We occasionally learn of articles and papers that claim that security awareness training and/or simulated phishing campaigns are not effective. We don’t want to disparage what these individuals have found in their own experience, and we encourage everyone to find out how various social engineering mitigations work for themselves and their environments.
Social engineering is the number one root cause for successful compromises, so finding out what works to prevent it is the most important thing organizations can do to fight criminal hackers and their exploits.
Simulated phishing is an extremely helpful tool for helping employees recognize potentially malicious phishing attacks. To be successful, the simulations, their timing and the policies surrounding them must be well managed, using established best practices.
KnowBe4 has more data on the real-world improvement of employee performance in identifying phishing emails, simulated or real, than any other organization.
We publish yearly phishing benchmark reports that show the significant improvements that can be achieved with new-school security awareness training programs like this, but again, this is only relevant if the simulations are being executed properly.
Some of these key elements of a properly managed simulated phishing program are:
- Frequency: Testing too infrequently is the biggest culprit. If you only go to the gym once a quarter, you're going to get all the pain and none of the gain. But if you go on a regular basis within reasonable intervals, you will see strong gains and the 'pain' will be minimized. Monthly phishing tests combined with short, varied training reinforcement are extremely effective.
- Difficulty and variety: Repeating the same basic phishing test over and over again will make users tune it out. Changing up the type of simulated attack, including the use of real-world phishing attacks that have been defanged, will develop a variety of skills among users. See our PhishFlip feature.
- Policy & Culture: Phishing failures do indeed create a teachable moment. And how employees react to phishing failures is driven by your company culture. Is it punitive, or is it positioned as a 'fun game' that doesn't have negative consequences? Many organizations have found that turning them into a positive and even rewarding experience accomplishes more as employees are eager to engage. Gamification has become a very popular trend that changes employee attitudes about phishing simulations.
- Communication: Do users understand why they are being sent simulations? Have C-level execs communicated to the employee base the importance of a strong security culture in protecting the organization and its customers? Do users know the risks to the company? Effective communication, whether by executives, HR, or the security awareness administrator, helps users understand that it's not intended to be a 'gotcha'. It helps them stay safe not only at the office but also at home.
Are simulated phishing programs the only way to properly educate users? There is no silver bullet. We have conclusive data that clearly shows that users who only receive training are substantially more likely to click on a phishing email. Likewise, only running phishing simulations without taking users through frequent training reinforcement will also fall short.
Every organization is different, each with unique strengths and weaknesses within its security culture. At KnowBe4 our recommendations are based on the world's largest dataset of user training / phishing behavior: 60,000+ customers and 50+ million end-users. So our recommendations are intended to be best practices across all organizations globally. Individual organizations can determine the appropriate steps needed based on their own unique situation in order to strengthen their security culture.
A funny unintended consequence...
It's been observed that on occasion users will intentionally click on a phishing simulation because they know they'll receive the next episode of the extremely popular live-action awareness training series The Inside Man. This is a clear sign that the phishing simulations (and the engaging training content) are working: users are identifying these phishing attacks successfully and are taking intentional action.
While not exactly the behavior you may be looking for, it shows that users are vigilant and displaying a positive security culture. To help organizations with that, KnowBe4 has an 'optional learning' feature you can offer to your users so they can voluntarily seek out interesting training content and earn their next badge.