Phishing Defense: Train Often to Avoid the Bait

Surveys, unfortunately, show that the vast majority of organizations do little to no security awareness training. The average organization, if it does security awareness training at all, does it once a year, likely as part of a compliance program.

It is not enough.
We know from customer data collected over 10 years, involving many tens of millions of records, that the more frequently an organization does training and simulated phishing, the better its staff is able to spot phishing attacks (an example table is shown below).

Since phishing is involved in 70% to 90% of successful data breaches, until a perfect technical defense is found, security awareness training is one of the best things you can do to reduce cybersecurity risk.

How Frequently Should You Train?
The data is fairly conclusive on that answer – as much as you can. We think the sweet spot for most organizations is training once a month with weekly simulated phishing campaigns. New employees should be given longer, general cybersecurity training along with specific training on phishing attacks. Anti-phishing training should include examples of popular phishing attacks and teach participants how to recognize, mitigate, and appropriately report all phishing attacks. The longer training should be repeated at least annually. Most companies require it of every employee in December or January, but really it can be done at any time.

You should run simulated phishing campaigns at least monthly, and once a week is what the organizations that reduce their risk fastest actually do. The simulated phishing campaigns should reflect the most common real-world attacks. The best-case scenario is to take a recent real-world phishing attack against the organization and send out a simulation that mimics it. You can easily do this with our PhishFlip™ technology. PhishFlip takes a real-world reported phish, replaces the malicious URL links with something safer, and then sends it out to your users. You can quickly quantify how many of your users would have been tricked by the real-world phish had it reached all of them.

If you are wondering, you should definitely conduct regular simulated phishing campaigns. Years ago, many companies wondered whether they needed to do simulated phishing, and some even worried about the legal consequences. As long as you let your users know that you do simulated phishing tests, the legal consequences should not be a problem (that, and use due care and get senior management approval when using controversial subjects).

But for sure, you should do simulated phishing campaigns. Almost every organization does them today, but there are still a few holdouts. Our data shows that the education provided by simulated phishing tests is likely to be more protective than general cybersecurity training by itself. This is especially true if your simulated phishing tests give users who fail them immediate feedback on what they missed (as exemplified below).

Nothing beats immediately seeing what you missed and should focus on next time.
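To make the cadence and feedback loop described above concrete, here is an added example (not KnowBe4's code or data) that tracks the results of a series of simulated phishing campaigns: it computes the Phish-prone percentage per campaign, the trend across campaigns, the list of users who should receive immediate feedback after each send, the repeat clickers who need extra training, and whether the campaign schedule is meeting an at-least-monthly cadence. The three weekly campaigns and ten users are constructed sample data, and the definition of Phish-prone percentage as clickers divided by recipients is an assumption of this example, not a definition from the article.

```python
"""Track simulated-phishing campaign results: Phish-prone %, reporting rate,
trend, users owed immediate feedback, repeat clickers and cadence.
Added example; all campaign data below is constructed, not real customer data."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CampaignResult:
    """Outcome of one simulated phishing send. The sets hold user identifiers."""
    campaign_id: str
    sent_on: date
    recipients: frozenset
    clicked: frozenset    # followed the (safe) link or submitted data: a failure
    reported: frozenset   # used the report button: the behaviour we want to see


def phish_prone_pct(result: CampaignResult) -> float:
    """Share of recipients who fell for the simulation, in percent (assumed
    definition: clickers / recipients), rounded to one decimal place."""
    if not result.recipients:
        return 0.0
    return round(100.0 * len(result.clicked) / len(result.recipients), 1)


def report_rate_pct(result: CampaignResult) -> float:
    """Share of recipients who reported the simulated phish, in percent."""
    if not result.recipients:
        return 0.0
    return round(100.0 * len(result.reported) / len(result.recipients), 1)


def users_needing_feedback(result: CampaignResult) -> list:
    """Everyone who clicked should get immediate feedback on the red flags
    they missed, even if they reported the message afterwards."""
    return sorted(result.clicked)


def trend(results) -> list:
    """(campaign_id, Phish-prone %) pairs in send order, to watch the decline."""
    ordered = sorted(results, key=lambda r: r.sent_on)
    return [(r.campaign_id, phish_prone_pct(r)) for r in ordered]


def repeat_clickers(results, min_failures: int = 2) -> dict:
    """Users who failed at least min_failures campaigns, with their fail counts;
    these are the candidates for additional targeted training."""
    counts = {}
    for r in results:
        for user in r.clicked:
            counts[user] = counts.get(user, 0) + 1
    return {u: n for u, n in sorted(counts.items()) if n >= min_failures}


def cadence_ok(results, max_gap_days: int = 31) -> bool:
    """True when no two consecutive campaigns are more than max_gap_days apart,
    i.e. the program is running at least monthly."""
    dates = sorted(r.sent_on for r in results)
    return all((b - a).days <= max_gap_days for a, b in zip(dates, dates[1:]))


# Constructed sample data: ten users, three weekly sends, failures falling
# week over week as users get feedback and start reporting instead.
USERS = frozenset(f"u{i:02d}" for i in range(1, 11))
WEEKLY = [
    CampaignResult("wk01", date(2024, 1, 8), USERS,
                   frozenset({"u02", "u05", "u07", "u09"}), frozenset({"u01", "u04"})),
    CampaignResult("wk02", date(2024, 1, 15), USERS,
                   frozenset({"u02", "u07"}), frozenset({"u01", "u04", "u05", "u09"})),
    CampaignResult("wk03", date(2024, 1, 22), USERS,
                   frozenset({"u07"}), frozenset({"u01", "u02", "u04", "u05"})),
]
# Constructed schedule that violates the at-least-monthly recommendation.
QUARTERLY = [
    CampaignResult("q1", date(2024, 1, 8), USERS, frozenset({"u02"}), frozenset()),
    CampaignResult("q2", date(2024, 4, 8), USERS, frozenset({"u02"}), frozenset()),
]

if __name__ == "__main__":
    for cid, pct in trend(WEEKLY):
        print(f"{cid}: Phish-prone {pct}%")
    print("repeat clickers:", repeat_clickers(WEEKLY))
    print("weekly cadence ok:", cadence_ok(WEEKLY))
    print("quarterly cadence ok:", cadence_ok(QUARTERLY))
```

Run as a script it prints the per-campaign Phish-prone percentage, the repeat clickers (users who failed more than one send) and whether each schedule satisfies the monthly cadence. In practice the `CampaignResult` records would be built from your phishing platform's export rather than constructed inline.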

Our core best practice recommendation is that longer training is done when an employee is hired, and annually thereafter. Shorter training and simulated phishing tests should be done at least monthly throughout the year. The best performing organizations do monthly training and weekly simulated phishing, and some do it even more frequently.

How Much Is Too Much?
Some organizations do weekly training and more-than-weekly simulated phishing tests. According to our data, their users are the best at spotting phishing messages. Still, this level of training and simulated phishing may be too much for most organizations. At some point, your users might push back and argue that their operational efficiency is suffering.

While we think every organization should be doing at least monthly training and simulated phishing tests, how much more you do beyond that best practice recommendation is up to you. Some organizations thrive with more frequent training and testing, and others with less. Each organization will need to find its best cyclical rhythm. What we can say unequivocally is that you should be doing training and testing at least once a month. Any less than that significantly undermines phishing message recognition. 

If your organization is only doing annual training (or no training) and simulated phishing campaigns less often than monthly, try to move your security awareness training program to an at-least-monthly cadence. Your risk managers will love you for it.

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry
