If you want to succeed with your organization's security awareness training program, here are some of the top faux pas we have seen over the years that you should be sure to avoid:
1) AVOID: Singling out employees who click on a phishing link and making a public example of them. Do not punish employees who make mistakes early on. This will only leave them with a bad taste in their mouth, and you can be sure any future training will not stick.
2) AVOID: Sending phishing campaigns only every 90 days. Quarterly phishing tests really just take a baseline, whereas phishing users at least once a month is an effective way to build the habit of making smart security decisions. Users need to be kept on their toes constantly in order to have a measurable effect on security behavior.
3) AVOID: Sending the same phishing template to everyone instead of randomizing templates per employee, and running campaigns at predictable times like every Monday afternoon. Users talk to each other, so if they are all getting the same email at the same time, one gets it and warns the others. This method will NOT give you a true measure of clickers.
4) AVOID: After the baseline, starting out with 5-star templates that are too difficult to identify. It's much more effective to build up to the hardest tests gradually.
5) AVOID: Sending only simulated phishing attacks and skipping the on-demand, interactive security awareness training that should go with them. Users will never fully understand the problem and know what to avoid without the training.
6) AVOID: Forgetting to emphasize that this program will also help them to keep their family safe online.
7) AVOID: Forcing the program down your employees' throats, and neglecting to get C-level air cover for the program and as much buy-in from the get-go as possible. It's important for the whole organization to be on the same page to ensure program success.
8) AVOID: Neglecting to inform key stakeholders, department managers and tech support before you send the initial baseline test.
9) AVOID: Not reporting the positive results to the stakeholders with graphics and relevant industry benchmarking to show improvement. Some of our customers even give users with low click rates rewards to reinforce good security behavior across the organization.
10) AVOID: Not having a good procedure/process that lets employees report phishing emails they find in their inbox, and not having a Social Engineering Incident Response program to act on those reports.
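Item 3 above (randomize templates per employee and spread send times) is the one point a practitioner can check mechanically. The following is an added example written for this page, not KnowBe4's code or a feature of its console: a small scheduler that deals a pool of templates round-robin across a shuffled roster, picks a random weekday and a random minute inside working hours for each recipient, and reports the worst cluster of identical lures landing within the same hour. The roster, template names and campaign start date are constructed sample data.

```python
"""Randomized phishing-simulation scheduler (added example, not vendor code).

Spreads one campaign across several templates and many send times so that
two coworkers rarely receive the same lure at the same moment, which is what
lets one recipient warn the rest and skews the click rate.
"""
import random
from datetime import datetime, timedelta

# Constructed sample data: fictional roster, lure names and start date.
EMPLOYEES = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]
TEMPLATES = ["it-password-expiry", "hr-benefits-update",
             "shipping-notice", "ceo-urgent-request"]
CAMPAIGN_START = datetime(2024, 3, 4)  # a Monday, constructed


def schedule_campaign(employees, templates, first_day, days, seed=None,
                      work_hours=(9, 17)):
    """Assign each employee a template and a send time.

    Templates are dealt round-robin from a shuffled pool so every template is
    used equally often (a plain random choice could starve one). Send times are
    drawn from the weekdays in [first_day, first_day + days) and from minutes
    inside work_hours, so the campaign never lands in one predictable slot.
    """
    rng = random.Random(seed)
    pool = list(templates)
    rng.shuffle(pool)
    weekdays = [first_day + timedelta(days=d) for d in range(days)
                if (first_day + timedelta(days=d)).weekday() < 5]
    if not weekdays:
        raise ValueError("campaign window contains no weekdays")
    start_min, end_min = work_hours[0] * 60, work_hours[1] * 60
    plan = []
    for i, user in enumerate(rng.sample(employees, len(employees))):
        day = rng.choice(weekdays)
        minute = rng.randrange(start_min, end_min)
        send_at = day.replace(hour=minute // 60, minute=minute % 60)
        plan.append({"user": user, "template": pool[i % len(pool)],
                     "send_at": send_at})
    return sorted(plan, key=lambda p: p["send_at"])


def template_counts(plan):
    """How many recipients each template was assigned to."""
    counts = {}
    for p in plan:
        counts[p["template"]] = counts.get(p["template"], 0) + 1
    return counts


def max_same_template_within(plan, minutes):
    """Largest number of recipients of one template inside any window of `minutes`.

    A uniform campaign (one template, one send time) scores len(plan); a
    well-randomized one scores 1 or 2. Use it as a pre-send sanity check.
    """
    by_template = {}
    for p in plan:
        by_template.setdefault(p["template"], []).append(p["send_at"])
    worst = 0
    for times in by_template.values():
        times.sort()
        for i, t in enumerate(times):
            j = i
            while j < len(times) and times[j] - t <= timedelta(minutes=minutes):
                j += 1
            worst = max(worst, j - i)
    return worst


if __name__ == "__main__":
    plan = schedule_campaign(EMPLOYEES, TEMPLATES, CAMPAIGN_START, days=5, seed=7)
    for p in plan:
        print(p["send_at"].strftime("%a %H:%M"), p["user"], p["template"])
    print("per-template:", template_counts(plan))
    print("worst cluster, same lure within 60 min:",
          max_same_template_within(plan, 60))
```

Running it prints the send order for the week and a cluster score; rerun with a different seed per campaign so that last month's timing is not reused, and treat a cluster score approaching the roster size as the "everyone got the same email on Monday afternoon" mistake the list warns about.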
So, How To Do It Right The First Time?
IT pros often don't know exactly where to start when it comes to creating a security awareness program that will work for their organization. We've taken away all the guesswork with our new Automated Security Awareness Program (ASAP).
ASAP is a revolutionary new tool for IT professionals, which allows you to create a customized Security Awareness Training Program for your organization that will help you to implement all the steps needed to create a fully mature training program in just a few minutes!
If you have a current KnowBe4 account (free or paid) just login to your console, click on ASAP at the top right and get started!
The program is complete with actionable tasks, helpful tips, courseware suggestions and a management calendar. Your custom program can then be fully managed from within the KnowBe4 console. You also have the ability to export the full program as a detailed or executive summary version in PDF format, use it for compliance requirements, and reporting to management.
The process of creating the program is simple: answer between 15 and 25 questions about your goals and organization, and a program will be scheduled for you automatically. The program tasks are based on best practices for achieving your security awareness goals, and an easy calendar view lets you plan and deploy the program.
- 15-25 questions depending upon answers
- Suggested training materials based on answers
- Choose and change your program start date and tasks
- Calendar and list view of tasks
- Dashboard with program status, % complete, tasks overdue, etc.
- Detailed and summary exportable PDF versions of your program
- Fully mature awareness program ready in 10 minutes
If you do not have a KnowBe4 account yet (free or paid), find out what YOUR program will look like. There is no cost. Start ASAP!