As security professionals, we invest a lot of time and money in training our employees to recognize and avoid phishing emails. However, it's inevitable that at some point, someone will click on a simulated phishing test. It's important to know how to handle this situation when it arises. The worst thing you can do is to punish and fire employees who click. Instead, you should use it as an opportunity to teach and reinforce awareness measures. Today we will discuss the best ways to approach employees who accidentally click on simulated phishing tests and how to use this as an opportunity to improve overall security strategy.
Why do we do phishing tests in the first place?
Phishing is by far the largest threat when it comes to human vulnerability inside the workplace. Companies perform phishing simulations as a way of testing and assessing the vulnerability of their employees to cyber-attacks.
Through these simulations, companies can identify areas that need improvement in their staff's understanding of cyber security and develop training programs to help them better protect against malicious threats.
Phishing tests give you data about how your company is progressing through risk reduction, but it’s how you handle the testing that moves your company forward.
When someone clicks on a phishing simulation, this is when they most aware of what just happened, the feelings they had, why they clicked, and this makes them vulnerable yet open for information. This is the moment where you can make or break your security awareness efforts.
What to do when they click
Don't Punish Them
The first and most important thing to remember is that employees should never be punished or fired for clicking on phishing tests. Punishing them will not only harm the morale of the employee but may also dissuade others from reporting phish emails in the future.
Think of it this way. An employee who clicked on a phishing email, real or simulated, at least has the real-world experience and future knowledge of the threat. If you fire them, you’ll just replace them with someone with zero exposure to phishing at your company. Is this really better?
Use phishing tests as a vehicle for training, not a list of trouble employees. Be extra wary of this when providing reporting data to other areas of the company, including the executive team.
Engage in Positive Reinforcement
Instead of punishing, try to engage with positive reinforcement. Provide support and acknowledge them for taking the test and help educate them on these simulated phishing tests. Reinforce the idea that they did the right thing by following your procedures and report it. Positive support can stimulate desired behavior in employees which can create a culture of security.
Many companies we work with keep a Slack or Teams channel open where employees can provide and receive shoutouts for completed training and reported phishing tests.
You can also run incentives, games, etc. to turn the exercise into a fun positive endeavor for the company.
Provide Additional Training
After an employee clicks on a simulated phishing test, it's an excellent opportunity to provide additional training. The training should aim to explain and expand the possible phishing scenarios that the employee might encounter. The effects of these kinds of enhancements can save the company from many potential security breaches.
At Hook Security we provide what’s called an Instant Training Moment right at the point of failure. This training video is short and funny, but shows exactly what red flags they missed in the email, common things to look for,
Conduct Regular Testing
Conduct more regular simulated phishing tests to help employees recognize not just phishing emails but also think about how each email will bring the company's reputation down. Regular testing helps to reinforce the importance of vigilant behavior and ultimately protects the organization.
Provide a Way to Report Phishing Emails
While we want employees not to click on phishing tests, this doesn't give us the best data as to how resilient and proactive your company is when it comes to phishing. Provide a plug-in in your team’s email that allows employees to report suspicious emails to your IT team.
At Hook we call ours Hookmail and it allows users to scan, review, and report suspicious emails. It also gives them instant feedback if it was a phishing simulation from our platform.
Seek out feedback from employees
Give employees an opportunity to provide feedback on the simulation tests. By doing so, you show that the organization is committed to creating a safe culture, as well as it provides you with first-hand information on what might be causing the mistakes. From the feedback, you can measure how employees respond to the training, and you can enhance the training measures periodically.
In summary, clicking on a simulated phishing test doesn't mean an employee is careless or should be punished. Constructive measures should be encouraged; feedback and training should be provided regularly to improve security awareness.
An organization/ security leader should work towards providing a safe culture where employees are not only supported as they learn but feel comfortable reporting any email they received. By doing so, your organization can benefit from employees who are more equipped to detect phishing emails, notice irregular activity, and, ultimately, protect your organization from cyber-attacks.