Making the move from the typical security awareness training approach to a powerful anti-phishing program isn’t an easy sell.
Executive boards are used to basic training programs with boring annual sessions, and (let’s be honest) minimal results… with correspondingly tiny budget approvals. So when they finally do agree to a more in-depth program, there’s a tendency to expect results overnight.
The trouble is, training users to spot and report phishing emails isn’t an overnight fix. And trying to realize dramatic results in a short timescale is a surefire way to hamstring your program.
The 'Throw Everything at the Wall and See What Sticks' Approach
One of the biggest mistakes enterprises make when trying to combat the threat of phishing is to immediately buy a training platform without having an underlying strategy in place.
Does that seem odd? Of course it does, and here’s why: Most enterprises think they have a strategy… but they really don’t. You see…
Buying a training platform and running campaigns is NOT a strategy. It’s barely even a plan.
Nonetheless, enterprises do it all the time. They recognize the threat posed by phishing, they understand they need to do something about it… and then they fall into the age-old trap of thinking they can simply buy their way out of the problem.
And what happens? They see some results in the first few months, and they figure their plan is working.
That is, of course, until they hit…
The Plateau of Complacency
This is something we see all the time, and it’s a very easy trap to fall into.
When an anti-phishing program is first introduced, users are typically engaged, motivated, and eager to learn.
Fast-forward a few months, though, and they can quickly become complacent. Their day-to-day workload starts to eclipse their interest in the program, they stop paying attention to training resources, and they become less alert to the possibility of malicious emails in their inbox.
As a result, the organization’s phishing susceptibility rate, which had dropped rapidly in the early months of the program, hits a plateau. As the months roll by, the rate gradually backslides, leading to frustration, more security incidents, and (ultimately) loss of funding.
But it doesn’t have to be this way. All organizations have to do is accept one inalienable truth: Conditioning users to identify and report phishing attacks is not a short-term initiative.
Quite the opposite, in fact. Any program which aims to change user behaviors should automatically be considered a long-term investment, and anti-phishing programs are no exception.
Building a Roadmap
Learning to spot phishing emails isn’t like learning to tie your shoelaces. You can’t simply master one basic skill and expect to never be fooled again. Instead, learning to spot phishing emails requires users to gradually internalize a whole host of lessons and red flags, and that simply doesn’t happen in a short space of time. There will always be short-term wins, but ultimately it's about long-term gains.
So how can you design your program to ensure you don’t fall victim to the plateau of complacency?
The answer is simple… but not easy. You have to develop a roadmap of how your program will evolve over time. Once your users’ newbie gains have run out, you must have a plan in place to develop and continually sharpen your users’ ability to spot real-world phishing attacks.
To that end, here are some of the hallmarks of a well-planned anti-phishing program:
- Simulation complexity is increased gradually over time — It’s no use bombarding users with complex phishing simulations right at the start of your program. Most users will have no previous knowledge of phishing, so you’ll need to start right at the beginning. Each month you’ll need to slightly increase the complexity of your simulations, while keeping them in line with the real-world phishing attacks targeting your organization every day. Move too slowly and your users will get bored. Move too fast, and they’ll stand no chance. Either way, the plateau of complacency awaits.
- It builds the right skills at the right time — As we’ve already noted, learning to spot phishing emails isn’t just one skill. At the same time, though, you can’t ask users to pick up lots of skills at the same time. Instead, your simulations and training materials must be designed to introduce new skills (e.g., checking sender details) at the right time, once previous learning points have been fully internalized.
- It doesn’t overwhelm users with simulations — In pursuit of quick results, it’s tempting to send simulations more and more often. Unfortunately, this often has the opposite effect: Users become frustrated and disengage from the learning process.
- Frequency, brevity, and retention are key — If you want your employees reporting any and all suspicious emails, you need a programmatic approach to security awareness training. Most programs have libraries filled with 100s or 1000s of lessons, many of them outdated and 30-60 minutes long, and they are terribly ineffective. For SAT programs, microlearning is key, and introducing short lessons on a regular basis will help employees retain that information. The more your team retains, the lower your risk threshold becomes.
If you can set up your program with these four rules in mind, we can almost guarantee you’ll see sustainable results over the long term.
Building a Cohesive Program
If you’re treating your anti-phishing program as a long-term investment in reducing cyber risk, you’re ahead of the curve. Naturally, though, there are plenty of other things to consider.
To find out more about how to develop and maintain a powerful anti-phishing program, register for our free on-demand webinar: Best Practice for Enterprise Phishing Protection.