In recent months we’ve written a lot about security awareness and employee defense training. It’s an involved topic, clearly, and if you’ve taken away anything we hope it will be this:
If you want real, measurable improvements you must test your employees. And when it comes to email security, that means phishing your employees on a regular basis.
In this post, we’ll take a deep dive into a managed employee defense training program, and examine the ins and outs of effective security awareness training. From planning to post-game analysis, here are the best practices for managing your program.
Looking to get started with security awareness training right away? Check out our FREE buyer's guide first.
Start With the End in Mind
Before anything else happens, goals for the program are agreed upon… and it’s not just about reducing failure rates.
Perhaps the most important outcome of employee defense training is the shift in culture that takes place. Over time, your employees must come to accept the simple truth that not all emails are legitimate.
Email has become the backbone of business communication. In many organizations, more information is spread by email than through face-to-face interactions. As a result, employees typically leave their Outlook/Mail/Thunderbird clients running all day long, opening and reading new emails immediately.
So what does this tell us? Most people view email as intrinsically valuable and important.
It’s takes quite a substantial effort, then, to transform that culture into one that views email as potentially harmful. We need employees to consider new emails carefully, and to treat them as dangerous until proven otherwise. Not only that, we need them to believe that potentially harmful emails can and should be reported, and that nothing bad will happen if they’re wrong.
And it doesn’t end there.
It’s important to realize that employee defense training isn’t just about avoiding individual security incidents. When real-world phishing emails find their way into live inboxes, we don’t just want employees to recognize and avoid them… we want the emails reported.
Reported phishing emails serve as an early warning that emails with certain characteristics can and are bypassing technical controls such as advanced spam filters. By analyzing these emails, you’ll have the opportunity to amend and improve your security controls to ensure similar emails are blocked in the future.
In order to ensure all of these goals are achieved, specific metrics will need to be agreed on and monitored to ensure progress is being made. To do this, be sure to track the following statistics:
Failure – The proportion of training emails that employees 'fall for' (click on a malicious link, open a malicious attachment, inadvertently comply with fraud requests, etc.)
Non-failure – The proportion of training emails that employees do not click, open, or report
Reported – The proportion of training emails that are reported
Only once all of this has been discussed and agreed upon can the program actually start.
Finding a Baseline
If you wanted to learn to play the guitar, would you jump right in with Jimi Hendrix or Eric Clapton? Of course not, you’d start with the basics, and work your way up.
The same is true for employee defense training.
When you get started with employee defense training, the first phishing campaign should always be the same, the goal being to identify the organization’s current level of phishing maturity. The campaign will also help you identify any potential whitelisting issues, and ensure that future campaigns reach all intended recipients.
Now, you might be tempted to get right into the hard stuff. Perhaps your employees are above average phishing maturity, and can handle simulations of the latest real-world spear phishing attacks.
Sadly, that’s rarely the case, so the best practice is to start with the baseline campaign. Once completed, you can gradually work up in intensity and complexity until your employees really are where they need to be.
Once a baseline has been established, it’s time to start phishing in earnest.
Typically campaigns will be run monthly, with each employee receiving a single simulated phishing email per campaign. Some managers prefer campaigns to be more or less frequent, but monthly keeps interruptions to normal workflow to a minimum while still ensuring progress.
Every campaign should be developed using up-to-date phishing samples that have been used in the real world. Campaigns should be varied by season, industry, and even job role to ensure they are most effective in preparing employees for real phishing and spear phishing attacks.
As employees become more adept at identifying phishing emails, the sophistication of these campaigns increases. Over time, employees can learn to identify and report even highly complex and targeted spear phishing emails, enhancing your organization’s security and dramatically reducing costs associated with incident response and breaches.
But of course, in order for this to happen, we can’t rely on phishing alone. We need to identify employees who are struggling, and give them the support they need.
Learning From Failure
Of course it’s great when employees successfully identify and report a simulated phishing emails. But what do they really learn?
In reality, increasing your employees’ level of phishing sophistication relies on a certain level of failure. Each time an employee falls for one of our phishing simulations, they should be sent to a customized educational landing page. These pages can use video, infographics, and text to educate employees on the type of phishing attack they’ve just received (fill out this form if you're interested in seeing a sample of our high-impact training).
If, for example, an employee fails to identify a data entry phishing simulation, they’ll be directed to an instructional landing page or video that helps them to deal with similar attacks in the future.
To solidify this learning, any employee who ‘fails’ their monthly phishing simulation should receive a second simulation later in the month. This ‘remediation’ phishing email will be of the same type as the first, but with fresh content. If the employee fails again, they will be directed to a further educational landing page.
Naturally, in the beginning, you’ll see high levels of failure from this sort of program. And that’s OK.
Over time employees learn to recognize phishing emails for what they are, and to identify and report increasingly complex phishing and spear phishing emails. Gradually, instead of being a security concern, your employees will become a valuable source of referred phishing emails that can be used to further tighten your technical controls.
Of course, in a business environment, improvement isn’t enough. You need to be able to evidence improvement, or retaining funding over time could become a challenge.
For this reason, your Employee Defense Training program should include regular reporting cycles. These can be adapted to suit your needs, but typically they look something like this:
- Specifics and rationale of campaigns sent
- Detailed analysis of failure, non-failure, and report rates
- Trend analysis to evidence improvement
- A more robust/detailed report and summary
- Full discussion of results
- Discussion of perceptions vs. results and agreeing goals
- Requests and recommendations
It’s important to note that these reporting cycles shouldn't be a one-way process. There should be a free flow of communication between between the team delivering your employee defense training, and the manager(s) responsible for scrutinizing the program's results.
Getting Started with Employee Defense Training
If you’re interested in getting started with Employee Defense Training, we’d love to help. We’ve worked with organizations from almost any industry you can imagine, from healthcare to social media platforms, career sites, financial institutions to government and educational institutions, and our approach has succeeded time and time again.
For a sample of our high-impact training, to request a complimentary phishing susceptibility assessment, or to arrange a demonstration, click here.