It seems like we all would’ve learned this lesson from our own experience with mediocre teachers, coaches and bosses. But let’s review: Which statement from a leader would motivate your end users to make some changes?
- “You’re the main reason we’re having this problem.”
- “Our team really needs your help. You’re the perfect person to solve this problem.”
Easy choice, right? Not so much in the IT world. Despite everything we know about human motivation, we still constantly hear IT and security leaders trying to coax end users into taking security more seriously. Everywhere you turn, someone is calling an organization’s end users “the weakest link” in the cybersecurity plan. It’s especially common in marketing materials and social media posts from security awareness and training providers.
We’re not saying it’s untrue that end users are involved in most attacks. But we are saying it’s counterproductive to approach them as a liability rather than an asset.
Research shows that about 80% of successful data breaches involve some form of social engineering. But how many of your employees will eagerly embrace a defense-in-depth security culture if you approach them as the problem instead of part of the solution?
Rather than viewing your end users as a weakness to offset, enlist them as frontline defenders. Call them an extension of the security team. Pump them up as a critical piece of the overall data protection effort. Show them that they can personally make your organization safer.
Changing your mindset—and building it into all your communication with end users—provides a solid cornerstone for building a successful awareness and training program that your user base will embrace.
Plan Effective User Training
Recently (though not for the first time) we saw a social media post stating, with passion, that training end users to spot phishing e-mails is a waste of time and resources. Wrong answer. Training and simulated phishing campaigns work, if they’re well-planned, well-executed and given time to work.
Here are a few ways to create training and testing programs that get buy-in from your team:
- Measure progress. Make a detailed plan for measuring your end users’ baseline knowledge and for measuring their progress after training. The baseline information will help you plan training with the proper relevance, timing, sophistication, etc. How can you deliver appropriate training and testing if you don’t know what most of your users already know? We’ve created sophisticated phishing tests with e-mail messages that fool all but the most attentive IT professionals. Anything less would’ve been too easy to truly test the targeted users. But such a difficult test would’ve completely missed the goal if it was aimed at workers who rarely use e-mail.
- Set realistic expectations. Aiming for a zero “click rate” on the simulated phishing messages is unrealistic. Phishing training aims to dramatically lower click rates, not achieve a perfect score. While you may get a zero click rate on an individual phishing campaign, it is highly unlikely over multiple campaigns. The takeaway: Publicly congratulate your users for improving their phishing awareness during your next campaign. Don’t chastise users for failing to get a perfect score.
- Include EVERY user. If you excuse senior leaders from a phishing training program, your end users will know it. And they’ll naturally think, “If the people at the top don’t care, why should I care?” Then the stats from your company’s phishing training and overall awareness/training program will show this attitude. You’ll see more people clicking on simulated phishing messages, and you’ll see people spending less time consuming awareness and training materials. Your security culture must start very publicly at the top.
- That means you need to include IT and security teams, too. Even highly trained security and IT professionals fall for phishing e-mails. Include those users in your tests, even if that means customizing the test messages to reflect each user group’s sophistication level. This case study shows how one Pratum customer tested its IT team with some of the most convincing simulated phishing e-mails we’ve created yet.
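The list above asks for three things a program owner has to be able to show with numbers: a baseline and follow-up measurement per user group, a click rate that is judged as a trend rather than a pass/fail score, and proof that every group (leadership and IT included) was actually in each campaign. The script below is an added example written for this article, not Pratum’s tooling or data; the campaign results, group names and user IDs are constructed, and the record layout is an assumption about what a simulated phishing platform would export.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    """One simulated phishing message delivered to one user (assumed export layout)."""
    campaign: str
    group: str
    user: str
    clicked: bool   # user followed the link in the simulated message
    reported: bool  # user reported the message to the security team


# Constructed sample data: a baseline campaign and a follow-up campaign ("q2")
# run after training. Note that the IT group is missing from "q2" on purpose.
RESULTS = [
    Result("baseline", "finance", "f1", True, False),
    Result("baseline", "finance", "f2", True, False),
    Result("baseline", "finance", "f3", True, False),
    Result("baseline", "finance", "f4", False, True),
    Result("baseline", "finance", "f5", False, False),
    Result("baseline", "leadership", "l1", True, False),
    Result("baseline", "leadership", "l2", False, False),
    Result("baseline", "it", "i1", True, False),
    Result("baseline", "it", "i2", False, True),
    Result("q2", "finance", "f1", True, False),
    Result("q2", "finance", "f2", False, True),
    Result("q2", "finance", "f3", False, True),
    Result("q2", "finance", "f4", False, True),
    Result("q2", "finance", "f5", False, False),
    Result("q2", "leadership", "l1", False, True),
    Result("q2", "leadership", "l2", False, False),
]


def campaign_metrics(results):
    """Click rate and report rate per (campaign, group).

    Report rate is tracked alongside click rate because users who report a
    suspicious message are acting as frontline defenders, which is the
    behaviour the program is trying to grow.
    """
    tally = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for r in results:
        t = tally[(r.campaign, r.group)]
        t["sent"] += 1
        t["clicked"] += int(r.clicked)
        t["reported"] += int(r.reported)
    for t in tally.values():
        # sent is always >= 1 here because each entry comes from a record
        t["click_rate"] = round(t["clicked"] / t["sent"], 3)
        t["report_rate"] = round(t["reported"] / t["sent"], 3)
    return dict(tally)


def coverage_gaps(results, required_groups):
    """Campaigns that excluded one of the groups that must always be tested."""
    seen = defaultdict(set)
    for r in results:
        seen[r.campaign].add(r.group)
    required = set(required_groups)
    return {camp: required - groups for camp, groups in seen.items()
            if required - groups}


def click_rate_change(metrics, baseline, followup):
    """Percentage-point change in click rate per group between two campaigns.

    Groups absent from either campaign are skipped rather than reported as a
    perfect score, so a coverage gap cannot masquerade as improvement.
    """
    changes = {}
    for (camp, group), base in metrics.items():
        if camp != baseline:
            continue
        later = metrics.get((followup, group))
        if later is None:
            continue
        changes[group] = round((later["click_rate"] - base["click_rate"]) * 100, 1)
    return changes


if __name__ == "__main__":
    metrics = campaign_metrics(RESULTS)
    for key, t in sorted(metrics.items()):
        print(key, t)
    print("coverage gaps:", coverage_gaps(RESULTS, ["finance", "leadership", "it"]))
    print("click-rate change (pp):", click_rate_change(metrics, "baseline", "q2"))
```

Run against the constructed data, the finance group’s click rate drops from 60% to 20% while its report rate rises from 20% to 60%, which is the kind of result worth congratulating users on publicly. The coverage check flags that IT was left out of the follow-up campaign, and the change report deliberately says nothing about IT rather than crediting it with a zero click rate it never earned.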
So, let’s treat end users as frontline defenders, provide testing in a way that engages them, and view phishing training as a control with some of the best ROI in the security business. Ultimately, these will improve your organization’s overall awareness and training results and help with your “security bench strength.”
For help in planning a training program customized for your users’ needs, contact Pratum today.