Cyber Security

What are the most effective strategies for conducting internal phishing simulations for employees?

AM Asked by Amanda Roberts · 22-09-2023
0 upvotes 8,983 views 0 comments
The question

I’ve been tasked with running our company’s first phishing simulation. I want it to be realistic enough to catch people, but I don’t want to humiliate our staff or lose their trust. What are the best practices for the "Teachable Moment" that happens right after someone clicks a bad link? Should we be using generic templates or something more tailored to our specific industry?

 

3 answers

0
MI
Answered on 24-09-2023

Phishing simulations should always be about education, never about "gotcha" moments. Start with easy, generic templates to establish a baseline. When someone clicks, immediately direct them to a 60-second interactive training video rather than a scary "You Failed" screen. This "just-in-time" learning is statistically proven to be the most effective way to change behavior. Also, make sure to reward the people who use your "Report Phish" button. Publicly praising the people who caught the simulation does more for your security culture than punishing the people who fell for it. 

0
RO
Answered on 26-09-2023

Have you considered how you will handle high-risk repeat offenders who fail multiple simulations over a six-month period without showing any improvement in their behavior? 

TH 27-09-2023

Robert, we handled this by moving repeat offenders into a more intensive, hands-on workshop rather than just more automated emails. We found that some people genuinely don't understand the visual cues of a fake URL. By sitting down with them and showing them how to hover over links and check headers, we reduced our "failure rate" from 25% down to 4% in just one year. It's about finding the right learning style for different employees. Patience pays off much better than disciplinary action in the long run.

0
JE
Answered on 28-09-2023

Try "Spear Phishing" simulations for your finance and executive teams. They are the primary targets for real-world attackers and need more sophisticated training scenarios.

AM 29-09-2023

Excellent point, Jessica. Tailored scenarios for high-value targets are essential since business email compromise usually starts at the executive level.

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

Book Free Session