8 phishing simulation mistakes and how to avoid them

While phishing attacks seem like a product of the 21st century, the first reported phishing attack actually occurred in the mid-1990s. Pretending to be AOL employees, a group of hackers used instant messaging and email to steal passwords and hijack the accounts of those foolish enough to take the bait.

Almost three decades later, phishers are still at it, using increasingly devious means of tempting unsuspecting users — your employees — to open emails and click on links that immediately put accounts, systems and data at risk.

To counter these threats and minimize potential risks, many companies have implemented phishing simulations. These simulations involve conducting regular exercises to assess employee skills in recognizing and reporting phishing attacks without falling for them or compromising personal information and system access.

But not all phishing simulations are equally effective. We see common errors made by some organizations which can dilute the success of their mitigation efforts. Here are some typical missteps and how to steer clear of them.

1. Making simulations too difficult
Ensure that your phishing simulations are instructive and have the intended effect of educating and raising awareness. If simulations are deemed too difficult, employees can quickly become frustrated and disenchanted, with a sense of helplessness that may cause them to lose interest in the security messaging you’re trying to enforce. Try to strike the right balance between piquing employee interest and setting the bar too high.

2. Making simulations one-size-fits-all
Employees in different roles, or working in different types of jobs, will have different vulnerabilities. A one-size-fits-all approach won’t be precise enough to ensure that your simulations are relevant and have the desired impact. Customize the training content to adapt to the audience. Make it relevant and make it address the specific vulnerabilities you’re most concerned about.

3. Not requiring everyone — including senior leaders — to participate
Rank-and-file employees are not the only members of the organization prone to falling prey to phishing attempts. So is senior management, including the C-suite and the board. Excluding them can send the wrong message: that the company is not fully committed to establishing a strong security culture. Phishing simulation exercises should be required of everyone, and leaders can set a good example by openly sharing instances where they failed a phishing simulation test.

4. Using the same methods with every simulation
If every simulation is identical, then employees will quickly become complacent. Hacker techniques used to foil security efforts are varied and evolving, never remaining the same; neither should your simulations. Mix it up. Keep participants engaged and alert by varying the types of social engineering ploys and phishing scams.

5. Not providing adequate communication and follow-up
Just as organizations that run surveys but never report the results back to employees undermine those surveys, conducting phishing simulations without a follow-up stymies the effectiveness of your training exercises. After each simulation, circle back to employees as soon as possible, share the results and best practices, and debrief on what didn’t work well.

6. Taking a one-and-done approach
Employees come and go or move into different job roles. Hackers re-engineer their tactics in their quest to manipulate users, infiltrate systems and exfiltrate proprietary data. A single phishing simulation run annually will most likely meet neither cybersecurity expectations nor compliance standards. Ongoing training run monthly or quarterly, informed by lessons learned from past exercises and by input from employees, is far more likely to give these simulations lasting, positive effects.

7. Being punitive
Phishing simulations are designed to educate and inform. You and your employees will learn from what goes well — and what doesn’t. Some individuals will fail these simulations, presenting an opportunity to gain experience and provide a teachable moment. Taking an approach that is too punitive will result in employees being hesitant to participate or not willing to debrief and share experiences. Create an environment where users feel motivated and empowered, not admonished.

8. Lack of measurement
Understanding security awareness requires ongoing measurement to track successes and trends. Track and trend metrics like phishing email click rates, phish-prone percentage, reporting rates, and the frequency of security threats to drive ongoing improvement.
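As an added illustration that is not part of the article, the Python below computes the metrics this section names from constructed simulation results: per-department click and reporting rates, an organization-wide phish-prone percentage with its trend across campaigns, and the departments whose click rate warrants targeted follow-up (tying back to mistake 2). The data, the 30% threshold and the simplified phish-prone definition are all assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from the article): one tuple per recipient per
# simulation campaign: (campaign, department, clicked_link, reported_email).
SAMPLE_RESULTS = [
    ("2024-Q1", "finance", True, False), ("2024-Q1", "finance", False, True),
    ("2024-Q1", "finance", False, False), ("2024-Q1", "finance", True, True),
    ("2024-Q1", "engineering", False, True), ("2024-Q1", "engineering", False, True),
    ("2024-Q1", "engineering", True, False), ("2024-Q1", "engineering", False, False),
    ("2024-Q2", "finance", False, True), ("2024-Q2", "finance", False, True),
    ("2024-Q2", "finance", True, False), ("2024-Q2", "finance", False, False),
    ("2024-Q2", "engineering", False, True), ("2024-Q2", "engineering", False, True),
    ("2024-Q2", "engineering", False, True), ("2024-Q2", "engineering", False, False),
]

def aggregate(rows):
    """Count sent, clicked and reported per (campaign, department)."""
    agg = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for campaign, dept, clicked, reported in rows:
        m = agg[(campaign, dept)]
        m["sent"] += 1
        m["clicked"] += int(clicked)
        m["reported"] += int(reported)
    return dict(agg)

def rates(m):
    """Click rate and reporting rate as fractions of emails sent."""
    return m["clicked"] / m["sent"], m["reported"] / m["sent"]

def phish_prone_percentage(rows, campaign):
    """Share of recipients who clicked in one campaign. Assumed definition: the
    vendor term usually also counts other failing actions (e.g. entering
    credentials), which this sample data does not record."""
    sent = sum(1 for c, *_ in rows if c == campaign)
    clicked = sum(1 for c, _, clk, _ in rows if c == campaign and clk)
    return 100.0 * clicked / sent

def trend(rows):
    """Phish-prone percentage per campaign (sorted by campaign id) and the change
    between the two most recent campaigns, in percentage points."""
    series = [(c, phish_prone_percentage(rows, c)) for c in sorted({r[0] for r in rows})]
    delta = series[-1][1] - series[-2][1] if len(series) > 1 else 0.0
    return series, delta

def needs_targeted_training(agg, campaign, max_click_rate=0.3):
    """Departments whose click rate exceeded the threshold in a campaign: the
    candidates for role-specific follow-up rather than one-size-fits-all content."""
    return sorted(dept for (c, dept), m in agg.items()
                  if c == campaign and rates(m)[0] > max_click_rate)
```

Feeding each quarter's export into these functions and keeping the series over time is what turns a single click-rate number into the trend this section asks for.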

Done well, phishing simulations can both raise awareness and minimize risk. Done poorly, they can erode trust in your education and cybersecurity efforts and create stress and frustration. Make sure your phishing simulation efforts are designed to engage rather than enrage.
