You’ve done it: The procurement process is finally over. Your new security awareness vendor sends you a link to your software, and the world is yours. You’re ready to start phishing users, gathering data, assigning training, and using all the amazing features and content you’ve seen from your product demos.
You send out the announcement about your security awareness programme and suddenly your inbox is flooded with emails back from users:
- Who approved this exercise?
- I’m talking to my VP about this!
- Do I really need to do this?
This is the first of several common obstacles we hear about from customers. This post aims to prepare you for them, and also to show the silver linings you can take advantage of for a successful security awareness programme.
Getting User Buy-In for a Programme
A common theme we hear from customers is that some users do not want to be involved in security awareness training. The simulated attacks can make users feel vulnerable, and the training can feel like just another corporate exercise and a distraction from work.
Here are some ways to overcome this common obstacle:
- Communicate with user benefit in mind: When you’re drafting user-facing communications, be cognisant of the “What’s in it for me?” question users will be asking themselves. Bring up real-world examples like identity theft, stolen credit cards, account breaches, and other stories that show how the training will help users in their personal lives. This makes the programme more relatable and improves participation.
- Balance assessments and training: Simulated phishing assessments are very popular components of programmes, but they can be overused. Many customers we’ve spoken to have talked about the need to balance assessments, training, and awareness activities. As one customer I spoke to mentioned, “When I only send out phishing simulations, users think we’re trying to trick them.” Mix simulations with training, and round both out with awareness activities such as contests.
- Have a friendly face at company events: Computer-based assessments and training can come off as impersonal. Having a booth at large company events like an employee kick-off, or setting up learning events and providing resources like tips, swag, or even just coffee, gives users a more personal connection. It also puts a face and a name to the programme.
Expect Different User Personalities and Have a Plan to Address Them
Two user types we often hear from customers are:
- Repeat offenders: Users who continuously fail assessments like phishing simulations
- Non-participators: Users who refuse to participate in training
If you have tried everything in addressing these two common user types – emails, in-person chats, discussions with managers, or even taking away network access – and you still can’t change behaviour, it is not the end of the road.
One customer we talked to shared an effective strategy for working with these users. Their CISO personally scheduled 15 minutes on these users’ calendars to talk to them about:
- The importance of user behaviour and security awareness
- How the department is trying to help protect the company and users in personal situations
- Asking for the employee to be more vigilant or participate in training to help
This kind of interaction leaves a strong impression: a personal connection drives home the importance of good behaviour and encourages stronger participation.
Double-Edged Sword: Users Reporting Phishing Emails
At Proofpoint Protect 2019, Proofpoint’s annual conference, a customer raised his hand after my presentation: “My users don’t report phishing emails to our abuse mailbox. It’s all spam or legitimate messages. Our team can’t keep up. How should we handle this?”
Abuse mailboxes are a great way to reduce risk; however, they are notoriously time-consuming to manage. There are two ways to address this common obstacle.
We regularly see that 6-12 months after a consistent security awareness programme is implemented and users are trained to identify phishing emails, the share of spam and legitimate messages reported to the abuse mailbox drops. Users become more likely to report genuinely malicious messages, which reduces the false positives the team has to work through.
The other solution is automated email analysis and response: reported messages are automatically analysed and enriched using sandboxing and threat intelligence. This reduces IT overhead by automatically removing malicious content from end-user inboxes or closing cases for legitimate or spam messages. Cases should only be closed automatically when the verdict is high-confidence; a low-confidence or unknown disposition still belongs with an analyst. A further benefit is that users can receive customised feedback based on the message disposition, so they learn whether what they reported was malicious. This educates users and strengthens security culture by thanking them for reporting genuinely malicious content.
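To make the automated triage loop concrete, here is an added example (not Proofpoint code, and not any specific product’s logic) of the minimal pipeline such a system runs for each reported message: parse the raw message, extract URLs and attachment hashes, match them against indicator lists, pick a disposition and action, and produce the feedback sent back to the reporter. The indicator lists, the sample reported messages and the `example.test` names are all constructed for the example; in a real deployment the matching step would be replaced by sandbox detonation and threat-intelligence lookups.

```python
"""Minimal triage of a user-reported message (added example, not Proofpoint code).

Assumptions (hypothetical): a reported message arrives as raw RFC 5322 bytes,
and "enrichment" is reduced to matching extracted URLs and attachment hashes
against small constructed indicator lists that stand in for sandbox verdicts
and threat-intelligence feeds.
"""
from __future__ import annotations

import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# Constructed indicators (placeholders for real threat-intel / sandbox verdicts).
MALICIOUS_URL_PATTERNS = [re.compile(r"https?://login-verify\.example\.test/", re.I)]
MALICIOUS_SHA256 = {hashlib.sha256(b"MZ\x90\x00fake-malware-sample").hexdigest()}
SPAM_SENDER_DOMAINS = {"deals.example.test"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# Feedback text keyed by disposition; the "malicious" branch thanks the reporter.
FEEDBACK = {
    "malicious": "Thank you! The message you reported was malicious and has been removed from all mailboxes.",
    "spam": "Thanks for reporting. This was unwanted marketing mail, not an attack; you can delete it or mark it as junk.",
    "legitimate": "Thanks for reporting. We checked and this message is legitimate; it is safe to act on.",
}


def extract_urls(msg: EmailMessage) -> list[str]:
    """Collect URLs from every text part of the message (multipart containers are skipped)."""
    urls: list[str] = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            urls.extend(URL_RE.findall(part.get_content()))
    return urls


def attachment_hashes(msg: EmailMessage) -> dict[str, str]:
    """Map attachment filename -> SHA-256 of the decoded attachment bytes."""
    return {
        part.get_filename() or "unnamed": hashlib.sha256(part.get_payload(decode=True)).hexdigest()
        for part in msg.iter_attachments()
    }


def triage(raw: bytes) -> dict:
    """Return the disposition, the automated action to take, and the feedback to send the reporter."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    urls = extract_urls(msg)
    hashes = attachment_hashes(msg)
    sender_domain = str(msg.get("From", "")).rsplit("@", 1)[-1].rstrip(">").strip().lower()

    # Indicator hit on an attachment hash or a URL -> malicious: pull every copy from inboxes.
    if any(h in MALICIOUS_SHA256 for h in hashes.values()) or any(
        p.search(u) for u in urls for p in MALICIOUS_URL_PATTERNS
    ):
        disposition, action = "malicious", "quarantine_all_copies"
    # Known bulk-mail sender -> spam: no threat, close the case.
    elif sender_domain in SPAM_SENDER_DOMAINS:
        disposition, action = "spam", "close_case"
    # Nothing matched -> treated as legitimate here; a real system would send
    # unknown URLs/attachments to a sandbox before closing the case.
    else:
        disposition, action = "legitimate", "close_case"

    return {
        "disposition": disposition,
        "action": action,
        "urls": urls,
        "attachments": hashes,
        "feedback": FEEDBACK[disposition],
    }


# Constructed sample reports (not real messages).
PHISH_REPORT = b"""From: IT Helpdesk <helpdesk@example.test>
To: alice@example.test
Subject: Password expiry notice
Content-Type: text/plain; charset="utf-8"

Your password expires today. Renew at https://login-verify.example.test/reset?u=alice
"""

NEWSLETTER_REPORT = b"""From: Deals <promo@deals.example.test>
To: alice@example.test
Subject: Weekend sale
Content-Type: text/plain; charset="utf-8"

20% off everything this weekend: https://deals.example.test/sale
"""

LEGIT_REPORT = b"""From: HR <hr@example.test>
To: alice@example.test
Subject: Benefits enrolment
Content-Type: text/plain; charset="utf-8"

Enrolment is open until Friday at https://hr.example.test/benefits
"""


def build_attachment_report() -> bytes:
    """Construct a sample report carrying the fake 'malware' attachment as a base64 part."""
    m = EmailMessage()
    m["From"] = "accounts@example.test"
    m["To"] = "alice@example.test"
    m["Subject"] = "Invoice"
    m.set_content("Please see the attached invoice.")
    m.add_attachment(b"MZ\x90\x00fake-malware-sample", maintype="application",
                     subtype="octet-stream", filename="invoice.exe")
    return m.as_bytes()


if __name__ == "__main__":
    for raw in (PHISH_REPORT, NEWSLETTER_REPORT, LEGIT_REPORT, build_attachment_report()):
        result = triage(raw)
        print(result["disposition"], result["action"], "->", result["feedback"])
```

The ordering of the checks matters: indicator hits are evaluated before the sender-based spam rule, so a phishing lure sent through a known bulk-mail domain is still quarantined rather than closed as spam.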
Follow our blog as we provide free guidance on how to build a successful security awareness training programme. On April 23, Proofpoint held a webinar with SecureWorld: Obstacles and Opportunities You’ll Face with Security Awareness Training. Watch the webinar here.