As part of our Behave Series last week, we talked about multi-factor authentication (MFA), and how to encourage your people to adopt it.
This week, we’re diving into phishing simulations. They’re particularly useful for finding and filling the security cracks in your organization. So, needless to say, we’re big fans.
But running a phishing campaign isn’t something you should take lightly. Case in point, the following cautionary tale:
It was April 2021…
And the staff at West Midlands Trains (WMT) were exhausted. For the past year, they’d kept the regional railway service going through the COVID-19 pandemic—dealing with a slew of new rules and restrictions, and, of course, sick coworkers.
So, when they received an email announcing a one-off bonus in recognition of their hard work, they were touched by their employer’s appreciation for their sacrifices. But when they clicked through, the truth was revealed: it was a phishing simulation. Psych!
The effects were explosive. Employees were, understandably, hurt that their bosses exploited the situation, all in the name of a cybersecurity ‘learning moment’. The result? Anger, disillusionment, and lingering mistrust.
The incident hit the headlines, WMT’s reputation, and its bottom line.
The moral of the story
In all fairness, WMT got something right: security awareness isn’t enough. People learn better by doing, which means phishing simulations can turn gray 2D theory into 3D technicolor behavior change. That’s because when we encounter a problem in the real world, we get to practice and consolidate our knowledge.
Furthermore, data from simulations helps organizations understand their risk. With the right metrics, you’ll find out what the most vulnerable departments are, who’s most likely to perform high-risk actions, and what’s driving their behavior.
All WMT’s simulation proved was that the email was effective, and it proved it to the detriment of its people: the impact the simulation could have on them was either overlooked or disregarded.
When it’s all said and done, anything that negatively impacts your people’s well-being is detrimental to your organization. WMT learnt that lesson the hard way. And it’s the same reason punishment is NOT helpful.
Take this 2020 study for example. It examined outcomes when staff were punished for ‘failing’ phishing simulations. Penalties included losing a bonus or being forced to complete extra training.
Admittedly, the punishments worked … in a way. Security behaviors improved. But this came at a cost: anxiety and a sense of injustice festered among staff. Just like WMT staff, their mental well-being and trust in their employer decreased.
Alright, so what’s the right way to run a phishing simulation?
It’s well worth having phishing simulations as part of your cybersecurity toolkit. However, like any tool, it can cause more damage when used incorrectly. When done right, phishing simulations should help you understand people’s behavior, and, ultimately, reduce your human risk.
Here are some things to remember when planning a phishing campaign:
Benefits, not blame. Don’t blame or penalize people. Instead, highlight the training benefits and offer support when it’s needed.
Transparency = trust. Be open about your phishing campaigns. This will avoid making people feel like they’re under surveillance.
Fast feedback. Contextualized, timely feedback helps people make better security decisions.
Walk away from the stick. Punishment doesn’t pay—the research tells us so.
What’s the motivation? Stop focusing on click rates and report rates. Start focusing on why people do what they do, then base follow-up training on that.
Reward positive behavior. If someone does something right, recognize their efforts, show some gratitude, and build on the good culture.
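To make the earlier point about metrics concrete (understanding which departments are most exposed and where follow-up support belongs, rather than reading click rate alone), here is an added example that is not from the original post or any vendor's product. It assumes one result record per simulation recipient with the fields department, clicked, reported and seconds_to_report; the records below are constructed sample data. Beyond the raw click and report rates the post mentions, it derives a "silent click" rate (clicked and never reported) and the median time-to-report, which together say more about real exposure and about how quickly your people give you a chance to respond.

```python
"""Aggregate phishing-simulation results into per-department metrics.

Added example, not code from the original post. Record schema is an
assumption: {"department": str, "clicked": bool, "reported": bool,
"seconds_to_report": int | None}. All sample records are constructed.
"""
from collections import defaultdict
from statistics import median

# Constructed sample data: one record per recipient of one simulation.
SAMPLE_RESULTS = [
    {"department": "finance", "clicked": True,  "reported": False, "seconds_to_report": None},
    {"department": "finance", "clicked": True,  "reported": True,  "seconds_to_report": 900},
    {"department": "finance", "clicked": False, "reported": True,  "seconds_to_report": 120},
    {"department": "finance", "clicked": False, "reported": False, "seconds_to_report": None},
    {"department": "ops",     "clicked": False, "reported": True,  "seconds_to_report": 60},
    {"department": "ops",     "clicked": False, "reported": True,  "seconds_to_report": 300},
    {"department": "ops",     "clicked": True,  "reported": True,  "seconds_to_report": 45},
    {"department": "ops",     "clicked": False, "reported": False, "seconds_to_report": None},
]


def department_metrics(results):
    """Return a dict of per-department metrics from recipient-level records."""
    groups = defaultdict(list)
    for r in results:
        groups[r["department"]].append(r)

    metrics = {}
    for dept, rows in groups.items():
        n = len(rows)
        clicks = sum(1 for r in rows if r["clicked"])
        reports = sum(1 for r in rows if r["reported"])
        # Clicked and never reported: the cases nobody told you about,
        # which is the closest thing to real exposure a simulation measures.
        silent_clicks = sum(1 for r in rows if r["clicked"] and not r["reported"])
        times = [r["seconds_to_report"] for r in rows
                 if r["reported"] and r["seconds_to_report"] is not None]
        metrics[dept] = {
            "recipients": n,
            "click_rate": clicks / n,
            "report_rate": reports / n,
            "silent_click_rate": silent_clicks / n,
            "median_seconds_to_report": median(times) if times else None,
        }
    return metrics


def time_to_first_report(results):
    """Seconds until the first recipient reported the email, or None.

    This is the window the responder had before anyone raised the alarm;
    a short value is the behaviour worth recognising and rewarding.
    """
    times = [r["seconds_to_report"] for r in results
             if r["reported"] and r["seconds_to_report"] is not None]
    return min(times) if times else None


def prioritize_followup(metrics):
    """Departments ordered by silent click rate, highest first.

    The ordering is for targeting support and contextual training,
    not for naming or penalising anyone.
    """
    return sorted(metrics, key=lambda d: metrics[d]["silent_click_rate"], reverse=True)


if __name__ == "__main__":
    m = department_metrics(SAMPLE_RESULTS)
    for dept in prioritize_followup(m):
        print(dept, m[dept])
    print("time to first report (s):", time_to_first_report(SAMPLE_RESULTS))
```

In the constructed data, finance and ops have the same number of recipients, but finance has the higher silent click rate and the slower median report time, so it is where supportive follow-up training goes first; ops, whose first report arrived within 45 seconds, is where the positive behaviour to recognise lives.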
Phishing simulations should help you figure out what drives behaviors, and reduce your human risk. And not at the cost of your relationship with your people—or their well-being.
Want a step-by-step guide on effective phishing campaigns? Download our free phishing eBook.