Today, many companies do not test, train, or sensitize their employees frequently enough to make the hacker profession attractive.
Performing a campaign once a year or every six months means you are not up to date on the ecosystem, threats, and attack scenarios.
In this article, we will talk about frequency, realism, theoretical content, and andragogy in order to improve the effectiveness of your awareness programs.
I) Frequency: often neglected key factor
Fight against forgetfulness
It is important to schedule phishing tests frequently to fight against the forgetting curve.
Maintaining the level of attention is crucial: your employees must be constantly on guard, even if it means being a little paranoid.
The goal is to have active participation from employees in the fight against phishing, particularly through reporting phishing emails.
Perform phishing tests frequently so that employees constantly question whether the email in front of them corresponds to a phishing email or a fake phishing exercise.
Keep in mind that "practice makes permanent" and not "practice makes perfect". By repeating your exercises regularly, reflexes will develop, but make sure that the reflexes you train are the right ones.
Over time, these reflexes will even apply in situations where psychological levers are used to manipulate your employees.
Add randomness to avoid overspecialization
Doing a campaign every month is good, but if it's every first Monday of the month, your employees will quickly recognize the pattern and your exercises will no longer be effective.
The day, time of sending, and number of campaigns per month are parameters that must vary; otherwise, your employees will be trained to detect your simulations, not phishing emails that do not arrive on a regular schedule.
Alternate: one month, you can train them once, the next month, twice.
To help you choose the best times, we have written an article on the most interesting time slots to use for your phishing simulations.
Avoid overloading to maintain positive engagement
Test frequently, yes, but not the same people. Avoid overloading, even if you have VIP groups that are more important to train.
There is a risk of the opposite effect: employees may become resistant, feel harassed, and lose engagement in the training.
Avoid sensitizing the same people too frequently. A good rhythm is once every two months or even once a week for the most critical users. We have written an article on the subject: How often should phishing simulations be conducted?
II) Realism: training against today's threats
Avoid falling into the trap of low-quality scenarios
Too few campaigns are realistic, which directly impairs the effectiveness of awareness. Realistic scenarios, used by hackers today, are necessary for optimal training.
When faced with a phishing email, psychological levers and social engineering are used to incite and influence our actions.
Once a simulation solution is used, the quality of the proposed situations must be considered.
Indeed, even if low-quality phishing scenarios can be a pedagogical tool, for example, to restore employees' confidence in their detection abilities, it is important to prioritize realistic attack simulations that more accurately reflect the threats that your company may encounter.
Yes, a package blocked at La Poste has little chance of convincing the victim to provide their professional credentials, but can the same be said of an invitation to a Teams meeting containing the names and surnames of all employees in their department?
It is rarely the unsophisticated attacks that succeed, which is why it is important to have realistic phishing scenarios.
Emails with spelling mistakes and surreal motifs, such as an inheritance, are not useful in the fight against phishing, quite the opposite.
These easy-to-detect scams not only allow hackers to find gullible targets, but they also lower the guard of the recipients.
By opening these phishing attempts, the person says to themselves, "It's easy enough to detect phishing, so I will never fall for it."
However, when they receive an elaborate attack, they are not prepared enough and consider the email legitimate because it has almost nothing to do with the phishing emails they are used to receiving.
Size of the workforce: no one attacks an entire company at once
Do not send simulations to your entire workforce all at once, it is still a common mistake in companies. Colleagues talk to each other and end up relying on each other.
However, in a real attack, the hacker will try not to arouse suspicion and will therefore target only a few accounts.
Vary the levels of difficulty to maintain engagement
Finally, you should avoid consecutive scenarios that are too difficult. The goal is not to trap your colleagues, but for them to learn from their mistakes.
Add some pedagogy by focusing on one or two clues until they are well integrated.
Employees should learn to skim links and check a domain name before receiving phishing tests with a higher level of complexity, such as a sender's name matching that of a person in the company.
Constantly presenting scenarios that are too difficult can discourage and make employees feel that they will never be able to detect a phishing email, or it can lead to counterproductive behavior in simulations and make training more difficult.
III) Distributing and engaging with theoretical content
Reduce friction to save time and increase engagement
In terms of cybersecurity, traditional LMSs mainly represent an approach based on compliance rather than practical risk reduction.
Firstly, there is still too much friction; you have to log into an online platform, search for the module to validate, and then go through 45 minutes of SCORM. The process is far too long.
In contrast, you can opt for learning that appears immediately after the compromise. It is directly integrated into the employee's experience and can be adapted to correspond to the error made by the employee in the simulation.
The goal is to reduce the training time while generating more engagement in the learning process. The user perceives the training less as a constraint, gains time for other tasks, and the learning is contextualized and focused on the essentials.
Context & Coherence: employees must be able to relate
The context and coherence of the content must also be improved. They are still too generic and do not always correspond to the employee's job or environment.
An employee in the logistics department who is responsible for a production chain that can be held ransom, receiving content about the dangers of having their Twitter account hacked is completely out of context.
The theoretical content must be consistent with their job, just like the phishing tests.
IV) Andragogy: better adult learning
Andragogy, or adult pedagogy, was popularized by Malcolm Knowles at the end of World War II.
Knowles believes that adult learning differs from that of children in several ways.
Firstly, adults need to understand the purpose of the training and perceive its value to be gained.
For adults, experience is the basis of learning, and an experiential environment is necessary, which is why situational training is important in phishing training.
If they are involved in the setup process, their involvement becomes even more important. You can gamify the training by organizing competitions between departments with rewards for the groups that achieve the best security score.
It is also important that adults perceive the usefulness of the training in their professional and personal lives.
Finally, adults are much more motivated when faced with intrinsic factors rather than external exhortations. The HR department sending reminders to employees to complete their e-learning will have little impact on their motivation to follow the training.
V) Improve the culture to combat phishing "hand in hand"
It is necessary to improve the company's culture regarding digital security. Employees must understand the perceived value of awareness as having significant professional and personal impact.
It is better for the phishing test to be perceived as a game rather than a spying instrument. The perception of the CISO also plays a role in engagement. They must be considered a true ally and resource in the fight against phishing, rather than someone who constantly imposes restrictions.
Collaboration within the company is more than necessary. Otherwise, you will be handicapped against attackers.
VI) Add human touch to improve knowledge transmission
Practicing peer learning is an appropriate solution to improve the company culture.
If it is always the same individuals communicating about cybersecurity, employees can become saturated and eventually ignore the presented issues.
An external person explaining that they have seen serious cases, companies being attacked, ransoms being demanded, or personal lives being completely exposed on the internet due to a lack of awareness is likely to have more impact than a member of the IT department whose message is routine.
You can also call on internal ambassadors, selecting high-performing individuals who are interested in cybersecurity to become internal security reference points.
Their role will be to advise their peers on good or bad practices, explain how they proceed to be among the best elements. Their words will be more easily listened to because these ambassadors are closer to the people you want to raise awareness among.
In conclusion, awareness training needs to be rethought to be effective. A phishing test once a year during cybersecurity month is not enough.
In the cat-and-mouse game, the advantage clearly lies with the attacker.
By varying vectors, formats, and choosing appropriate content, you will significantly increase the impact of your training on your employees.