Phishing simulations do not give users enough context as to why they are running these tests
October 2022 by Duane Nicol, Senior Product Manager Awareness Training, Mimecast
Following recent news that the UK's National Cyber Security Centre (NCSC) has warned businesses not to be 'seduced' by the attractiveness of issuing phishing tests to staff, while also publishing new guidance encouraging organisations to work in tandem with others in their supply chains to identify and address security issues after a marked rise in incidents, Duane Nicol from Mimecast has commented on several important issues, including the importance of keeping users engaged in awareness training.
Duane Nicol, Senior Product Manager Awareness Training, Mimecast, explains:
"The NCSC warning of businesses needing to be careful about embracing phishing tests is correct. Tests can be subjective, as IT teams running phishing simulations do not give users enough context as to why they are running these tests, failing to show why this training is of value to the business. As a result, users do not know why they are being asked to participate, further disengaging them from the whole process. Disengagement can lead to real-life mistakes with real-life consequences.
Last year was one of the worst years on record for cybersecurity according to our State of Email Security research. Data breaches through phishing were revealed to be the biggest culprit, with 36% of data breaches due to employee credentials stolen through a phishing attack. 96% of these attacks occur through email; this just reiterates how pivotal it is to keep users engaged in training programmes and create a culture of always reporting suspicious emails.
Holistic awareness training is far more suitable for keeping users engaged as it provides more context as to why employees are having to do this and how it contributes to their organisation's overall cyber resilience. Including it in performance reviews and setting clear expectations from the outset that good cyber hygiene practices are required as part of their job, and not just a compliance exercise, also helps get employees engaged in the programme.
This approach is more likely to gain interest and better engagement from users, especially if the training is kept short, regular, and entertaining. With a multi-layered training approach, users are more likely to be engaged in training which would breed a culture of it becoming a norm to report suspicious emails within the workplace and to be more vigilant outside of it too, for example on social media and in their daily lives."