How Freshworks’ phishing expedition is paying off
The cybersecurity team devised a set of innovative strategies to bolster the company’s defenses and get every employee involved
As AI advances, so do cybercriminals' skills at targeting weak spots in corporate systems. Companies lost a whopping $4.45 million per breach in 2023, according to IBM, much of it due to employee error.
To counter that, training workers to constantly identify and report suspicious emails is a primary line of defense. But every employee needs to participate, says Ramya Subramanian, director of governance, risk, and compliance at Freshworks.
“Hackers love to target humans,” she says. “If a company’s employee clicks a phishing email or shares their password, it can compromise the entire system's security and lead to a data breach. Educating employees to recognize and respond to threats turns them from vulnerabilities into our first line of defense.”
Ramya is part of Chief Information Security Officer Jason Loomis’ cybersecurity team. With phishing attacks on the rise across all industries, in 2023 Loomis launched a campaign to focus efforts at Freshworks and encourage proactive reporting by employees. A key element of the program launched this April: hijacking the lock screens of more than 5,000 employees with new messaging, information, and tools to solicit mass participation.
“It can feel intrusive when your lock screen displays content you didn't choose. But you know what's more invasive? Getting hacked,” says Sreevatsan Thandalam, audit and assurance manager.
“Most companies treat cybersecurity like it’s just the cybersecurity team’s problem. Our goal is to drive home the message that cybersecurity is every employee’s responsibility,” Ramya says.
To make good on that mission, Ramya’s India-based team of 18 devised a set of innovative strategies, including the following:
1. Training reboot
Step one was increasing training content. Navapriya Mohankumar, a risk and compliance manager, led the effort to create more engaging content on critical topics such as using strong passwords and multi-factor authentication.
“We’re hitting employees with everything!” says Vaishnavi Padmanaban, senior cybersecurity advisor on the team. “We send out monthly newsletters about the latest cybersecurity threats, create videos, and update all our messaging, including lock screens, based on the month's learning module.”
2. Always-on reporting
Providing employees an easy, omnipresent tool to report suspicious emails was critical. The team added a Phish Alert Button to employees’ Gmail menus so workers can easily report any suspicious email to the cybersecurity team.
3. Mock phishing emails
Another key element of the plan involved testing employees’ awareness with simulated phishing emails that appear to come from services like Instagram, Amazon, and Zelle.
Now, when employees click on a mock phishing email, they are taken to a landing page with additional training on how to spot future phishing attempts. If they fall for more of these emails, they are assigned mandatory awareness training.
4. Lock-screen takeover
Lastly, to pull off an effective lock-screen takeover, the team enlisted lead designer Banu Priya to create the lock-screen visuals—a kind of billboard for ongoing security messaging. The lock-screen content pushed employees to “Be a Hero” and use the Phish Alert Button to report suspicious emails.
Putting it to the test
Ajay Kumar, lead software engineer from the Freshworks Neo Platforms team, recalls falling for a fake phishing email.
“I had just started with Freshworks,” he says. “The email was about updating my personal information for billing, so I didn’t think twice about the sender.”
After clicking on the link, Kumar wound up having to complete a brief training, which he found helpful.
“I learned to stay on guard against phishing emails and use the Phish Alert Button,” he says.
Later, the lock screens of every employee using Windows laptops lit up with the new messaging. While some employees grumbled, others said it made reporting easier.
But the strategy is paying off, to the delight of the team.
The phishing awareness campaign “showed a significant improvement,” says risk and compliance advisor Uthra Krishnamurthy, and the company has already reduced its vulnerability to phishing attacks.
There’s a noticeable change in mindsets, too. As Siddharth Kandoth, lead visual designer, says, "I was initially skeptical because I really liked my previous lock screen, but reporting suspicious emails has become so easy in the last few months. I realized I'd rather see an annoying lock screen than deal with a full-blown hack."