Managing Your Organization When it Comes to a Phishing Simulation Program

Once your first ePHISHiency simulation email is delivered, celebrate! You just took a huge step towards making your organization more secure. But the work isn’t done yet. Since the goal is to improve awareness for your team, it is likely you’ll be met with at least a few questions during or after a simulation. Maintaining a constant theme throughout your responses to employees, no matter the source, is paramount to fostering an educated and resilient workforce.

Handling questions and reactions

If you employ dedicated staff for Information Technology, Help Desk, or cybersecurity roles within your organization, they’ll likely see an increase in emails, phone calls, or tickets in response to a phishing simulation. This is a good thing, as engagement and notification are important signs of an organization that is aware of the threats posed by phishing emails.

To ease the burden these teams may face, ensure they are communicating the same message to anyone from your organization who contacts them. Ideally, any question about the legitimacy of the phishing simulation email is answered with the general guidance your organization provides for identifying potentially suspicious emails (e.g. “please delete the email” or “forward the email to this email address…”).

Sometimes someone on your team may notify their direct supervisor or manager about suspicious emails and seek guidance from them on how to proceed. In these instances, it is important to ensure managers are properly trained on how to manage these types of cyber threats based on the organization’s guidance. Managers and other leaders should provide a response that is uniform and in line with the organization’s expectations for its team.

There is also the potential that those included in your phishing simulation may show some degree of frustration towards the simulations. In particular, users found to be susceptible to the simulation may feel flustered, embarrassed, or even angry that they “failed” or were “tricked” into clicking a link. It is important in these instances to communicate the training and awareness aspects of the program, and to provide clear guidance on the expectations and outcomes as they relate to your phishing simulations.

Reward Your Top Performers

Don’t be afraid to show some love for those who are knocking the simulations out of the park!

People respond better to positive feedback than to negative feedback. A great way to reduce any anxiety associated with phishing simulations is to reward your top performers. It can be as simple as a direct email to let them know how awesome they are, or even entering them into a raffle for a prize based on the number of times they haven’t been susceptible.

You can go the extra mile and have different departments or teams compete against each other, where the “winning” group receives a free lunch or happy hour!

Educate Your Low Performers

Determining how to address and educate your low performers will be one of the most important aspects of your program. It is imperative that you are upfront with them on their performance, but still considerate of their feelings and experiences.

When it comes to talking with low performers, the conversation should not be looked at as a punishment, but rather a discussion to help identify why someone has repeatedly been susceptible. From there, the goal should move toward developing an action plan that helps them achieve success.

We cannot force people to be more cybersecurity conscious. Instead, we should look to empower them with training, knowledge, and experience that elevates their cybersecurity posture.

Another way to manage low performers is to create tiered levels of intervention based on the number of times they have been susceptible. A first-time offender may simply receive an email advising them of their susceptibility that includes references to the organization’s training or cybersecurity awareness materials. Additional incidents of susceptibility may then escalate to various options that could include discussions with managers or directors, or additional training requirements.

Above all else, be upfront with users about what actions or interventions may arise from repeated failures of simulations. It is about establishing a partnership with the goal of protecting your organization and its people!
