Phishing is big business. Each year, businesses lose millions of dollars to phishing scams and other “social engineering” attacks. So naturally, sysadmins are interested in helping their users to identify and avoid these threats if and when they hit their inboxes.
So, more and more organizations are phishing their own users to train them to avoid real phishing attacks. Several companies offer services that send customized messages to your users mimicking real phishing attacks, and then report who ended up getting phished. This lets you give those users more training to avoid scams in the future.
But, before you blast your users’ inboxes with tricky messages, there are a few things that you'll need to keep in mind.
Have a Plan
Why do you want to give your users phishing training? Is your company or industry particularly at risk? Have any of your users been victims of phishing attacks recently? Answers to these questions will help guide how you develop your training plan.
For general awareness, many training courses are available that will help your users become familiar with scammers’ tactics. But if you have real-world examples that you can use to guide your curriculum, that is even better. And if you know that some employees are more exposed to certain scams, like those who handle payroll, you can make sure that they get additional training to recognize and stop those scams.
Get Management Buy-in
A big thing that can affect the success of your training program will be how seriously the employees take it. The surest way to get them to take it seriously is to get the bosses to take it seriously as well.
Management and even executives should be trained and tested just like regular employees. After all, they are just as likely to be phished, and the cost of a successful attempt against them is much higher.
Human Resources will also likely want to be involved, since they would be the ones to determine how the results of the testing are used. Will the employee need to repeat the training? Will it be brought up at a future performance review? All of these are HR decisions, rather than technical ones, so the appropriate management should be given a say.
Have a Goal and Be Realistic
Ask yourself and your team what you hope to accomplish with phishing training. What are the conditions that would make it a success in your eyes?
At this stage, it's good to be realistic about what you will accomplish, at least on the first try. Many users may still fall victim to your test phishing attempts, no matter how obvious the messages are or how good the training is. But some training is better than none, and it will help your company be more secure against these kinds of attacks.
E-N Computers is the leading provider of business-focused IT solutions in Virginia, Maryland, and Washington, D.C. Contact us today to discuss how we can help your company to stay secure against the latest cyber threats.