Step 1: Acknowledge you need it and why.
With security awareness training, the first step is usually someone saying, “We need to do phishing training.” Why? Phishing is the most common type of security awareness training, and people just know it has to be done.
Creating a culture of security has endless benefits, including letting employees work from where they want, when they want, while protecting and securing your company’s data. Security affects everyone—not just the IT and InfoSec teams. It’s important to get everyone on board and make sure employees from the bottom up know how to react to security threats like phishing.
Step 2: Don’t spend too much time on vendor selection.
Companies that are just starting to create a security program or that are reviewing their security awareness training program usually start with a deep dive into vendor selection. But you’re smarter than the average security pro!
Phishing simulation platforms and vendors are a commodity. There are plenty of open-source, free, and paid tools out there—and every vendor is doing the same thing, so don’t spend a ton of time running proofs of concept with different vendors. The vendor’s platform won’t make or break your phishing program. Success is determined by how you strategize, plan, and manage your program—all of which happen outside the platform.
What about smishing? Smishing, or SMS phishing, requires a specialized vendor and more processes, so it’s important to really consider the goal and impact of running a smishing campaign. If you do pursue a smishing simulation program, consider high-target roles (e.g., the C-suite) or specific individuals who might be at higher risk for responding to a smishing campaign (e.g., the sales team).
Step 3: Set up a “report phishing” button.
If employees have no way—or don’t know how—to report phishing in the first place, you’re starting at a negative. Most vendors offer a “report phishing” button as part of the platform, or you can implement the Microsoft Office 365 button.
A “report phishing” button lets employees notify IT or security teams of suspicious emails with one quick click, and its very existence as an available action reinforces your company's security culture. Once reported, the email is removed immediately from the inbox so the employee isn’t tempted into clicking just to see what happens.
Step 4: Create a strategy and identify repeat responders.
Before you even start playing around with the phishing platform, create a strategy and internal policy. The strategy and policy should include timelines and all steps that follow this one (technical setup, communications, and the actual launch) and should be decided upon with an advisory board or steering committee comprising key stakeholders, including:
- Corporate communications manager(s)
- HR manager(s)
- InfoSec manager(s)
- GRC (governance, risk, and compliance)
Why? As you introduce the concept of the program, it’s crucial for people to understand the “why” and “how” of what you’re doing and to not make assumptions. This will also allow managers to keep their teams updated on the program. Remember, the goal of the phishing program is not to “test” people—it’s about security awareness reinforcement and education.
Next up—and this step is non-negotiable—identify what repeat responders look like and how you’ll coach them toward the right habits. Repeat responders are typically identified as people who respond to four or more phishing simulations within a six- to 12-month rolling window, which allows the natural learning component to take effect.
By setting the requirement of four campaigns, you can often reduce the actual number of repeat responders to less than 2 percent of your population. In comparison, identifying repeat responders after only two campaigns could result in 50 percent of your population being labeled as repeat responders, which is neither manageable nor effective. Phishing training takes time—give it time, and give your coworkers time to adapt and learn. Then, work with that smaller number of employees directly to effect change.
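As an added example (not code from the original article), here is the repeat-responder rule above applied mechanically: count each employee's simulation responses inside a rolling window and flag anyone at or above the threshold, so the four-campaign and two-campaign thresholds can be compared on the same data. The response records, employee ids, and population size are constructed placeholders.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data: one record per (employee id, date of a simulation response).
# emp-004 has four responses in total, but never four inside a single 12-month window.
SAMPLE_RESPONSES = [
    ("emp-001", date(2023, 1, 10)), ("emp-001", date(2023, 3, 14)),
    ("emp-001", date(2023, 6, 20)), ("emp-001", date(2023, 9, 5)),
    ("emp-002", date(2023, 1, 10)), ("emp-002", date(2023, 2, 8)),
    ("emp-003", date(2023, 1, 10)),
    ("emp-004", date(2022, 1, 5)), ("emp-004", date(2022, 3, 1)),
    ("emp-004", date(2023, 6, 20)), ("emp-004", date(2023, 9, 5)),
]
POPULATION = 200  # constructed headcount, used only for the percentage


def repeat_responders(responses, threshold=4, window_days=365):
    """Return the employees who responded to `threshold` or more simulations
    within any rolling window of `window_days` days (6-12 months per the article)."""
    by_employee = defaultdict(list)
    for emp, day in responses:
        by_employee[emp].append(day)

    window = timedelta(days=window_days)
    flagged = set()
    for emp, days in by_employee.items():
        days.sort()
        start = 0
        for end in range(len(days)):
            # Advance the window start until every date in [start, end] fits the window.
            while days[end] - days[start] >= window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(emp)
                break
    return flagged


def flagged_fraction(responses, population, threshold=4, window_days=365):
    """Share of the population labelled repeat responders under the given rule."""
    return len(repeat_responders(responses, threshold, window_days)) / population


if __name__ == "__main__":
    for threshold in (2, 4):
        flagged = repeat_responders(SAMPLE_RESPONSES, threshold)
        print(f"threshold={threshold}: {sorted(flagged)} "
              f"({flagged_fraction(SAMPLE_RESPONSES, POPULATION, threshold):.1%} of population)")
```

Lowering the threshold to two flags three of the four sample employees, including one whose responses were spread over two separate windows; the four-campaign rule flags only the one who responded four times within a year.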
Resist the urge to think of repeat responders as repeat “offenders”—they’re just responding to training, which is a good thing. It’s the whole point of the training program, right?
Also, the great thing about these employees is that you don’t need to do anything with them. Just accept that there’s a learning curve, embrace the fact that the average employee engages with at least four campaigns, and label these individuals as repeat responders.
While strategizing how to coach these responders toward ideal habits, we recommend waiting for the magic moment between the third and fourth campaign where the response percentage drops into the single digits. Once you’ve got a crop of repeat responders in the single digits, create an outreach program to deliver the tools and support they need to adopt the right habits.