We run monthly phishing simulations, but our "click rate" stays high. Employees seem to treat it as a joke or get annoyed. How can we make our security awareness training more engaging and actually reduce the risk of a real credential harvest? Any creative ideas?
3 answers
Do you find that certain departments, like Finance or HR, are more susceptible than others, or is the click rate consistent across the entire organization?
The key is to move away from "punitive" training. If someone clicks, don't just send them a boring 15-minute video. We started a "Security Champions" program where we reward the departments with the highest "report rate" (using the Phish Alert button). We also use "teachable moments"—a pop-up that appears immediately after a click, explaining exactly what red flags they missed in that specific email. This immediate feedback loop is much more effective than a quarterly seminar. Try making the scenarios relevant to their specific job roles to increase realism.
Gamification works wonders. We created a leaderboard for who reports the most "malicious" emails. The winner gets a small gift card or a "Cyber Pro" badge on their Slack profile.
I love the leaderboard idea, Amanda. Positive reinforcement usually sticks much better than the fear of getting in trouble. It turns security into a team sport rather than a chore.
Gregory, our Sales team is actually the worst because they are trained to open every attachment from potential "leads." To address this, we tailored simulations specifically for them involving fake "Invoices" and "RFPs." Once they realized how easy it was to be fooled by a fake lead, they became much more cautious about checking the sender's actual email address before clicking.