Security awareness programs exist to make users aware of the threats they face, and when planning one it is essential to recognize that social engineering is the number one way cybercriminals get in. The best response is a phishing simulation program that trains users to spot a phishing email and gives them a way to report it. While users learn to spot the simulated phishing emails, the program teaches them what to look for in the real ones that reach their inboxes.
- Total time: Depending on your program, it can take up to a year to reduce the phish-prone percentage, the share of users who fall victim to a simulated or real phishing email.
- Estimated cost: Check with KnowBe4 for more information
- Tools used: Phishing Simulation Software as a Service, like from KnowBe4
Step 1: Create a Baseline
Conduct your baseline phishing simulation to get an idea of where your organization stands compared to others in your industry or of your organization's size.
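The baseline only becomes useful once later campaigns are measured the same way, so here is an added example (not from the original post and not KnowBe4's code) of the bookkeeping behind the "phish-prone percentage" mentioned above. It uses constructed sample results for hypothetical users and two hypothetical campaigns ("baseline" and "q2"); a real program would feed in the platform's campaign export. Alongside the phish-prone percentage it tracks the report rate, since users reporting the email is the behaviour the program is trying to build, and it lists repeat clickers as candidates for follow-up training rather than blame.

```python
"""Baseline and follow-up metrics for a phishing simulation program.

Added example with constructed data; the users and campaigns below are
hypothetical. Real results would come from the simulation platform's export.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    campaign: str   # campaign name, e.g. "baseline"
    user: str       # recipient
    clicked: bool   # followed the simulated link / opened the attachment
    reported: bool  # used the phishing alert button


# Constructed sample data (hypothetical users and campaigns).
SAMPLE_RESULTS = [
    Result("baseline", "alice", True, False),
    Result("baseline", "bob", True, False),
    Result("baseline", "carol", False, True),
    Result("baseline", "dave", False, False),
    Result("baseline", "erin", True, True),
    Result("q2", "alice", False, True),
    Result("q2", "bob", True, False),
    Result("q2", "carol", False, True),
    Result("q2", "dave", False, True),
    Result("q2", "erin", False, False),
]


def campaign_metrics(results):
    """Return {campaign: {"sent", "phish_prone_pct", "report_rate_pct"}}.

    phish_prone_pct: share of recipients who clicked (the figure the post
    calls the phish-prone percentage).
    report_rate_pct: share of recipients who reported the email, whether
    or not they also clicked; a rising report rate is the success signal.
    """
    by_campaign = defaultdict(list)
    for r in results:
        by_campaign[r.campaign].append(r)
    metrics = {}
    for name, rows in by_campaign.items():
        sent = len(rows)
        clicked = sum(r.clicked for r in rows)
        reported = sum(r.reported for r in rows)
        metrics[name] = {
            "sent": sent,
            "phish_prone_pct": round(100 * clicked / sent, 1),
            "report_rate_pct": round(100 * reported / sent, 1),
        }
    return metrics


def repeat_clickers(results, min_clicks=2):
    """Users who clicked in at least min_clicks distinct campaigns.

    These are candidates for targeted (not punitive) follow-up training.
    """
    clicks = defaultdict(set)
    for r in results:
        if r.clicked:
            clicks[r.user].add(r.campaign)
    return sorted(u for u, c in clicks.items() if len(c) >= min_clicks)


def progress_vs_baseline(metrics, baseline="baseline"):
    """Change in phish-prone percentage of each later campaign relative to
    the baseline campaign; a negative number is an improvement."""
    base = metrics[baseline]["phish_prone_pct"]
    return {
        name: round(m["phish_prone_pct"] - base, 1)
        for name, m in metrics.items()
        if name != baseline
    }


if __name__ == "__main__":
    m = campaign_metrics(SAMPLE_RESULTS)
    for name, vals in m.items():
        print(name, vals)
    print("change vs baseline:", progress_vs_baseline(m))
    print("repeat clickers:", repeat_clickers(SAMPLE_RESULTS))
```

With the sample data the baseline campaign comes out at a 60% phish-prone rate and the follow-up at 20%, while the report rate rises from 40% to 60%; only "bob" clicked in both campaigns. Reporting both numbers matters because a falling click rate alone can also mean users are simply ignoring email, whereas a rising report rate shows the alert button is being used.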
Step 2: Share the “Why”
Next, tell your users what you are doing and make sure they are aware of the phishing simulation plan. Once they know, you also have to provide them with security awareness training.
Step 3: Communicate
Make sure they know why the phishing program is running, and include it in the onboarding of new staff as well as in briefings for existing employees. Do not cut off their line of communication to the InfoSec or IT teams when they discover a phishing email, whether it turns out to be real or not. Ensure they have some way to reach you, such as a phishing alert button in their mail client.
Step 4: Recognize your corporate culture
Consider your organization’s culture when deciding whether to use financial incentives (bonuses, raises) as the lure in a phishing simulation email. While this may get easy clicks, it has had negative repercussions elsewhere, and you will need to be sensitive to your employees. In the middle of layoffs, it may be viewed as cruel. Use caution and sensitivity when launching such a campaign. More importantly, explain to your users how they would actually be notified of salary changes, and whether the organization will use such financial-incentive lures in its simulations at all.
Step 5: It’s a teaching moment
Finally, remind your users that phishing simulation emails are a training tool and exercise, not a “gotcha” exercise. It is essential to educate your users and avoid leaving them with the impression that this is a way to trick them into falling for a phishing attack. Make sure your users know this is meant to educate them and help them spot the real phishing emails in their inboxes, so they stay safe at the office and also keep their families safe at home.