Does Education Work?
Security departments face an interesting quandary: should they run mock spear phishing exercises to train the staff, or simply rely on the technical controls available to them and hope those controls block the attacks before they ever reach the inbox?
The concern most organizations have is whether or not running mock exercises will frustrate their user community and result in negative backlash against the security organization.
At PhishMe, we recognize that staff and employee acceptance of the process is critical in achieving success with a security education program. Irritating users is definitely not the best way to engage and help them learn.
Communication is Critical
PhishMe was designed to make the process of running mock spear phishing exercises open and transparent, as well as help educate the key internal decision makers about the process. This usually starts when a customer uses our free trial license as a pilot or proof of concept. Our team provides live customized demos with the security staff to present to representatives from legal, compliance, human resources and any other groups in the organization that have a vested interest in the program.
We also help our clients communicate directly with the entire staff prior to running a major set of phishing scenarios. A customizable email announcement template is provided that introduces the staff to the process and solicits their involvement. It is often helpful to point out that the primary purpose of the effort is education, making the staff better at identifying attacks that slip through the network perimeter. The announcements make employees aware that the techniques they learn will help to not only protect the enterprise, but can be transferred to their home environment, thereby making them less likely to fall for identity theft scams themselves.
Approached openly and directly, employees appreciate the training value of the PhishMe.com technique.
Making an Impact
With this open and direct approach, our customers receive virtually no negative feedback when implementing the mock spear phishing exercises and see increased employee acceptance of the process. After a year of multiple scenarios with varied training components, they report that the likelihood of an employee falling for a spear phishing scam drops on average from approximately 60% to the 3% - 7% range, a significant improvement to say the least.
Through this process, the keen-eyed employees also become trained to inform security staff and co-workers when they see such an attack, thus creating another effective mitigation control and an increased level of security.