Here we are near the end of Cyber Security Awareness Month. This year's campaign topics were led by the number one tool used by bad actors to infiltrate an organization – phishing. Phishing scams have taken on a life of their own; every day there is a new threat or a new attack on an organization. Social media is increasingly the mechanism of choice for vetting potential clients, employees, and vendors, leaving the attack landscape wide open.
New Attack Angles
More and more organizations are using social media to promote their business and share thought leadership. This is great for brand recognition. At the same time, it opens another avenue for bad actors to infiltrate organizations and reach sensitive data. In response, more and more organizations are engaging security awareness training vendors to keep their staff vigilant.
Phishing simulation programs have become a key tool in many organizations’ awareness training programs. The act of randomly testing individuals to see if they “take the bait” has its merits. However, behavior change should be the ultimate goal of any training program.
Consequences can be severe for organizations. Learners who do not learn from their mistakes can cost an organization hundreds, thousands, or even millions of dollars. How can organizations help their learners actually learn from their mistakes?
The number one goal for any training strategy should be to effect positive behavior change. Everyone learns at their own pace, and everyone learns differently. Shaming a learner or taking away access rights doesn't teach them how to identify phishing attacks going forward. Instead, learners overcorrect and no longer want to open their email at all.
The best way to reinforce positive security behaviors is to remediate learners in real time. What does remediation mean when it comes to training? Remediation, by definition, is the act of correcting an error or stopping something bad from happening. That should be the ultimate goal of any organization: prevention.
How Remediation Training Works
The best way to employ remediation training is to deploy a phishing test using a tool that has a remediation feature. Training managers can enable short training modules to be assigned as a remediation path based on the learner's response.
The simulated phish is deployed without the staff's knowledge. An example of a remediation path looks something like this:
When someone clicks on the phish, they are taken to a page that:
- Alerts them that they have been phished
- Explains what they did wrong
- Provides a link to launch the remedial training asset (video, module, course, game)
The learner then completes the remedial training and is better equipped to identify similar phishes in the future. By empowering their learners, organizations improve their email security and limit the exposure of sensitive information.
We believe in a continuous learning strategy at GLS. Therefore, we recommend deploying a phishing test with remediation training set up, then following up in the next month (or quarter) with another phishing test. Internal communication materials such as best practices, posters, and tips go a long way toward keeping security awareness top of mind.
Another way to educate your learners is to share relevant information on recent phishing attacks. This information will come in handy as your learners manage their email, text messages, and calls on a daily basis.