Freely subscribe to our NEWSLETTER

"The NCSC warning of businesses needing to be careful about embracing phishing tests is correct. Tests can be subjective as IT teams running phishing simulations do not give users enough context as to why they are running these tests, failing to show why this training is of value to the business. As a result, users do not know why they are being asked to participate, further disengaging them from the whole process. Disengagement can lead to real life mistakes with real life consequences.

Last year was one of the worst years on record for cybersecurity according to our State of Email Security research. Data breaches through phishing was revealed to be the biggest culprit, with 36% of data breaches due to employee credentials stolen through a phishing attack. 96% of these attacks occur through email, this just reiterates how pivotal it is to keep users engaged in training programmes and create a culture of always reporting suspicious emails.

Holistic awareness training is far more suitable for keeping users engaged as it provides more context as to why employees are having to do this and how it contributes their organisation’s overall cyber resilience. Including it in performance reviews and setting clear expectations from the outset that good cyber hygiene practices are required as part of their job, and not just a compliance exercise, also helps get employees engaged in the program.

This approach is more likely to gain interest and better engagement from users, especially if the training is kept short, regular, and entertaining. With a multi-layered training approach, users are more likely to be engaged in training which would breed a culture of it becoming a norm to report suspicious emails within the workplace and to be more vigilant outside of it too, for example on social media and in their daily lives."