You’ve run training seminars for several years that set aside ample time to talk about malware and all the ways it might infiltrate your systems. Running a phishing simulation to test your employees’ awareness and how quickly your security team responds can seem like a good idea, but many of these plans go awry. Here are some steps you can take to make a phishing simulation more effective:
Focus on short and sweet: When you’re running any kind of training session, the temptation is to think, “As long as we’ve got everyone in one place…” and cover every angle of corporate policy related to cyber security. Instead, keep training about phishing short and focus only on that topic. Rather than putting a lot of emphasis on corporate policy, focus on the practical steps your employees should take if they receive a phishing email.
Make it mobile: If you’re using interactive training modules as a standalone or as a way to prep or review for an in-person training seminar, make sure that module is mobile-friendly. It’s a relatively quick, easy improvement, but will make a big difference in your level of engagement from employees.
Focus on more than email: Attacks arrive in a variety of formats, so make sure your training helps employees recognize phishing over social media or even phishing that comes through a phone call.
Create a range of phishing simulation exercises: Don’t assume your staff won’t fall for the most obvious types of phishing emails. Test them with everything, from an ousted foreign prince asking for money to lookalike emails from Wal-Mart that are convincingly similar to the real thing.
Measure the behaviors: The problem with many training programs and phishing simulations is that they don’t actually change behaviors. You need to establish goals for your phishing simulation and then identify how you’ll measure whether those goals have been met.
Once you have a baseline, you can begin trying to improve on the results. Even if your employees become well-versed at recognizing a phishing email, there’s also your security team to keep in mind. How can they efficiently process phishing concerns, particularly if awareness becomes so intensified that nobody is willing to open an email until it is vetted by IT? It’s important to automate these processes when possible and encourage employees to learn the ways to recognize a phishing email.
If you’re interested in running a phishing simulation for your employees, contact us at eXemplify. We can help you identify the right tools to make phishing prevention and training more effective for your organization.