Phishing Awareness Training: Best Practices for Your Employees

Phishing attacks are on the rise, according to research for the “2021 State of the Phish” report from Proofpoint. Nearly three-quarters (74%) of organizations experienced a successful phishing attack last year. That’s a year-over-year increase of 14%.1 

Attackers are using relevant themes—like the pandemic and tax season—to prey on human vulnerability. And they’re applying an array of phishing tactics, including credential phish sites, malicious links and attachments, and business email compromise (BEC), to compromise victims. 

There’s no silver bullet to stopping phishing threats. It takes a multi-layered, integrated approach that includes prevention, visibility and response. In this blog, we’ll focus on how an effective phishing awareness training program can empower your people to help protect the organization.

Phishing awareness training: limited time available, so maximize the impact

Figure 1. The annual time budget allocated for security awareness programs tends to be under two hours per user per year (Source: “2021 State of the Phish”)

More than two-thirds of organizations surveyed for the “2021 State of the Phish” report said they have two hours or less per user per year to make an impact on their users’ behavior. And phishing is only one component of a security awareness program, with many compliance regulations, privacy laws and topics like cloud applications and data protection also needing attention. 

Figure 2. More organizations are conducting more frequent and formal security awareness training sessions, with over 80% conducting at least quarterly training (Source: “2021 State of the Phish”)

That’s why making the best use of your limited training time is critical. Our annual “State of the Phish” survey shows that security awareness cadences are increasing each year. That’s good news, as phishing awareness skills tend to fade 4-6 months after education, according to a German study. Ongoing program engagements can help to improve the retention of phishing skills. 

Let’s look at three areas of strategy—the right people, right education and right response—for increasing phishing awareness. With these core pillars driving your program, you can significantly and positively impact your organization’s risk posture.

Finding the right people 

All employees should have ongoing phishing simulations and education to keep their skills sharp. We recommend simulations at least every 4-6 weeks for all users. But sometimes, supplemental phishing education is needed for riskier users. 

CTA: Take a deeper dive into phishing simulations

Traditionally, phishing awareness programs focus on the risk of users who have engaged with phishing simulations. That’s a good start. But when organizations understand data about who is being targeted or engaging with actual attacks, it means they can focus their program on real risk. 

Proofpoint takes a new and fresh approach to security education initiatives by using real data from your email environment through our Targeted Attack Protection Guided Training integration. We employ the data from our advanced email security product to identify the riskiest people—or Very Attacked People (VAPs)—in your organization based on how they’re being targeted, threat actor sophistication, type of attack and overall attack volume. Each person gets a score and an overview of all the threats targeting them. 

Figure 3. Sample data from a VAPs report in the Proofpoint Targeted Attack Protection advanced email security dashboard

If this integration isn’t available to you, work with your email security team to find data about people being attacked or those who have fallen for actual phishing attacks. That way, you can focus your phishing awareness program on the people who need it most.

Providing relevant phishing education with impact

Attackers are constantly using new templates, lures and techniques to try to trick users. You can target users who are very attacked by real phishing attacks with actual templates seen by Proofpoint threat intelligence; that can help increase the relevance of your user assessments and education.

Figure 4. Examples of Proofpoint phishing simulation tool templates

Phishing simulations are primarily assessments—and an indication to users that they’re vulnerable to these attacks. The landing page that prompts users when they engage with simulations usually stays open for no more than a few seconds, however. 

An educational component can help improve retention and teach skills to spot phishing attempts, like double-checking the sender and hovering over and examining links for legitimacy. An example of this type of education is our Attack Spotlight content. We look at real phishing lures affecting organizations and then build a short educational module (about two to three minutes) around a specific threat. 

Figure 5. Example of educational module in Proofpoint Attack Spotlight content

We can also help you maximize your annual security awareness time budget with education that focuses only on those users who fall for a phishing simulation or who have engaged with or been targeted by a real phishing threat.

Make sure the phishing awareness content you use suits your organization’s style, whether it’s more corporate or humorous. And customizing the content, so you can tailor wording and imagery and even add links to policies, will help improve the relevance and impact of your user education.

Finally, if your organization is multinational, be sure to provide localized and translated content for users in different countries. A best practice is to identify a reviewer in each region and have them review the content in advance to make sure the template or education will suit the target audience.

Give users tools to respond to phishing attacks

Avoiding phishing attacks is good, but having users actively reporting phishing attacks is even better. In phishing awareness programs, the “click rate”—or the percentage of users who click/fail a phishing simulation—is a popular reporting metric.

We highly recommend implementing a phishing reporting tool that lets users essentially become a part of the IT security team. Not only do these tools help reduce vulnerability, but they also provide a deeper understanding of user behavior. Accurate reporting of a potential phish means your users not only recognize what to avoid, but they also know what to do when they see a suspicious message.

Figure 6. Examples of high reporting rates and low failure rates

There’s a lot to read about metrics and benchmarks for security awareness training. But a general rule of thumb for high-performing programs is to consistently have less than 5% of users fall for a simulation, but over 70% of users report it with the email reporting tool.

Is your phishing awareness program working?

You’ve followed the best practices, conducted timely simulations, provided education, hosted in-person webinars, sent out emails and even implemented consequences for phishing simulations. But if you’re still struggling to move the needle and reduce user phishing vulnerability, we’re here to help.

With the People Risk Assessment from Proofpoint, you’ll learn:

• Which users have the best and worst security knowledge
• How your organization’s score compares to others in your industry
• Detailed information on your people-centric risk posture broken down by department, region and more

This free assessment can get you on the path to security awareness and phishing awareness success.

Learn more about the People Risk Assessment here.