When you start implementing phishing awareness training programs in your organization, it can be tempting to trick your employees into making a mistake. After all, you want them to be wary of every single link that lands in their inbox and their phone messages, right?
Here’s the thing - no training program should be punitive, and your phishing awareness training program is no exception.
If you want to teach employees how to recognize phishing emails, you need to show them how, not shame them for their lack of knowledge. Here’s why.
Why Deceptive Security Awareness Training Always Fails
With security testing, there is a degree of wanting to see how your employees act in a real-world environment. Many organizations believe that, by deceiving their employees, they can take a base percentage of how many employees click on phishing emails, against which they can monitor the effectiveness of their phishing awareness training later on.
The biggest problem with this is that you’re assuming that employees won’t care that they’re being tricked. Furthermore, you’re assuming that having a negative experience with your phishing awareness training will inspire them, not make them anxious to take part.
Think of it this way - in high school, many of us had a bad time in gym class. How many of us were put off the idea of taking part in sports or going to the gym because of it?
The same concept applies to your phishing awareness training.
Your employees aren’t going to feel positive about making a mistake, particularly in a situation where they don’t know that they’re being tested in the first place. So, instead of creating a positive environment, you instill a ton of anxiety around further attempts at deception in the future.
Of course, this isn’t what you want - you need your employees to apply themselves to your security training. And, you need them to learn from their mistakes and be willing to apply what they’ve learned in the real world.
Phishing Awareness Training Gone Wrong
There is a fine line between testing your employees to help them learn how to spot phishing attacks and creating a high-tension, low morale workplace. In fact, some recent phishing test mistakes have made the news.
Tribune Publishing recently sent a phishing simulation email saying the company was giving bonuses of between $5,000 and $10,000 as a result of successful cost-cutting efforts. When employees clicked on the email they were surprised to see that this was merely a phishing awareness test and that the bonus was in fact not real.
This caused major backlash at the company, including some resignations.
An important thing to remember in any security awareness training program is that it must be built on respect between IT and the rest of the company. A common counterpoint for sending devious phishing simulations is that real cybercriminals don't care about your employees and their feelings. This may be true, but they also have zero obligation to treat the employees in your organization with respect and empathy - Your security program does.
Common Phishing Tests to Avoid
Phishing testing is a powerful way to identify risk, and coupled with good training materials, can dramatically reduce your cyber risk and raise security awareness.
But...these are also your coworkers (or customers). They have work to do and morale to maintain. Your phishing testing should be realistic and effective, but be careful not to toe the line too far into mass panic and angry, frustrated employees.
Here are some phishing tests to probably avoid:
- Teasing raises or bonuses
- Reporting medical data
- Anything that might do more harm than good
So, how do you put a positive phishing awareness training course into action?
Teach Employees First
Seriously - before you even send the first phishing email, you need to teach employees what to look out for.
Not everyone’s going to be working with the same level of knowledge. There’s a good chance that you’ll have employees who start looking at Lamborghinis when a Nigerian prince says they need to move money around working alongside people who won’t open a document unless their boss has told them to expect one in their inbox.
So, you need to show employees what to look out for with some real-world examples of phishing emails. And, more importantly, you need to make it engaging and personal. Encourage employees to point out suspicious things in your email examples.
Phish Your Employees
Of course, the main part of your training will be attempting to phish your employees. However, there are two main things you need to remember here:
- Employees need to be aware that these phishing attempts will be taking place
- You need to deliver positive instant phishing awareness training if your employees do click on a phishing link
We’re not saying you need to take the surprise out of your phishing attempts. At the end of the day, you still want your employees to be on the lookout, and emailing them to say they will be phished doesn’t result in the real-world behavior you want to see.
However, you should still tell your employees that as part of the phishing training, they will receive phishing emails at some point. You should also make it clear that, if they click on the link in that email, they won’t be punished or reprimanded, but they will be delivered additional training to help them learn from their mistakes.
That way, you can still gather real-world information about how your employees are applying your phishing awareness training without creating an aversion or anxiety to your training. \
Related: How to Send an Effective Phishing Test
Gamify the Process
Gamification is a hot topic in employee training, and for good reason - it makes your training interesting and encourages participation. As part of this, you should offer recognition for all employees who complete security awareness training courses and rewards for teams that perform well.
We recommend rewarding teams over individuals because this can create a degree of positive peer pressure that helps your phishing training stick. Incentivizing a team to maintain a low percentage of phishing email clicks can lead to your employees making positive changes, like telling their peers to expect a document from them or to be wary of an email they received.
On the flip side, low-performing teams shouldn’t be shamed or “outed” to their peers. Rather, they should be offered additional training that they can work on at their desk, which can encourage them to learn from their mistakes without worrying about judgment from their peers.
Again, because these phishing attempts are expected, encouraging teamwork in this way can turn your phishing training into a positive experience that brings employees closer together. It’s a powerful way to teach your employees practically while making the experience fun and engaging.
Don’t Trick Your Employees into Failing Phishing Tests
Even though teaching employees to recognize phishing attempts is vital for your business’s cybersecurity, even the most perceptive of employees will make mistakes. What’s important is that they’re encouraged to learn from their mistakes and rewarded for getting things right.
At the end of the day, no one likes failing a test they didn’t know they were taking. Even if you implement positive point-of-infraction training, your employees can be left feeling ashamed of failing and distrusting of your organization if they don’t know to expect a test.
Teaching your employees how to recognize a phishing attempt and telling them they will be tested sets them up for success. Your phishing awareness training will perform far better with positive reinforcement and a culture that celebrates learning than with deception and shame.
Launch Effective Phishing Awareness Training to your employees.
With Hook Security, you can easily launch, measure, and automate your phishing testing campaigns that help you create an effective training program.
Get a 7-day Free Trial today and see how easy it is to get started.
