Through many clients and partners, we have gotten this question: “Do you offer phishing simulations?” The answer is yes, but we have a brand new approach to them.
Phishing simulations have become a standard practice in cyber security training. It may seem like everyone is doing them. But should you phish your employees and set them up for failure? Or is there a better way to conduct simulated phishing tests? AwareGO offers a new and better alternative to regular phishing simulators, one that gives our clients more information than just who clicked and who didn’t. We call it the Human Risk Assessment.
What do phishing simulations do?
In and of themselves, phishing simulations don’t raise awareness or prevent phishing. Neither does forcing those who “failed” to sit through a lecture or long videos on cyber security. Phishing simulators do give organizations an indication of where they stand awareness-wise, but only when it comes to phishing, and only for the kind of phishing that was actually tested in the simulation.
What the phishing simulation software doesn’t tell you is how these employees (no matter how well they did with not clicking links or opening attachments) react to other types of cyber threats. Would they let a person in uniform into the building without question? Do they take confidential information to their home office? Would they have clicked on the link or attachment if the email had been more in line with their interests or line of work? Would they share their password? AwareGO offers a way to measure phishing resilience as well as all those other risk factors.
The fact is that when you phish your employees with phishing simulation software, you can only test a fraction of the phishing methods that can and will eventually be used to try to scam them. And hackers are constantly creating new ways to phish and scam. All this does is set employees up to fail, and they may come to resent you for it, along with any subsequent cyber security training they receive as a result. That’s not the way to build a strong security culture within a company. Instead, offer them a chance to show their skills through a sandbox environment phishing simulation and gain more insight into their way of thinking.
Try the new approach to phishing simulations
It’s understandable that you want to teach your employees about phishing, because that’s usually where serious security breaches and hacks start. We want everyone to be better able to recognize phishing emails too. Opening emails and attachments has become a big part of our jobs, and it’s easy to click on the wrong link or attachment out of routine. Here’s where our new approach to phishing simulations comes in.
There are many cyber security firms that offer simulated phishing tests designed to measure the level of phishing awareness. With the Human Risk Assessment you can go deeper into both knowledge and behavior around phishing emails. This allows you to find out how people recognize phishing emails and whether they would report them. In addition, you can assess employee knowledge and behavior around physical security, passwords, sensitive data, smart devices, social media sharing and more.
This assessment can work with any type of training you have. Use the results to deliver the right training to the right people. If you are in need of cybersecurity awareness training, AwareGO offers high-quality security awareness training content to make your life easier and training more fun.
Get the right cybersecurity benchmark for your organization
Number one, two and three: train, train and train your employees. Then train them again. The message of cyber security awareness should be kept top-of-mind all year round. If you need a benchmark to measure results or progress beyond just phishing, try the Human Risk Assessment. This will show you not only where your employees stand when it comes to phishing but also where they stand on multiple other threat areas. The assessment questions can even be tailor-made to fit your organization.
Raise awareness, not hackles
There’s no use in just phishing your employees and then leaving it at that. It’s what you do next that really matters. Phishing simulations as most organizations have come to recognize them are not mandatory just because they’ve become the norm. A new and better way of assessing and simulating phishing is available: a method that not only treats your employees with respect but also gives you more information and insight.
Running any kind of phishing simulation also doesn’t mean that there can be no talk of security awareness beforehand. It’s always better to train employees and raise awareness first. Help your employees understand why you need strong cyber security. They need to know that spam filters and firewalls are not going to protect them 100%, and that they are the ultimate firewall. And it’s not just important for your organization, it’s important for them personally as well.
If you are going to run a phishing simulation, do it with care and purpose and in a way that does not create frustration among employees. Coordinate your efforts with the phishing test by sending out a security awareness campaign, posters and emails about what you are doing and why you are doing it. In other words, help your staff succeed instead of setting them up to fail.
Building a strong security culture
What you really want is not just a compliance checkmark for your files but a strong security culture that will actually protect your organization. Having a strong security culture within the workplace means that employees, on every level, will tap each other on the shoulder when they see behavior that doesn’t comply with security standards. They will model good behavior to their peers and go to great lengths to protect their workplace. And they will help each other keep the workplace safe.
This only works if everyone feels that they are “in this together”. That’s why messages of cyber security procedures should not come from “on-high” but rather move laterally throughout the organization. It can be a job for HR, IT, a specific DPO or a CISO (or even a combined effort) but the message needs to be inclusive, simple and make sense to everyone.
Punishing people for mistakes is a surefire way to instill fear. When employees live in fear, they are less likely to participate in training and less likely to report breaches and data leaks. They are also more likely to quit. Instead, cultivate a no blame – no shame atmosphere where employees are rewarded for good behavior and offered additional training to set them up for success if they make mistakes. Make sure employees know that cyber security is everyone’s business and that all will benefit from it. With no fear and a common goal, employee buy-in will be much higher and your company that much safer.