Wombat Helps RBS Reduce Phishing Susceptibility, Educate End Users

We are excited to share with you a new case study that illustrates how the Royal Bank of Scotland (RBS) — a leader in global banking and financial services — is using our security awareness training solutions to engage stakeholders and educate employees, ultimately reducing end users' phishing susceptibility by more than 78%.

The Problem

Financial institutions are highly targeted by cybercriminals, something RBS knows all too well. As a large bank with a truly global presence, RBS has experienced steady increases in phishing attacks and dangerous malware entering their systems via email. The bank recognized that its 80,000 email users presented a significant attack surface for criminals — a security challenge compounded by lax cybersecurity behaviors among employees. 

When it came to phishing attacks, employees “really weren’t that bothered — they perceived this to be the bank’s problem,” said Lesley Marjoribanks, Customer Security Manager and Security Awareness Lead at RBS. She said there was a disconnect between IT and users; the attitude of many employees was, “If you haven’t invested enough in your layers of defense and these phishing emails are hitting my inbox, well, that’s your fault.”

RBS needed to instigate a complete cultural overhaul, helping staff to understand that their casual behavior with dangerous emails was causing real damage. “I wanted to estimate what it would take to get from day one of a locker ransomware attack — which have become increasingly common — to a recovered position. I sized the man-hours for the recovery to be more than £250,000 [~$350,000] for a single incident,” said Marjoribanks. “When you start talking in monetary terms, people sit up and start listening.”

The Results

In terms of specific products, Marjoribanks selected our Anti-Phishing Training Suite, which combines customizable ThreatSim® Phishing Simulations, targeted interactive training modules, and robust business intelligence tools, all managed from our purpose-built Security Education Platform. In conjunction with phishing tests, RBS has also used our Email Security, Social Engineering, and URL Training cybersecurity education modules.

RBS had great success with early simulated phishing campaigns, with click rates plummeting from 47% in its initial company-wide test to 22% just two months later. Following that, however, the results seemed to plateau. “We thought, collectively, that we needed people to take some personal responsibility,” said Marjoribanks. That’s when RBS implemented its consequence model for clicking on simulated phishing emails — a step that brought significant additional reduction in click rates. “Now, we hover at around seven, eight, nine percent as a result,” she said.

Overall, RBS has reduced its phishing susceptibility by more than 78%. In terms of ROI, RBS indicated that its program has easily paid for itself by reducing the number of cyberattacks infiltrating the organization. But even with such great results, Marjoribanks feels the organization’s security awareness and training will never be over. She believes simulated phishing assessments must be continuous, saying, “Phishing has to be at the forefront of people’s minds. Even if we get to a point where we have an acceptable click rate, we just have to keep going. It’s just a service that is naturally going to be embedded in our offering.”

For more details about the RBS program, read the full case study on our website.