Testing your employees is the first crucial step in a proactive approach to securing your systems.
- Company-wide buy-in: The first step to eliminating a problem is to know that it exists. No phishing awareness program will get anywhere if there are elements of your organization that aren’t on board, and this starts with management and senior leadership. They need to be aware that phishing is a real threat to the company, regardless of their team’s function within the organization.
- Initial training: Give your employees the knowledge and tools they need to identify and report phishing attacks. These training sessions are short and can be run for specific groups and teams within your organization. The concepts of phishing awareness are not complicated and should be taught to anyone who has email access.
But more importantly, the goal of awareness is to reinforce the idea that employees are a critical part of data security and that it is a shared responsibility. The training introduces employees to the idea that there are hackers out there who will use them as a way into your networks, that these hackers are a smart and determined enemy, but that with a little training, employees can confidently serve as the front line in securing your systems.
The final part of awareness training is to inform them that their knowledge and ability to recognize phishing will be tested over the next few months or years.
- Frequent testing: The best awareness programs have to walk a fine line. Too many test emails are overkill, even disruptive; too few will fail to give a practical assessment. The goal is to plan testing as a campaign, one that becomes progressively more difficult. Initial emails should be easy to identify, but after that, different levels of subtlety will provide a true test. Later emails should include social engineering tactics and spear phishing. Test campaigns should also include management and C-level employees among the recipients.
- Have a plan for monitoring and reporting: While it is never a good idea to publicly call out individual employees or a group for failing phishing tests, aggregate results should be shared with the organization. Reward high performers and provide additional training for low performers.
- Reinforce training: As with any cybersecurity threat, phishing attacks evolve over time, which means training needs to be revisited. When you find individuals or groups having trouble grasping the concepts, additional training will reinforce what they have learned.
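As an added example (not code from the original page or any simulation product), here is the aggregation a program owner might run over campaign results: team-level click and report rates with employee identifiers dropped, a retraining flag for the latest campaign, and checks that difficulty rises across campaigns and that leadership is tested every time. The rows, tier names, team names and the 50% threshold are constructed assumptions.

```python
"""Aggregate constructed phishing-simulation results into a team-level report."""
from collections import defaultdict

TIERS = {"easy": 0, "subtle": 1, "spear": 2}   # assumed difficulty ladder

# Constructed rows: (campaign, tier, team, employee id, clicked, reported)
RESULTS = [
    (1, "easy", "finance", "u1", True, False),
    (1, "easy", "finance", "u2", False, True),
    (1, "easy", "exec", "u3", False, True),
    (2, "subtle", "finance", "u1", True, False),
    (2, "subtle", "finance", "u2", True, False),
    (2, "subtle", "exec", "u3", False, True),
    (3, "spear", "finance", "u1", False, True),
    (3, "spear", "finance", "u2", True, False),
    (3, "spear", "exec", "u3", True, False),
]

def team_report(results):
    """Per (campaign, team) rates; employee ids are dropped on purpose so
    the report can be shared organization-wide without naming individuals."""
    agg = defaultdict(lambda: [0, 0, 0])          # sent, clicked, reported
    for campaign, _tier, team, _uid, clicked, reported in results:
        a = agg[(campaign, team)]
        a[0] += 1
        a[1] += clicked      # bool counts as 1/0
        a[2] += reported
    return {k: {"sent": s, "click_rate": c / s, "report_rate": r / s}
            for k, (s, c, r) in agg.items()}

def needs_retraining(report, max_click_rate=0.5):
    """Teams whose click rate exceeded the threshold in the latest campaign."""
    latest = max(c for c, _ in report)
    return sorted(t for (c, t), r in report.items()
                  if c == latest and r["click_rate"] > max_click_rate)

def difficulty_progressive(results):
    """True if each campaign is at least as hard as the one before it."""
    tier_by_campaign = {c: TIERS[t] for c, t, *_ in results}
    levels = [tier_by_campaign[c] for c in sorted(tier_by_campaign)]
    return all(a <= b for a, b in zip(levels, levels[1:]))

def leadership_tested(results, team="exec"):
    """True if the leadership team received a test email in every campaign."""
    campaigns = {c for c, *_ in results}
    return campaigns == {c for c, _t, tm, *_ in results if tm == team}
```

Feed the report to whatever the organization uses to publish results; the per-team keys are the only identifiers it contains.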