I hear from potential clients all the time how they repeatedly get compromised by phishing-borne attacks such as ransomware. Often, they tell me they follow the age-old adage of telling their staff “Don’t click on links!” or send out notifications of current attacks, but they don’t really address the root of the problem – which is a lack of effective education.
So, if telling them “don’t click on links” doesn’t work, what can you do?
Here are a few of the key things you need to do to get users to become part of the solution, rather than part of the problem.
1. Give them a reason to care – Most staff members don’t really care about the organisation they work for. They might be great at their job and take a keen interest in the company affairs – but ask them to do some awareness training in something they have no interest in and you’ll hear crickets.
There are gimmicks that can be used to get short-term buy-in for the training program; but if you want a lasting effect, tie the communication back to how this problem affects their families and the people they care about. When you give your staff the opportunity to become a protector of something they care about, not just your organisation, engagement becomes voluntary and much more compelling. This is when the real magic happens.
When they are asking to get a copy of the training for their kids, partners, and parents – you know you are on the right path.
2. Treat staff with the respect they deserve – Spend enough time in IT circles and you’ll hear things like “dumb users”, “the users are stupid”, or “you can’t teach them anything”. This elitist thinking is one of the reasons IT departments in many organisations have a poor internal reputation.
It’s time we started looking at staff for who they are: specialists in their fields, which may not be IT. They would likely run rings around you and me in their area of expertise, but they just aren’t technologists. This is where you can fill in those gaps and teach them something new.
Take the time to treat the users with the respect they deserve across all communications, touch points, and testing regimes.
3. Tricking is not training – Nobody likes to be tricked or conned, and your staff are no different.
Old-school phishing assessments can easily get your users offside and make those running the program feel superior because they fooled so many people. What other training techniques can you think of that take this approach and actually work?!
A proper anti-phishing program should never be about deception; it’s about giving staff the opportunity to learn and grow. In many cases it will take baby steps. You can’t teach advanced maths by sending out advanced equations every month or so; you need to start with the basics and build from there. Phishing is the same for many people: it can be extremely technical to a non-technical person. Humiliating your staff before they have even had the chance to learn from their mistakes is not the answer.
4. Understand the audience – Users in most organisations are non-technical people. In some cases, they are put off technical training because past ‘old-fashioned’, dry, boring and technical modules have left them feeling down or completely out of their depth.
We need to empathise and understand that each one of your staff members is starting off with a different level of expertise, capability and understanding of phishing and technology. A successful training program will need to cater to this and allow users to advance at their own pace.
5. It’s not an overnight fix – I’m sure by now you are seeing that phishing education is quite a tough subject for many people to become proficient at. To get a non-technical audience to understand how to detect phishing can require a fundamental change in their understanding and thinking.
Throughout training, your audience is learning new skills and techniques that they may never have used before, and as with any skill it takes time to learn it, become capable, and have it ingrained into everyday use. You need to devise a program that takes users on a journey from where they are now, right through to becoming a phishing expert. It will take training, practice and patience, as there are no quick fixes, but the payoff at the end will be worth it.
Understand your organisation’s phishing risk and train your staff to identify and manage phishing emails with our phishing awareness training and simulation solution.