As part of our Behave Series last week, we talked about multi-factor authentication (MFA), and how to encourage your people to adopt it.
This week, we’re diving into phishing simulations. They’re particularly useful for finding and filling the security cracks in your organization. So, needless to say, we’re big fans.
But you might want to sit down for this one.
If you haven’t been phished, then you probably think your phishing simulations are working. If you have been phished, then you probably think your new simulations are working and that it won’t happen again.
And those are pretty reasonable assumptions.
Or are they?
How can you be sure that you haven’t been phished? Or that you won’t be phished again?
Well, you can’t. People don’t always report phishing emails. People don’t always know that they’ve been phished. People slip up.
What you can do is lower the chances of those slip ups. Lower your risk. That starts with doing phishing simulations the right way.
For now, let’s look at the main reason your phishing simulations aren’t reducing your human risk.
Ya Basic
Yup, you’re basic. That’s it. We said what we said!
You use click rates and report rates as a measure of success. You think tick-box awareness training is an appropriate intervention. You call it quits after a couple of weeks.
Ya basic.
If your phishing campaigns aren’t designed to influence security behavior—and if you’re not consistently measuring those behaviors—what are you even doing?
You’re not lowering your human cyber risk, that’s for sure.
Yeah, yeah, your click rates are going down. But so what? They’re just going to shoot back up again when you send a convincing phishing email. If it looks legit, they’re gonna click.
Yeah, your people are attending awareness training. But how many people drink two liters of water and floss everyday? Awareness doesn’t mean sh*t. It doesn’t translate to behavior change.
And don’t even get us started about your quarterly one-and-done simulations.
“But that’s how everyone does it!”
Yeah, because they’re basic too.
The industry’s been stuck on the old way of running phishing campaigns for far too long. There’s a better way. An effective way. A way that can actually help you reduce your human cyber risk.
And we’re going to tell you all about it as running a phishing campaign isn’t something you should take lightly. Case in point, the following cautionary tale:
It was April 2021…
And the staff at West Midlands Trains (WMT) were exhausted. For the past year, they’d kept the regional railway service going through the COVID-19 pandemic—dealing with a slew of new rules and restrictions, and, of course, sick coworkers.
So, when they received an email announcing a one-off bonus in recognition of their hard work, they were touched by their employer’s appreciation for their sacrifices. But when they clicked through, the truth was revealed: it was a phishing simulation. Psych!
The effects were explosive. Employees were, understandably, hurt that their bosses exploited the situation, all in the name of a cybersecurity ‘learning moment’. The result? Anger, disillusionment, and lingering mistrust.
The incident hit the headlines, WMT’s reputation, and its bottom line.
The moral of the story
In all fairness, WMT got something right: security awareness isn’t enough. People learn better by doing, which means phishing simulations can turn gray 2D theory into 3D technicolor behavior change. That’s because when we encounter a problem in the real world, we get to practice and consolidate our knowledge.
Furthermore, data from simulations helps organizations understand their risk. With the right metrics, you’ll find out what the most vulnerable departments are, who’s most likely to perform high-risk actions, and what’s driving their behavior.
All WMT’s simulation did was prove that the email was effective, to the detriment of its people. And the impact the simulation could have on its people was either overlooked or disregarded.
When it’s all said and done, anything that negatively impacts your people’s well-being is detrimental to your organization. WMT learnt that lesson the hard way. And it’s the same reason punishment is NOT helpful.
Take this 2020 study for example. It examined outcomes when staff were punished for ‘failing’ phishing simulations. Penalties included losing a bonus or being forced to complete extra training.
Admittedly, the punishments worked … in a way. Security behaviors improved. But this came at a cost: anxiety and a sense of injustice festered among staff. Just like WMT staff, their mental well-being and trust in their employer decreased.
Alright, so what’s the right way to run a phishing simulation?
It’s well worth having phishing simulations as part of your cybersecurity toolkit. However, like any tool, it can cause more damage when used incorrectly. When done right, phishing simulations should help you understand people’s behavior, and, ultimately, reduce your human risk.
Here are some things to remember when planning a phishing campaign:
Benefits, not blame. Don’t blame or penalize people. Instead, highlight the training benefits and offer support when it’s needed.
Transparency = trust. Be open about your phishing campaigns. This will avoid making people feel like they’re under surveillance.
Fast feedback. Contextualized, timely feedback helps people make better security decisions.
Walk away from the stick. Punishment doesn’t pay—the research tells us so.
What’s the motivation? Stop focusing on click rates and report rates. Start focusing on why people do what they do, then base follow-up training on that.
Reward positive behavior. If someone does something right, recognize their efforts, show some gratitude, and build on the good culture.
Phishing simulations should help you figure out what drives behaviors, and reduce your human risk. And not at the cost of your relationship with your people—or their well-being.
Want a step-by-step guide on effective phishing campaigns? Download our free phishing eBook.
