Phishing testing is a core part of any solid security awareness training program. It's more important than ever that your employees know how to spot and avoid phishing, and sending them simulated phishing emails is a great way to identify risk and help your people see what they should look for.
But sometimes, there are a few employees that need some additional training. Maybe it hasn’t clicked with them, maybe they're just too trustworthy, but they seem to be clicking on all sorts of things both real and fake.
In this guide, we’re going to walk through how to provide additional phishing awareness training to the most vulnerable users in your company.
Who are my Most Vulnerable Users?
When looking to provide supplemental training, first you need to properly identify who your most at-risk employees are.
The most obvious places to look first are real-world situations. Have any users clicked on real phishing emails in the past? Do certain employees have trouble grasping security and technology? If you are already running phishing simulations, your reporting will easily show this to you.
If you don’t have large enough list yet, or you’d like to create this list automatically over time, you can create a threshold that will place users into the list, such as number of times clicked on a phishing test, or if they do something really detrimental, like entering company credentials.
There are two ways you can deliver additional security awareness training to your employees: Manually or automatically. We’ll go over both.
How to Manually Enroll Users in Additional Training
Using the testing center tool, you can easily enroll any number of users into all sorts of training courses. When enrolling users, you can either individually add users to the course, or all at once by creating a new group beforehand.
Before enrolling targets, make sure to add courses from the course library, or create your own.
From the Main Menu, go to Courses > Manage Enrollments and click the plus button.
Once on the Enroll Students page, you can choose to enroll by target or group. For enrolling by group select "group" out of the Enroll by drop-down menu. Then, select your group(s) to enroll under the "Group" drop-down.
For enrolling by targets, start typing the email address of the target in the Targets field.
Note: It will not search by name. Make sure to enter a valid email address. After clicking 'Add', verify that a valid email address is in the added targets field, e.g., firstname.lastname@example.org. Students can be enrolled only if they exist as a target within the system.
Once the email address starts generating, click on the email, then click Add to add it to the box of Targets below. If you do not click Add, the email will not be a choice for enrollment.
The next step is to choose which course(s) or program(s) you'd like to enroll your targets or group into.
Click “Enroll” to enroll the targets or group in the selected course. If done correctly, a green success bar will appear on the top of the window. If you would like to download the enrollment results, you can choose the "Download Results" button. This will download a CSV file containing the results of the enrollment (which targets were enrolled into what courses). Each student that you attempted to enroll into the course will have an entry in the CSV file. Each entry will have a "Status" column. If the status is "Enrolled", then the student was enrolled into the course. If the status is "Filtered", then the student was not enrolled into the course because of being previously enrolled.
Once you’ve enrolled your users you can track their completions by generating a new report in the Reports Generator.
How to Automatically Enroll Users in Additional Training
Sometimes you don’t know who needs additional training. Or, in some cases, you won’t know until they take an action or number of actions. With Auto-Enrollments, you can set certain settings that will automatically enroll users in a course if, say, they:
- Fail a phishing test
- Fail multiple phishing tests in a given period of time
- Take additional wrong action on a phishing test (like entering info or downloading a file)
Here’s how to set up Auto Enrollments:
When setting up a new phishing campaign, you’ll notice a tab that says “course auto-enroll”.
The course auto-enroll step allows you to auto-enroll targets into selected courses based on their failure type on a group-by-group basis. Each row represents a different group that is being tested. If you have selected courses on the Edit Group page, these will be prepopulated for you here.
Here are the different types of trigger options for auto-enrollments
Email Click Actions: Targets who click links in phishing emails will be enrolled in courses in this column.
Landing Page Actions: Targets who enter data or click links on landing pages will be enrolled in courses in this column.
Reply Action: Targets who reply to reply-to phishing templates will be enrolled in courses in this column.
Repeat Offender: You can specify a course that targets will get enrolled into if they fail x number of tests in the last y weeks/months/years.
Once you have selected the courses in which you want to auto-enroll targets, click "Save & Next" to move to the next step of the campaign wizard.
Now, as this phishing campaign goes out, these settings will apply, and automatically enroll users in courses should they take the specified actions.
Again, these enrollments and course completions can be tracked in the Reports Generator.
Additional training is the best way to help employees who are struggling to grasp cybersecurity topics or continue to put you at risk. Again, we don’t recommend heavy punishment or firing for clicking on phishing tests.
Hypothetically your most secure employees are the ones who have been through the ringer of phishing and understand it backwards and forwards. That doesn’t come without training and experience.