With a phishing simulation, you can sensitize employees to IT security over the long term. Find out what to look out for to ensure the learning success of the participants.
Why Phishing Simulations?
Cyber attacks, and successful phishing attacks in particular, have increased dramatically in recent years; the BKA and Bitkom agree on this in their current reports on the threat situation in cyberspace. According to Avanan's Global Phish Report 2019, a quarter of these phishing emails made it through Microsoft's sophisticated filters and ended up in users' inboxes. Technical filters alone are therefore no longer sufficient to reliably protect against cyber threats: attackers invest time and resources in circumventing filter solutions, for example by changing the vectors they use. Many attacks are also aimed specifically at users and rely on psychological tricks to manipulate the victim for criminal purposes through social engineering.
Companies are particularly at risk because criminals hope to steal especially large sums of money from them. Phishing attacks are particularly common in times of crisis, when employees are unsettled and companies are already weakened. During the corona crisis, for example, new phishing tactics that cybercriminals use to exploit general uncertainty have been observed again and again. Not least because of this, you should act early and include the human factor in your IT security strategy, for example through awareness training. Various compliance frameworks, such as ISO 27001 or the GDPR, also require continuous training of employees in IT security issues; in the case of ISO 27001, this includes a form of simulated social engineering attack.
From Pure Phishing Tests to Awareness Building: Tips for A Sustainable Phishing Simulation
Under these circumstances, phishing simulations are proven tools for raising employees' security awareness in a modern way. If carried out correctly and systematically, they can sustainably reduce the click and interaction rates with phishing emails and thus protect companies from fatal (financial) damage.
However, there are some stumbling blocks to clear out of the way so that a simulation can achieve the desired effect. Particularly important: do not design the simulation as a pure phishing test that puts employees and their knowledge to the test and denounces incorrect behavior (see "Blaming" above). Instead, plan and communicate the simulation from the outset as a learning-oriented awareness measure. The following methods have proven effective:
1. Technical Preparation
Before you start your phishing simulation, it must be prepared from a technical point of view. For example, you should whitelist the simulation's sending domains and mail servers in your filters and make the appropriate settings; only then will the simulated phishing emails actually reach the participants' mailboxes. It is worthwhile to consult with the respective provider to clarify all technical details.
2. Announcement
Receiving a simulated phishing email unexpectedly and falling for it can be frustrating and demotivating for participants. You should therefore announce the phishing simulation to all employees in advance so that they are not taken by surprise by the measure.
3. Anonymity
In the English-speaking world, phishing simulations were often used in the past as test tools to check which employees did not know how to handle security risks; in some cases, personal consequences were even drawn. A phishing simulation should not serve to test knowledge, but to build awareness. Make the phishing simulation anonymous so that participants do not feel controlled or even have to fear personal warnings.
4. Customization
In everyday life, too, more and more carefully personalized phishing e-mails (so-called spear-phishing e-mails) are sent, enriched with the victims' personal data. In the phishing simulation, you can likewise have the content adapted to your organization, for example the approach, the design, or the subject matter. In this way, participants are sensitized to such attacks in a realistic manner.
5. Provision of Learning Content
Phishing simulations should primarily be a means of learning. Accordingly, you should not send them out in isolation, but ensure that they are accompanied by appropriate explanatory content. Only in this way do participants know, after clicking on a simulated e-mail, what to look out for in the future.
6. Establishment of a Reporting Chain
Who do I contact if I suspect a phishing attack? Participants should be able to answer this question at any time. Before starting the simulation, make sure that the relevant reporting processes have been clarified with everyone involved so that they can react quickly if the worst comes to the worst.
7. Continuity and Randomization
So that you can measure the success of your simulation, simulated phishing emails should be sent continuously and at random intervals rather than in a single predictable wave. In this way, participants are also continuously made aware of IT security risks and the learning effect is sustained.
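The anonymity (point 3) and continuity/randomization (point 7) advice can be turned into a small reporting routine. The following is an added example, not code from the article or from SoSafe: it pseudonymizes participants with a salted hash, spreads sends randomly over a window, and reports click and report rates only for groups large enough (a constructed k_min threshold) that no individual can be singled out. The event format and sample data are constructed for the demo.

```python
import hashlib
import random
from collections import defaultdict

K_MIN = 5  # constructed: suppress any group smaller than this so no single person can be inferred


def pseudonymize(email: str, salt: str) -> str:
    """Replace an address with a salted hash before analysis; the salt stays with the operator only."""
    return hashlib.sha256((salt + email.strip().lower()).encode()).hexdigest()[:16]


def schedule_sends(participants, start_day: int, window_days: int, seed: int) -> dict:
    """Give each participant a random send day within [start_day, start_day + window_days)."""
    rng = random.Random(seed)  # seeded so a planned wave can be reproduced
    return {p: start_day + rng.randrange(window_days) for p in participants}


def aggregate(events, k_min: int = K_MIN) -> dict:
    """Per (wave, department): unique participants sent/clicked/reported, as rates.
    Groups with fewer than k_min recipients are returned as None (suppressed)."""
    groups = defaultdict(lambda: {"sent": set(), "clicked": set(), "reported": set()})
    for wave, dept, pid, action in events:  # event tuples: (wave, department, pseudonym, action)
        if action in ("sent", "clicked", "reported"):
            groups[(wave, dept)][action].add(pid)
    out = {}
    for key, g in groups.items():
        n = len(g["sent"])
        if n < k_min:
            out[key] = None
            continue
        out[key] = {"n": n,
                    "click_rate": len(g["clicked"] & g["sent"]) / n,
                    "report_rate": len(g["reported"] & g["sent"]) / n}
    return out


# Constructed sample campaign: 6 finance recipients (2 clicked, 3 reported), 2 legal recipients.
SALT = "constructed-demo-salt"
FIN = [pseudonymize(f"fin{i}@example.com", SALT) for i in range(6)]
LEG = [pseudonymize(f"leg{i}@example.com", SALT) for i in range(2)]
EVENTS = ([(1, "finance", p, "sent") for p in FIN]
          + [(1, "finance", p, "clicked") for p in FIN[:2]]
          + [(1, "finance", p, "reported") for p in FIN[2:5]]
          + [(1, "legal", p, "sent") for p in LEG]
          + [(1, "legal", LEG[0], "clicked")])


def campaign_report() -> dict:
    """Aggregate the constructed wave; the 2-person legal group is suppressed, finance is reported."""
    return aggregate(EVENTS)
```

Running `campaign_report()` yields a click rate of 2/6 and a report rate of 3/6 for finance, while the legal group is suppressed because two recipients cannot be reported without identifying them.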
8. Feedback to The Recipients
Give regular feedback to the participants and answer any questions. This emphasizes once again the learning orientation of the simulation and allows employees to share their personal experiences, which also encourages and motivates them.
Create Awareness with A learning-oriented Phishing Simulation
In addition to information campaigns about cybersecurity and employee training, for example in the form of digital and interactive learning platforms, phishing simulations are particularly useful for continuous awareness building in companies, because employees are made aware of cyber risks directly where those risks occur. You can find detailed information on the best practices presented here in the white paper "Best Practices Phishing Simulations", which deals with the planning and implementation of successful phishing simulations and employee training. In addition to current studies and statistics, it draws on SoSafe's empirical values from phishing simulations in companies of various industries and sizes.