Even as more users become mindful of ransomware, phishing remains a stubborn problem.
Current anti-phishing technologies block or at least reduce many attacks, but phishing messages still get through the technical barriers, which is why the human layer matters.
What makes phishing attacks tenacious?
The problem with phishing is that it deliberately exploits your everyday activities to deliver the attack. For example, a salesperson receives an email with a “signed quote” attachment from what appears to be a partner.
Because they handle emails like this every day, the salesperson will most likely open the attachment without a second thought. This makes users easy targets, especially now that attackers use more creative and sophisticated lures.
It is therefore important to instill a security-first mindset across the whole organization. But how do you run an effective phishing awareness campaign?
Read on as we look back at the adoption lessons from our previous ShiftHappens episodes and how we’ve applied them to our phishing awareness campaigns.
1. More Than Theory: The Value of Diverse Training Resources
Jennifer Peabody of HAVI believes that:
“[A] key piece was making sure we had a variety of channels for learning and training resources. Everyone learns differently at their own pace and in how they consume resources when they’re trying to learn something new, so we wanted to really make sure we provided a lot of different channels for learning.”
Learning processes differ from one user to another, so use several types of resources in your anti-phishing campaign.
Microsoft 365 includes attack simulation training (part of Microsoft Defender for Office 365) that lets you send simulated phishing emails to your users and assign follow-up training to those who click. You can also hold monthly Microsoft Teams webinars to brief users on new phishing trends.
You can even create interactive games about distinguishing an authentic email from a phishing scam, or a legitimate web address from a lookalike. Or build an app that reminds users to think before they click.
Making it fun keeps users engaged and helps them retain the information more effectively.
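The hardest part of the “real address or fake?” game is teaching users which part of a URL actually matters. The script below is an added illustration for this post, not code from the original article or from any AvePoint or Microsoft product. It applies the checks such a game should teach (the registrable domain decides, not the brand name you see first; credentials before `@`, bare IP hosts, punycode labels, brand names used as subdomains, and digit-for-letter substitutions are all warning signs). The brand allowlist and the two-entry stand-in for the public suffix list are constructed assumptions; production code would use a real public suffix list.

```python
"""Lookalike-URL checks of the kind an anti-phishing quiz can teach users to do by eye.

Constructed example: LEGIT_DOMAINS and MULTI_LABEL_SUFFIXES are assumptions, not data
from any real organisation or a real public suffix list.
"""
import ipaddress
from urllib.parse import urlsplit

LEGIT_DOMAINS = {"contoso.com", "microsoft.com"}   # assumed allowlist of the brands being protected
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}          # tiny stand-in for the public suffix list
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})


def registrable_domain(host: str) -> str:
    """Return the part of the host that someone actually had to register (e.g. evil.example)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalise_label(label: str) -> str:
    """Undo cheap substitutions attackers use: digits for letters, 'rn' for 'm', hyphens."""
    return label.translate(CONFUSABLES).replace("rn", "m").replace("-", "")


def classify_url(url: str) -> list[str]:
    """Return the reasons a URL looks like a lookalike; an empty list means it passes."""
    reasons: list[str] = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")          # urlsplit already lowercases the host
    brands = {d.split(".")[0] for d in LEGIT_DOMAINS}

    # 1. Credentials before '@': https://microsoft.com@evil.example/ really goes to evil.example.
    if parts.username is not None:
        reasons.append(f"text before '@' hides the real host ({host})")

    # 2. Bare IP literal: a real brand does not send you to http://203.0.113.7/login.
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP address, not a name")
        return reasons
    except ValueError:
        pass

    # 3. Punycode labels can render as confusable Unicode (e.g. Cyrillic look-alikes).
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (xn--) label; rendered text may use look-alike characters")

    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return reasons                                  # the registrable domain is what matters

    # 4. Brand used as a subdomain, or imitated inside an unrelated registrable domain.
    reg_label = reg.split(".")[0]
    sub_labels = host.split(".")[:-len(reg.split("."))]
    norm = normalise_label(reg_label)
    for brand in sorted(brands):
        if brand in sub_labels:
            reasons.append(f"'{brand}' appears as a subdomain of {reg}")
        if norm == brand and reg_label != brand:
            reasons.append(f"'{reg_label}' imitates '{brand}' with substituted characters")
        elif brand in norm and norm != brand:
            reasons.append(f"'{reg_label}' embeds '{brand}' in an unrelated domain")
    if not reasons:
        reasons.append(f"unknown domain {reg}")
    return reasons


if __name__ == "__main__":
    for sample in ("https://www.microsoft.com/login",
                   "https://login.microsoft.com.evil.example/",
                   "https://micr0soft.com/",
                   "http://203.0.113.7/login"):
        print(sample, "->", classify_url(sample) or "looks legitimate")
```

The point a quiz should drive home is step 4: read the host from the right, find the registrable domain, and ignore everything in front of it. Everything else on the list is a tell that the address was built to deceive rather than to be typed.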
2. Digest it Better: Keep it Simple and Accessible
As IT and security teams, we often forget that our users aren’t as technical and security-minded as we are.
Jennifer Peabody further mentions:
“My communication style is just very casual. I don’t like to speak in technical terms because […] if I don’t understand it, then chances are, there’s a lot of others that aren’t going to understand it either.”
As you come up with learning resources, ensure that the resources are understandable and relatable.
A too-technical phishing infographic might not be easily understood by your regular users. A phishing training course that’s hard to navigate will not help a user finish the course. An app that’s not accessible will not be used.
Besides easily accessible resources, another strategy is to build a team of champions who can carry your message to people they relate to.
A sales manager might persuade their team to be more observant with emails. A marketing director could create a quick comparison infographic of authentic emails versus likely phishing scams. Your security team could run monthly lunch-and-learns targeted at each department.
By focusing on the right communication and learning resources, your users will feel that their awareness, too, is crucial for your overall security strategy.
3. Practice What You Preach: Policies and Advocacy
Vickie Robinson of Microsoft Airband thinks change can be driven when you understand that the IT team or users alone can’t solve this problem:
“Underneath all of that is really a focus on policy and advocacy. [This] is a systemic problem that’s going to require a systemic solution. If you don’t have policies in place, you’re going to put limitations on what can be done […].”
An environment where users can see that what they’ve learned is practiced by the whole organization is integral to showing the value of these campaigns.
Put policies in place that encourage users to keep up security-minded practices after their training, and even after the campaigns end.
For instance, the last section of your phishing refresher course can direct users to review their recent emails, delete messages from suspicious senders, and report unusual attachments to the security team without opening them (forwarding the message as an attachment, or using the mail client’s report-phishing button, keeps the original headers intact for analysis).
An incident response process is crucial for actual phishing attacks, and you can help users get used to it by making it part of the training as well. Tell them ahead of time what happens once a suspected attack is reported, and emphasize who they should contact.
User data also needs to be backed up. A backup solution that lets end users restore their own data if they delete authentic emails and attachments will be useful throughout the campaign.
You’ll see the true worth of your phishing campaigns when users not only learn but turn their learning into actual practice.
EduTech: Dynamic and Secure Learning Solution
Learning comes in all forms. What could be a more powerful learning solution than a platform flexible enough to offer a modular mix of phishing learning modules, depending on your needs?
Still, we’re talking about security. With AvePoint EduTech, a modern learning solution for both educational institutions and corporate organizations, you can build a dynamic learning environment on one platform, promoting both effective learning and robust security.
While change may not come overnight, slowly moving towards your goal will get you somewhere closer to the security-minded organization you are aiming for, and EduTech can help you get there.