Phishing attacks are a problem. Over the past year, 88% of professionals reported an increase in phishing attacks. It can happen to anyone, at any time.
For many, the go-to solution to this problem is a simulated phishing attack. But for this to be a success, it has to be implemented with care. A once-a-year campaign won’t cut it.
There’s no denying something needs to be done to protect people from phishing attacks. The question is, how do we tackle this problem in a way that actually works?
A continuous and intelligent approach is a must. Work with, not against, people. A non-confrontational approach over an extended period will result in real behavioural change.
With that in mind, here are four key factors to improve the effectiveness of simulated phishing campaigns.
1. Transparency
Phishing attacks are sneaky and shifty. When dealing with them, we need to be the opposite.
The key is transparency. We need to make it clear to people that we are running a simulated phishing attack. An out-of-the-blue simulation can create resentment that hampers future initiatives. A simulation is not designed to trick people. It is an educational tool designed to help everyone.
Being transparent throughout the process avoids an us-versus-them mentality. We’re all on the same side here.
2. Empathy
Empathy has never been more important. To help people protect themselves and others against phishing attacks, we need to put ourselves in their shoes.
Playing the blame game makes things worse. Acknowledge how an employee might react to a phishing simulation. It helps make the experience a lot less stressful for them, and a lot more informative for you.
A simulated phishing campaign needs to be communicated clearly. Avoid creating a culture of fear. Be positive with those who manage the simulation well, and supportive and helpful when behaviour can be better.
3. Context and beyond
One of the main reasons simulated phishing attacks fail is a lack of context. Too often the campaigns occur in isolation and with little follow-up. There is no lasting impact on behaviour, apart from disgruntled employees.
A continuous strategy goes beyond a single campaign to help bring about real behavioural change.
Putting simulated phishing campaigns into context requires good planning and communication. We need to move away from ‘who’ and focus more on ‘why’ and ‘how’. Why was someone susceptible to a phishing attack, and how can we help them in the future?
The campaign also needs to be comprehensive. There might be an instance where someone doesn’t click on a phishing link but doesn’t report it either. We need to make sure such responses are not neglected either.
4. Awareness is key
A phishing simulation helps us identify areas for improvement. Work with people to bring about real behavioural change.
This can be done with personalised security awareness training. Everyone responds in their own way to phishing attacks. A personalised approach means a simulated campaign is not forgotten as soon as it is over.
With phishing attacks, one errant click is all it takes. It’s important that any simulated campaign is followed up thoroughly with everyone involved.
Cyber security shouldn’t be a blame game. We need to be supportive of each other in tackling cyber threats.
Simulated phishing campaigns are a great tool in our arsenal, but only if they’re done properly. Empathy, clear communication and having a long-term strategy are vital in making this approach a success.