US branch.

Beyond this, how do you translate brands: globally, or locally? Should you use a local-language transcript? Is it better to use the translation or keep the brand's name in its native tongue? Each of these parameters impacts the simulations’ effectiveness, as well as their respective training content. But localisation goes beyond just phishing simulations. Issues such as content design might require much more delicate handling. Is your punchline offering too much of a punch? Are you subtle enough? Or are you too subtle? Some cultural elements involve the local context, and some, the corporate context.

Design

Here’s another scenario for you. Let’s say that before launching your first phishing campaign on employees of your company’s two largest offices—in Beijing and in Johannesburg, respectively—you asked a colleague for advice.

That was a close call. The bold red banner you planned to use in China won’t go over very well in South Africa, where red is a colour of mourning.

How you incorporate colour into the layout of your design, and the deliberate placement of key elements in your layout such as a call-to-action, headline or salutation all factor into the success of a simulation. Colour theory references offer some perspective into emotional connections to colours from a western perspective; however, you’d be wise to consider that colours in different cultures are interpreted differently.

Email and website heat map tools provide a visual representation of how readers experience your digital content. They use software that tracks a user’s cursor and displays corresponding “hot spots,” where the reader spends time and clicks, and “cold spots,” which the reader ignores.

Tips to avoid challenges in your global phishing simulations

Now that we've outlined the possible pitfalls and considerations, here are rules to make your life easier:

  • One size fits all: Are you shipping the same training content to all of your satellite offices all over the world? You might save time upfront, but it’ll lead to huge headaches later on.
  • Content design: Use wide content placeholders; shorter content looks fine in a single row, whereas longer content becomes unwieldy if the placeholder's height exceeds its width.
  • Content translation: Work with high-end translators and create a style guide that reflects your expectations. When developing content for a new language, always ask a local representative to review it to be sure you haven't missed anything.
  • Localisation: Conduct in-depth research, and make sure you use local names, currencies and references to relevant events when localising your simulations.
  • Video design: Imagine your videos with short and long texts. Make sure that the majority of the text is located in parts of the video that allow flexibility (that would usually be in the upper or lower ‘third’ of the video).
  • Working hours and holidays: Always consult human resources on appropriate timing.

It’s a smart move to consult them as part of a multinational enterprise, but it's especially important to make sure you have the HR policy accessible when planning your phishing simulations.

Omer Taran, Co-Founder and CTO, CybeReady