Reported phishing emails are useful for plenty of reasons.
Let’s be honest, employees make mistakes. And sometimes those mistakes have catastrophic consequences.
So here it is… the first one you’ve received. Everything has been building up to this.
You spent days preparing the business case, weeks designing the training program… and it’s finally paid off.
The first user-reported phishing email has hit your inbox.
It should not be a surprise that 95 percent of breaches come through phishing attacks. A simple lure email lands in one of your users' inboxes, they click it, and everything unravels from there.
Making the move from the typical security awareness training approach to a powerful anti-phishing program isn’t an easy sell.
Executive boards are used to basic training programs with boring annual sessions, and (let’s be honest) minimal results… with correspondingly tiny budget approvals. So when they finally do agree to a more in-depth program, there’s a tendency to expect results overnight.
The trouble is, training users to spot and report phishing emails isn’t an overnight fix. And trying to realize dramatic results in a short timescale is a surefire way to hamstring your program.
Frustrating, isn’t it?
You design a powerful anti-phishing program, secure funding from your executive board, provide world-class training. You do everything right…
Oh, your users are probably spotting phishing emails. After all, they’ve engaged with the training, and seem to be taking it seriously.
But no matter how many times you remind them, they just won’t report those phishing emails.
In most organizations, a user who can identify and delete phishing emails is considered a huge asset.
And, let’s be honest, they’re certainly a big step in the right direction. Users who can't spot a simple phishing email can easily jeopardize the security of an entire organization, even with a comprehensive set of technical security controls in place.
But in our eyes, there’s still a long way for these users to go. Deleted phish are better than clicked phish, but they shouldn’t be the end goal.
Training users to identify and report phishing emails is far from an overnight fix.
It takes time, persistence, and engagement to make a meaningful impact on user email behaviors.
But you already knew that, didn’t you? In fact, you probably already have a program in place to help users identify potentially malicious emails.
If you’ve been following our blog for a while, you’ll already be aware of our stance on anti-phishing training.
Experience has taught us that the only way to reliably improve a user’s ability to spot and report phishing emails is to test them in the real world. To put it another way, they need to see realistic phishing emails in their inbox on a regular basis… and you need to put them there.
It’s tempting (oh so tempting…) to treat this as a gotcha exercise.