Phishing awareness training is an essential security function. But while it may seem straightforward, training employees to spot phishing attacks is no simple task. Done poorly, phishing awareness training can be counterproductive and leave your organization more vulnerable instead of more secure. Here are 5 common pitfalls to avoid when training your users to spot and report phishing attacks.
- Infrequent testing. Spotting phishing attacks is a skill that needs constant sharpening, and users need regular reminders to stay vigilant. Testing once or twice a year might check the box for an auditor, but it’s not enough. What matters is an ongoing process that keeps users alert in their day-to-day email decisions, not a one-off experiment.
- Click rate sandbagging. Click rate the only measure of success? Great! Just make the phishing simulations easy to spot and call it a day. Who cares if the real-world attacks are more complex and sophisticated? If your click rate is consistently close to zero, it says more about the difficulty of your simulations (or lack thereof) than the vigilance of your employees.
Sharpen your organization's human defenses against phishing threats with a security awareness training program. The Security Awareness Training Buyer's Guide identifies the key areas every SAT program should address.
- Not finishing the drill. Training employees to spot phishing attacks is only part of the equation. What happens when employees report a suspicious email? If those reports are sitting in a helpdesk queue, they aren’t doing you any good. There’s probably a legitimate attack somewhere in those reports, and it’s likely that someone else fell for it. Would you rather find out about that now, or wait until it becomes a much bigger security incident? Have a process in place to collect reported phishing emails, analyze them, and mitigate the threats they reveal.
- “Best guess” phishing simulations. Sure, cybercriminals might use that major news headline in a phishing attack. But what’s the real probability that it will really be used to target your employees? You can’t train an employee to be sharp against every conceivable phishing ploy, so it’s important to focus your efforts on those that present the most risk. The ideal phishing awareness training program simulates the techniques most likely to be used by your adversaries.
- Lame training videos. People have high expectations when it comes to video content these days, and the quality of the training videos you pair with phishing simulations says a lot to employees about how serious this really is. Videos that are childish, or videos that blatantly attempt to stoke people’s fears, can be detrimental and reflect poorly on the company’s security team. Remember, it’s the video that delivers the training when an employee fails a simulated phish. If it isn’t effective, the rest doesn’t matter. So don’t skimp on training videos!
Want more information about phishing awareness training? Check out our How to Turn Your Employees into Security MVPs webcast.