Employee testing is a necessary part of a well-executed and flexible security awareness program. For testing to be effective, however, it needs to be well thought-out, making an impression on the employees and evoking a response that will help build your organizational security culture.
There is no single correct way of testing employees: Testing can be as varied as the social engineering approaches employees must be wary of. But some forms of testing can be safely ruled out from the start. Testing shouldn't, for example, include duping or tricking an employee into a response that would compromise the organization. And employees should be praised in public and corrected in private.
If employees click a questionable link or respond to the sender of a test email, penalizing them shouldn't be the default response. Nor is it a good idea to include their test results as part of their performance review. Instead, employees should immediately be directed to remedial training that teaches them the proper response going forward. Educating employees about the consequences of security breaches will increase their security awareness.
If the employee—or the department—handles the challenge correctly, they can be recognized or rewarded. This can be as simple as a mention in a company newsletter, or the award of a token of appreciation. The purpose of testing is to measure or uncover areas where training may be needed and to focus on preparing the employees for real-life social engineering attacks.
Consider a lesson from military reform. When the US Army established its combat training centers in the 1980s, one of the centers' first principles was that they weren't administering a test that a unit could fail (or, for that matter, excel at). Instead, units received feedback in after-action reviews. Their self-analysis in the post-mortem became the most important source of their learning.
Social engineering and cyber security testing and education should never be presented or viewed as "punishment", but as a way to stay safe online in the office and at home. New-school security awareness training is interactive and aims at helping an organization build its security culture. Infosecurity has the story: https://www.infosecurity-magazine.com/next-gen-infosec/reward-flag-phish-highlight-failed/
Free Phishing Security Test
Did you know that 91% of successful data breaches started with a spear-phishing attack?
Cyber-attacks are rapidly getting more sophisticated. We help you train your employees to better manage the urgent IT security problems of social engineering, spear-phishing and ransomware attacks. Take the first step now. Find out what percentage of your employees are Phish-prone™ with our free test. Did you know that KnowBe4 also supports "Vishing" where you can actually send your users simulated voice mail attacks?