Training users to identify and report phishing emails is far from an overnight fix.
It takes time, persistence, and engagement to make a meaningful impact on user email behaviors.
But you already knew that, didn’t you? In fact, you probably already have a program in place to help users identify potentially malicious emails.
If you do have such a program, you likely noticed two things almost as soon as you got started:
- Your users quickly improved their ability to identify phishing emails, but;
- They failed a lot.
But you know what? Failure really isn’t the setback it seems to be.
On the face of things, seeing 80 percent of your users fail a specific simulation might seem discouraging. In reality, though, it’s a huge opportunity.
When it comes to cyber security, making the headlines is rarely a good thing. To make sure it doesn’t happen to your organization, check out our FREE on-demand webinar: The Rise of Spear Phishing & How to Avoid Being the Next Headline.
Remember the Plan
First things first. If you’re going to get anywhere, you need to understand what you’re trying to achieve. In this case, your mission statement is likely something along the lines of:
“To provide users with the skills and tools they need to identify and report at least 90 percent of malicious emails.”
So far so good. After all, nobody can expect to be 100 percent perfect, and a 90 percent detection rate will have a major impact on cyber risk.
But the important thing to note here is that you want users to identify real phishing emails. When it comes to malicious email in the real world, failure really is the enemy.
But when it comes to simulated phishing emails, this no longer holds true. If you create and distribute a phishing simulation that is correctly identified and reported by 100 percent of your users… you really didn’t achieve anything.
Just like they were playing a game of tennis against a vastly inferior opponent, reporting your simulation was little more than a waste of your users’ time. Even worse, if you repeatedly make your simulations too easy your users’ ability to spot them will gradually degrade, putting them at greater risk of being duped by real-world phishing lures.
But there’s more to failure than simply gauging the skill level of your users. In fact, when a user fails one of your simulations, you have a golden opportunity.
Failure: The Ultimate Motivator
Think about the last time you failed at something. It sucked, right? It’s even worse when you fail at something you tried really hard at.
The truth is nobody likes to fail… but it’s important for our development.
Think about it. You can’t get better at a sport without playing stronger opponents, but naturally, that will lead to plenty of losses. Each time you lose you’ll resolve to work harder, practice your skills more frequently, and gradually improve to the point where you can reliably beat those same opponents.
And what do you do then? You seek out even better players, and challenge them.
The fact is, as great as it feels to win, most people are far more motivated by their losses than by their victories. And if you want to really transform your users’ email behaviors, you’ll need to keep this fact firmly in mind.
Each time one of your users fails a simulation, they will naturally be frustrated. Like we said, nobody likes to fail. But even more than that, nobody wants to fail twice.
So help them out. The moment a user fails a simulation, direct them to a detailed, easily digestible training resource that explains exactly how to spot similar phishing emails in future. Short instructional videos work well, but well-written text with accompanying images will also work.
Then, later that same month, send them a second simulation similar to the first, giving them an opportunity to put their learning into practice. No need to send this simulation to all users – Just those who failed at the first attempt.
This approach is known as “point-of-failure” training, and when combined with a follow-up test it consistently works wonders for behavioral change.
Best Practices for Enterprise Phishing Protection
Phishing is the #1 threat facing organizations all over the world, from hospitals and schools to financial institutions, cutting-edge tech companies, and multinational conglomerates. In fact, almost every high profile breach you’ve read about in national headlines over the past decade has included a phishing component.
To find out how your organization can mitigate the risk posed by phishing, register for our FREE on-demand webinar: Best Practices for Enterprise Phishing Protection
*** This is a Security Bloggers Network syndicated blog from The PhishLabs Blog authored by Dane Boyd. Read the original post at: https://info.phishlabs.com/blog/fight-against-phishing