Phishing training requires a holistic approach that is often overlooked by companies racing to "check the box" in terms of offering training on this increasingly important topic. A big mistake would be to treat phishing training the way that companies treat many other kinds of training. We've heard of far too many company training events that involve a manager speaking for 30 minutes, with slides in the background, followed by everyone going back to what they were doing.
If that approach sounds a bit like what your company does for phishing training, please read on -- we've got a lot to share about what a much more effective approach looks like.
1. Interactive, On-Demand Training
There is absolutely no reason to re-invent the wheel by having an employee create slides for phishing training, followed by someone orchestrating dates/times for that person to "present" training, followed by everyone in the company trying to sign into a video conference to listen to it. No one being honest considers that the most convenient or effective way to engage the company in a topic that you genuinely need them to know about.
Instead, the way to go in modern times is interactive, on-demand training. By that, we mean an engaging training session with on-screen animations and examples, and mini quiz questions throughout, that requires more than passive listening. Furthermore, it really needs to be on-demand. Nothing causes your team to dislike training more than putting them in a situation where absolutely everyone needs to be available at a specified date/time to be on the receiving end of a PowerPoint presentation.
2. Phishing Simulations
Phishing is ever-evolving, as attackers become more attuned to how to fool us into believing that they are sending messages from websites that we know and trust. One of the best ways to spread awareness about phishing techniques around your company is to roll out a phishing simulation. What is a phishing simulation?
A phishing simulation is a message that resembles a phishing attack, but is done for training purposes. If an employee is deceived by the email and clicks on it, you should breathe a huge sigh of relief. Why? Because educating your team in a simulated situation instead of a real one, probably just saved you monetary impact or other damages.
The best phishing simulations are tailored to include messages that claim to be from web services that your team actually uses. For example, if your benefits are through Cigna, you'd want a phishing simulation that includes an email claiming to be from Cigna. If instead you use an email that claims to be from Blue Cross Blue Shield, your employees aren't really getting the full experience that a phishing simulation should deliver, because you are giving them too generous a clue that the message is not legitimate.
3. On-the-Job Training
You've heard of on-the-job training, a concept that is as old as some of the earliest automobile manufacturing lines where current employees showed new employees how to complete a particular task -- by having them complete the task.
Phishing training has its own type of on-the-job training/reinforcement. Specifically, your company should have an email address that employees are encouraged to send suspicious emails to, for a second opinion. If that email address is managed by Havoc Shield's Mail Armor feature -- an automated way to evaluate suspicious emails -- even better.
But whatever the case, encourage your employees to raise their phishing awareness on-the-job by providing a well-known internal email address that employees can forward suspicious emails to, for a second opinion. This type of on-the-job training is perhaps the most powerful element of a modern phishing training approach, because it empowers employees to surface their real-world situations and learn from an expert-level evaluation of whether the email is (or isn't!) safe.
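To make the "second opinion" described above concrete, here is an added example of the kind of first-pass automated evaluation a reporting mailbox can run on a forwarded message. This is illustrative code written for this article, not Havoc Shield's Mail Armor implementation. It assumes a small, company-specific list of trusted service brands and domains (the `TRUSTED_SERVICES` mapping, with placeholder `.example` domains standing in for a real benefits or payroll provider) and uses two constructed sample messages; it flags the indicators a reviewer would check by hand: a sender domain that is a near-miss of a trusted one, a display name claiming a trusted brand from a different domain, a Reply-To that diverges from the sender, and links that point somewhere other than the sender's or a trusted domain.

```python
"""First-pass triage for messages forwarded to a 'report phishing' mailbox.

Added example for this article; not Havoc Shield's Mail Armor code.
Assumption: TRUSTED_SERVICES lists the brands your company really uses,
keyed by the display name employees would expect to see.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, Optional
from urllib.parse import urlparse

# Placeholder brands/domains (assumption); replace with your real providers.
TRUSTED_SERVICES: Dict[str, str] = {
    "acme benefits": "acmebenefits.example",
    "acme payroll": "acmepayroll.example",
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def registered_domain(host: str) -> str:
    """Crude registrable-domain extraction (last two labels). Adequate for
    illustration; a real tool would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typosquatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates (within 2 edits), if any."""
    for trusted in TRUSTED_SERVICES.values():
        if domain != trusted and levenshtein(domain, trusted) <= 2:
            return trusted
    return None


def _domain_of(address: str) -> str:
    return registered_domain(address.split("@")[-1]) if "@" in address else ""


def triage(raw_message: str) -> dict:
    """Parse one reported message and return the indicators found."""
    msg = message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = _domain_of(sender)
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reply_domain = _domain_of(reply_to) if reply_to else sender_domain

    # Collect link destinations from every text part of the message.
    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                body += payload.decode(part.get_content_charset() or "utf-8", "replace")
    link_domains = {registered_domain(urlparse(u).hostname or "") for u in URL_RE.findall(body)}

    findings = []
    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(f"sender domain {sender_domain} resembles trusted {imitated}")
    for brand, trusted in TRUSTED_SERVICES.items():
        if brand in display_name.lower() and sender_domain != trusted:
            findings.append(f"display name '{display_name}' claims {brand} but sender is {sender_domain}")
    if reply_domain != sender_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from sender {sender_domain}")
    off_domain = sorted(d for d in link_domains
                        if d and d != sender_domain and d not in TRUSTED_SERVICES.values())
    if off_domain:
        findings.append("links lead to " + ", ".join(off_domain))
    return {"sender_domain": sender_domain, "findings": findings, "suspicious": bool(findings)}


# Constructed sample messages (not real mail) for a stand-alone run.
PHISHY_REPORT = """\
From: "Acme Benefits" <enrollment@acmebenefit.example>
Reply-To: support@mail-verify.example
Subject: Action required: confirm your enrollment
Content-Type: text/plain

Your enrollment needs confirmation: http://acmebenefit-login.example/confirm
"""
LEGIT_REPORT = """\
From: "Acme Benefits" <noreply@acmebenefits.example>
Subject: Your statement is ready
Content-Type: text/plain

View it at https://www.acmebenefits.example/statements
"""

if __name__ == "__main__":
    for label, report in (("phishy", PHISHY_REPORT), ("legit", LEGIT_REPORT)):
        result = triage(report)
        print(label, "suspicious" if result["suspicious"] else "no indicators")
        for f in result["findings"]:
            print("  -", f)
```

The verdict this produces is a starting point for the human (or service) answering the mailbox, not a replacement for it: a message with no findings can still be malicious, so the reply to the employee should come from whoever reviews the report, and each outcome is a teaching moment regardless of which way it goes.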