Over 10 years ago, live phishing tests emerged as a new innovation in security awareness. IT security managers would have their team send fake phishing emails to all staff to test for vulnerabilities and provide a “teachable moment”.
What was once considered an “interesting, but scary” prospect for security managers to take to their own managers has turned into a regular practice. Some managers love them, and some hate them. The reality is that most managers now believe live phishing tests are effectively a requirement of many cyber insurance programs and security certification audits. They have become so common that many organizations overuse the tool and get less value than they expect: unexpected costs and program delays, unreliable metrics from poorly designed implementations, and employee backlash.
Employees continue to fail live phishing tests, for reasons both legitimate and questionable, despite completing awareness training that takes real time out of their day.
Well, now what? Many companies will require employees to retake the training or, worse, send out more phishing tests until the click rate reaches the percentage they want, but that is a dangerous strategy. The numbers depend on so many variables that a click rate is a very low-assurance metric, which means people are being put through more training, and more costly phishing tests are being run, often for the wrong reasons.
Regardless, when you notice employees failing your live phishing tests, or failing training assessment thresholds, there are a few things you can do that will improve their proficiency at spotting phishing emails…
As mentioned before, a lot of organizations will send employees who fail their tests back into the same training program. Consider this: If someone couldn’t do a math problem, would you keep repeating the same lessons until they could? Or would you try and teach them a different way, in which they could personally understand?
If you are using the same training for every person in your organization, it’s likely that not everyone will understand or be able to utilize it in the same way. When the initial training is not effective, a more interactive and targeted approach is more likely to engage employees to learn the basic concepts.
Consider offering focused training sessions that address the specific types of phishing attacks that your employees fall for. If your employees are only falling for one type of email, it doesn’t make sense for them to go through the whole security training again. Instead, create a shorter course that is engaging and allows them to learn the exact skill they need.
After an employee has failed a phishing test, it may be tempting to send them more tests until they ‘get it right.’ However, overwhelming employees with too many tests can backfire and lead to frustration, which could discourage them from engaging in training or opening emails altogether. It’s also likely that employees will start to “spot the test by its subject line” rather than improve their skills at spotting clues within the messages. This can skew statistics and cause a false sense of security among managers.
Many employees who get caught by a deceptive phishing test experience an adrenaline surge, which impairs their ability to stop and think rationally. Until they learn to confidently analyze potential threats, they cannot be expected to objectively spot well-crafted phishing emails.
Before you send out the next round of tests, pause, and see what it is that is tricking your employees. Look at the data or talk to them personally (depending on the size of your organization), to see what they think their weakness is, and show them the kinds of tricks used by attackers to trigger their emotions.
It’s important to allow them to learn from their mistakes by practicing in a safe, interactive environment before sending out more tests on the same subject, so it doesn’t feel like an adversarial “See, you suck!” moment.
You may also want to take into consideration the number of emails the employee has clicked on or opened. If it’s only one out of ten, it might not be a big enough reason to send them back into training or to send them more emails. Again, interactive tests can allow them to practice analyzing many more emails, in a safe and cost-effective way, than live phishing tests can.
If certain employees or departments continuously fail phishing tests, it may indicate that additional training is needed for that group. Or it may be a technical issue unrelated to the employees' abilities at all, such as a mail security gateway that pre-fetches every link in every message it scans and so registers a “click” for everyone behind it within seconds of delivery.
Consider:
Identify potential patterns, and figure out what is causing the group to perform poorly. Here are some potential causes:
Review your training programs to determine if any of these gaps need to be filled. Then, tailor the program to create a solution for the underperforming group.
Click Armor is launching a new feature: Customized Training Groups. You will be able to create customized groups based on the parameters you want: department, remediation, level of security risk, or whatever you choose. Then you can select the exact topic you need them to be trained on, and when. Be the first to try the new feature.
It is essential to communicate the importance of cybersecurity to your employees. However, when an employee fails a phishing test, it is also important not to be too draconian in disciplining them. Some companies have publicly posted the names of employees who clicked, or created punishments for those who click on a link. This can be very harmful to your security culture. The result is that, instead of trusting the security team to help them when they see something suspicious, employees will be afraid to report it at all.
Instead, inform the employee privately of their pattern of failure and open the conversation to offer help, and see what their thoughts were behind clicking the link. Use the opportunity to educate and provide additional training to those who need it. By creating a safe and nurturing environment from which employees can learn, you’ll have a more positive security culture, making it easier for employees to be engaged in your training.
Should an employee who clicked on one link after 10 tests be in the same re-training program as an employee who clicked on 5 of them?
Definitely not. Before implementing your remediation program, ensure that you create guidelines for the number of times an employee can fail a phishing test before additional actions are needed. The program criteria need to be clearly defined and published, so that employees don’t feel they are being unfairly targeted for remedial training.
Consider monitoring how the tests are taken and create guidelines for when a response protocol will be implemented if an employee fails a test multiple times. It’s important to communicate these guidelines to your employees so they understand the expectations and consequences of falling for a phishing attack. Make sure it doesn’t come off as a threat, but rather a reassurance that no matter what, they will learn how to successfully protect their business from attackers rather than be unfairly punished or be left vulnerable to clicking more links.
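As an added example (not code from the article, and not Click Armor's product), here is a Python script that applies published remediation thresholds of the kind described above to simulated-phishing results. Before it computes any rate it sets aside clicks that look like an automated link scanner rather than a person, which is the most common "technical issue" behind a department that appears to fail every test: the mail security gateway follows every link within seconds of delivery. The events, user names, departments, threshold values and scanner user-agent string are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Event:
    """One simulated phishing email sent to one recipient."""
    user: str
    department: str
    campaign: str
    delivered: datetime
    clicked: Optional[datetime]   # None when the recipient never clicked
    user_agent: str               # empty string when there was no click


# Published remediation policy (hypothetical values chosen for illustration).
MIN_TESTS = 5                 # below this, a click rate is too noisy to act on
MICRO_LESSON_RATE = 0.2       # >= 20% genuine clicks: short targeted lesson
COACHING_RATE = 0.5           # >= 50% genuine clicks: private one-on-one conversation
SCANNER_GRACE = timedelta(seconds=10)   # a human rarely clicks this fast after delivery
SCANNER_UA_MARKERS = ("scanner", "safelinks", "urldefense", "python-requests")  # hypothetical


def is_automated_click(ev: Event) -> bool:
    """True when the click looks like a link-scanning appliance, not a person."""
    if ev.clicked is None:
        return False
    if ev.clicked - ev.delivered <= SCANNER_GRACE:
        return True
    ua = ev.user_agent.lower()
    return any(marker in ua for marker in SCANNER_UA_MARKERS)


def per_user_stats(events):
    """Count tests, genuine clicks and automated clicks for each user."""
    stats = defaultdict(lambda: {"tests": 0, "clicks": 0, "automated": 0})
    for ev in events:
        s = stats[ev.user]
        s["tests"] += 1
        if ev.clicked is None:
            continue
        if is_automated_click(ev):
            s["automated"] += 1
        else:
            s["clicks"] += 1
    return dict(stats)


def remediation_tier(tests: int, clicks: int) -> str:
    """Map a user's history onto the published policy tiers."""
    if tests < MIN_TESTS:
        return "insufficient data"
    rate = clicks / tests
    if rate >= COACHING_RATE:
        return "coaching"
    if rate >= MICRO_LESSON_RATE:
        return "micro-lesson"
    return "none"


def remediation_plan(events):
    return {user: remediation_tier(s["tests"], s["clicks"])
            for user, s in per_user_stats(events).items()}


def department_click_rate(events):
    """Genuine-click rate per department, with scanner clicks excluded."""
    tests, clicks = defaultdict(int), defaultdict(int)
    for ev in events:
        tests[ev.department] += 1
        if ev.clicked is not None and not is_automated_click(ev):
            clicks[ev.department] += 1
    return {dept: clicks[dept] / tests[dept] for dept in tests}


# Constructed sample data: ten weekly campaigns, four recipients.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
SCANNER_UA = "Mozilla/5.0 (compatible; LinkScanner/1.0)"   # hypothetical appliance


def _series(user, dept, n_tests, clicked_on, delay, ua):
    """Build one user's history: n_tests emails, clicks on the listed campaign numbers."""
    out = []
    for n in range(n_tests):
        delivered = datetime(2024, 1, 1, 9, 0) + timedelta(days=7 * n)
        hit = n in clicked_on
        out.append(Event(user, dept, f"C{n:02d}", delivered,
                         delivered + delay if hit else None, ua if hit else ""))
    return out


SAMPLE_EVENTS = (
    _series("alice", "finance", 10, {3}, timedelta(minutes=15), BROWSER_UA)          # 1 of 10
    + _series("bob", "finance", 10, {1, 2, 4, 6, 8}, timedelta(minutes=20), BROWSER_UA)  # 5 of 10
    + _series("carol", "sales", 10, set(range(10)), timedelta(seconds=2), SCANNER_UA)   # gateway, not carol
    + _series("dave", "sales", 3, {0, 1}, timedelta(minutes=5), BROWSER_UA)          # too few tests
)

if __name__ == "__main__":
    for user, tier in remediation_plan(SAMPLE_EVENTS).items():
        print(f"{user:6s} -> {tier}")
    for dept, rate in department_click_rate(SAMPLE_EVENTS).items():
        print(f"{dept:8s} genuine click rate {rate:.0%}")
```

Run without the scanner filter, carol would show a 100% failure rate and drag the whole sales department into remedial training; with it, she is correctly left alone and dave is flagged as having too little history to judge, while alice (one click in ten) and bob (five in ten) land in different tiers, as the article argues they should.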
Preventing phishing attacks requires a coordinated effort from all employees. After an employee fails a phishing test, take the opportunity to provide additional, interactive training and support that matches their situation, rather than creating a culture of enforcement and fear.
Use this as a learning opportunity to identify patterns and areas where additional training is needed. Incorporate various types of foundational training before implementing live phishing testing. And when you do use live tests, start with less deceptive scenarios to keep employees from feeling targeted.
By implementing these best practices, you can help create a more secure and confident workforce, ready to identify and thwart a phishing attack.
Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.