It may seem like a small issue to some. But this is serious.
IT Managers have NO IDEA what may trigger a major personal crisis for employees.
For example, topics such as:
1. Sex
2. Drugs and medications
3. Religious issue
… are very personal to each of us.
If an email involves an issue an individual struggles with privately, they WILL LIKELY click if the trigger hits a sore spot. So, a live phishing test that goes into these grey areas is almost certainly adding a high degree of variability to the resulting data.
Live phishing tests should stay away from sensitive personal issues. But it is very hard to do in an operational environment like live email messages, when the purpose is to teach employees about how attackers may target those emotions.
It’s better to teach employees about these concepts when you can provide context without triggering their actual emotions. This is an area where immersive, virtual inbox phishing simulations are very powerful, and a much more powerful experience.
Photo by Resume Genius on Unsplash
For just $325 USD, you can run a 6 week, automated program for gamified phishing awareness training and challenges. (Limited time offer. Normally valued at $999 USD)
Use Promo Code: 6WEEKS
Awareness training can address these kinds of vulnerabilities in a more inclusive and less “risky” way (from a program point of view).
Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.
Why live phishing tests suck: Lack of clear guidance
Employees must be given clear, consistent guidance on what to look for, and how to handle suspicious messages.
This may seem obvious, but most organizations are too vague in their guidance to employees, and rarely try to reinforce it.
Unless employees are in externally facing roles, where they receive many external inquiries, they are not often thinking about this.
You need to be constantly reminding employees about what they should look for in sender addresses, link URLs or body content.
Without this guidance, you should expect random fluctuations in their ability to avoid suspicious messages in phishing tests.
Testing people on knowledge they have rarely seen is unfair and unproductive.
You should be using an awareness program that provides ongoing, practical tips and allows them to practice using them to spot threats in a safe environment.
For just $325 USD, you can run a 6 week, automated program for gamified phishing awareness training and challenges. (Limited time offer. Normally valued at $999 USD)
Use Promo Code: 6WEEKS
Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.