Starting a Phishing Education program can be an unpopular decision inside a company. It’s pretty common to get pushback from leaders in the company when they hear the rumblings of fear from employees who are uncertain what the phishing program means for them, their employment, and their value as an employee. Here are a few things that you should communicate to your staff and leadership team to ensure the success of the program and to ease any tensions around it:
- This is education, not testing. I’d avoid using the word “test” in any way. Tests tend to be pass/fail and we don’t want people feeling that they’re failures. Experiential learning requires experience. That’s what this program supplies. We are giving you the opportunity to interact with adversarial emails in a safe environment and then educating you on the tricks the hackers use to lure you in.
- No one is out to get you. Snared Security uses real world examples of what our customers receive from malicious attackers. Our goal isn’t to trick you, it’s to simulate real world experiences.
- Phishing is the source of 95% of breaches. This is a real world statistic that shows how serious the problem is. This program is valuable because it reduces the risk that your company will be breached.
- Tactics change daily. Doing phishing training once per year is not enough, because as soon as we train our people to spot an attack, it changes direction. Evolving trends require evolutionary training. Training monthly is the most effective method for keeping employees up to date.
- You can help others to succeed. We want you to talk about the phishing emails as you see them, and when you’ve spotted one, you SHOULD tell your coworkers about it. You never know when you’ll teach someone a new trick they wouldn’t have learned without you.
- There’s no shame in falling victim. This program is meant to open dialogue, not to cause you anguish. If you click something you shouldn’t, it’s very important to speak up immediately. You could stop that next breach by saying something.
- If the training isn’t working, let us know. There are four very distinct learning styles. It’s ok to ask for training that matches your learning style.
- Report anything you think is suspicious. The chances are that if you got it, someone else did. Calling that out can alert IT to a problem far earlier, before it turns into a cleanup.
It’s always a good use of time to arm your employees with knowledge. Phishing is a problem inside the company and outside the company at home. Giving people the tools they need to avoid work or home distress is critical for maintaining well-being and productivity for your entire workforce.