Information Security Awareness Protectives Awareness Program New employee

Information Security Awareness

Protective’s Awareness Program ● New employee LMS training and Annual employee LMS training ● Quarterly lunch and learn webinars for all (includes road shows) ● Posters & Swag ● Awareness page on company intranet site ● National Security Institute’s monthly SECURITYsense “Information security awareness for every employee” ● SANS Technology Institute’s monthly OUCH! “A Security Awareness Newsletter for Everyone” ● Semi-monthly browser-based news and quizzes on the latest security awareness topics ● Phishing simulations ● Phishing tournament Information Security "Promoting Security Through Awareness"

Phishing Program ● Forward suspicious emails to phishing@protective. com ● Cofense Phish. Me Simulator ● Some emails are Phish. Me Simulator and some are “build your own” ● All three types of phishing emails are used (attachment, click, data entry) ● Four different phishing scenarios per campaign ● Program started with quarterly phishes in 2015 ● Today, every employee and contingent worker with a company email address receives one phishing scenario monthly ● 2019, every employee phished once per month and a spear phish to a targeted group once per month ● Total mailbox recipient count was 2, 800 in 2015 and is currently over 3, 400 (20+% increase) ● Program started with easier “toss ‘em a bone” type emails, then progressively got more difficult as the program matured Information Security "Promoting Security Through Awareness"

500 Oct-15 Information Security "Promoting Security Through Awareness" 658 1, 420 Oct-18 Sep-18 1, 679 1, 964 n ig Aug-18 m Ca pa 2, 255 9 2, 075 5. 6% Jul-18 p 2, 088 m Jun-18 n g ai May-18 Emails Forwarded to Phishing Inbox 3, 426 Ca 2, 268 8 Apr-18 2, 834 3. 5% Mar-18 2, 025 1, 515 Jan-18 m Feb-18 n ig pa 1, 568 7 Dec-17 Ca 2, 156 5. 0% Nov-17 m Oct-17 2, 124 Sep-17 n ig pa 2, 118 3, 500 1, 936 6 Jul-17 9. 0% Aug-17 Ca 2, 660 m Jun-17 3, 000 2, 160 Ca May-17 n ig pa Apr-17 5 1, 562 1, 886 Feb-17 7. 0% Mar-17 1, 881 m Jan-17 1, 717 Dec-16 Ca 1, 766 n ig pa Nov-16 4 Oct-16 1, 306 3. 0% 1, 276 p Sep-16 1, 434 m Aug-16 Ca gn ai 1, 126 3 Jul-16 898 10. 1% Jun-16 2, 000 1, 495 p Apr-16 m n May-16 2, 500 1, 714 Ca g ai 1, 212 p 2 Mar-16 11. 0% 935 m Jan-16 11. 0% Feb-16 1, 500 830 Ca n 608 p g ai Dec-15 1 441 359 333 Sep-15 11. 6% Nov-15 441 0 Aug-15 1, 000 346 160 m Jul-15 Ca 5 n g ai Jun-15 May-15 Phishing Campaign Results 05/2015 – 10/2018 Click Count % of Total Phishing Emails Sent 8. 9% 7. 3% 5. 9% 1. 6% 3. 3% 1. 0% 10

Phishing Emails & Hooked Rates Phishing Scenario Title File from scanner Package delivery notice Breaking News Funny cat pictures Traffic citation notice Mailbox exceeds authorized limit Unauthorized internet access Background check was run on you Facebook timeline posting Important notice: W-2 Form Time off request (negative PTO balance) Order confirmation Employee raffle Digital fax attachment Pokemon Go - company policy Unpaid invoice Password survey e. Card alert Suspicious bank account activity Notice from board of accountancy Jury duty final notice Blank message Customer feedback survey i. Pad order Information Security "Promoting Security Through Awareness" Year 2015 2015 2016 2016 2016 2017 2017 % Hooked 19. 5 19. 7 4. 2 2. 8 10. 6 6. 4 6. 5 4. 2 1. 1 6. 1 36. 8 8. 7 21. 2 8. 8 6. 3 1. 7 2. 0 11. 0 2. 3 3. 1 0. 7 0. 5 1. 8 1. 4

Phishing Emails & Hooked Rates Phishing Scenario Title Year % Hooked Computer refresh program 2017 15. 3 Attached resume 2017 3. 8 Failed print job 2017 6. 3 Download and sign 2017 2. 0 Unauthorized internet access 2017 3. 2 Compromised applications on your desktop Inactive email account 2017 2018 5. 0 6. 3 Your order has been shipped 2018 6. 2 Food truck coupon 2018 0. 5 “Equafax” 2018 0. 9 Somone has your password 2018 1. 7 Employee raffle 2018 8. 5 Pay. Pa. I order tracking 2018 2. 5 Final version of the report 2018 0. 7 Forgot attachment (2 part phish) 2018 7. 2 New voicemail attached 2018 11. 7 Verify your email address 2018 1. 0 Recruitment plan attached 2018 3. 7 CONFIDENTIAL - Please don’t leak Failed email delivery notice 2018 *1. 5 *8. 1 Office gambling policy 2018 *17. 0 I hit your car 2018 *4. 9 Information Security "Promoting Security Through Awareness"

There’s always someone to train! Information Security "Promoting Security Through Awareness"

Questions? Information Security "Promoting Security Through Awareness"