First, we need to establish your reason for sending simulated phishing emails to your staff.
Are you looking to get an understanding of your current click rate? Do you have a plan in place to utilise the results? Has somebody informed you that you need to be doing it, but you don’t know why?
When done well, testing your employees’ awareness around the inbox provides critical data that can be used to improve your security posture. When done poorly, it can create animosity and distrust towards IT departments and upper management.
So where to begin?
Starting off with a light touch is always recommended. Sending a link in an email that doesn’t tell the user it’s a phishing test will let you know who the higher-risk clickers are without causing panic. Having the landing page either redirect to a legitimate link or display a “404 Page Not Found” image works great at this stage. Remember, this shouldn’t be a “beating with a stick” exercise for unaware users.
Once you have an idea of your workforce’s click rate, it’s essential to implement a structured training program to address any issues. Regular bite-size learning works really well at creating good habits.
Highlighting key areas of emails and showing how to spot phishing attempts should be a priority when starting out. This can then transition into more in-depth details that may be more relevant to your specific business.
Consistency is key!
Now that staff are aware that they will be receiving regular training alongside simulations through their inbox, you can get creative with how you want to keep people engaged. Having mini competitions between departments to see who is completing their training on time and clicking the least simulated phishing links can encourage improved security behaviour.
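To show what “utilising the results” of a light-touch campaign can look like in practice, here is a small added example (not code from the original post or any vendor tool). It assumes a simulation platform exports one record per recipient per campaign with a department and a clicked flag; the records below are constructed sample data. It computes the overall click rate, the per-department rates for the inter-department competition, and the repeat clickers who should be offered extra bite-size training, without ever producing a phishing email itself.

```python
"""Scoring simulated-phishing campaign results (added example, not from the post).

Assumption: your simulation platform exports one row per recipient per
campaign with the recipient's department and whether the link was clicked.
The records here are constructed sample data for two campaigns.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    campaign: str
    user: str
    department: str
    clicked: bool


# Constructed sample data: two quarterly campaigns, four staff members.
SAMPLE_RESULTS = [
    Result("2024-Q1", "alice", "finance", True),
    Result("2024-Q1", "bob", "finance", False),
    Result("2024-Q1", "carol", "engineering", False),
    Result("2024-Q1", "dave", "engineering", True),
    Result("2024-Q2", "alice", "finance", True),
    Result("2024-Q2", "bob", "finance", False),
    Result("2024-Q2", "carol", "engineering", False),
    Result("2024-Q2", "dave", "engineering", False),
]


def click_rate(results, campaign=None):
    """Fraction of recipients who clicked, for one campaign or across all."""
    rows = [r for r in results if campaign is None or r.campaign == campaign]
    if not rows:
        return 0.0
    return sum(r.clicked for r in rows) / len(rows)


def click_rate_by_department(results, campaign):
    """Per-department click rate for a campaign: {department: rate}."""
    totals = defaultdict(lambda: [0, 0])  # department -> [clicks, recipients]
    for r in results:
        if r.campaign != campaign:
            continue
        totals[r.department][1] += 1
        if r.clicked:
            totals[r.department][0] += 1
    return {dept: clicks / n for dept, (clicks, n) in totals.items()}


def department_leaderboard(results, campaign):
    """Departments ordered from fewest to most clicks, for the friendly competition."""
    rates = click_rate_by_department(results, campaign)
    return sorted(rates.items(), key=lambda kv: (kv[1], kv[0]))


def repeat_clickers(results, min_clicks=2):
    """Users who clicked in at least `min_clicks` campaigns: candidates for
    targeted, supportive follow-up training rather than public naming."""
    counts = Counter(r.user for r in results if r.clicked)
    return sorted(user for user, n in counts.items() if n >= min_clicks)


def campaign_trend(results):
    """Click rate per campaign in chronological (sorted) order, to show the
    programme's effect over time."""
    campaigns = sorted({r.campaign for r in results})
    return [(c, click_rate(results, c)) for c in campaigns]


if __name__ == "__main__":
    for campaign, rate in campaign_trend(SAMPLE_RESULTS):
        print(f"{campaign}: overall click rate {rate:.0%}")
    print("Q2 leaderboard:", department_leaderboard(SAMPLE_RESULTS, "2024-Q2"))
    print("Repeat clickers to offer extra training:", repeat_clickers(SAMPLE_RESULTS))
```

The design keeps individual results out of the department leaderboard (only aggregate rates are ranked) and reserves per-user detail for the repeat-clicker list that feeds follow-up training, which matches the “no beating with a stick” approach above.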
In short, no. It’s not wrong to phish your own staff when done correctly. It is a valuable tool that further protects your organisation and its assets.