I was at a conference not long ago that devoted much of its time to simulated phishing attacks as a training method. I heard a vendor say, with pride, that it takes approximately 12 to 18 months of running simulated attacks across an organization before you see a decline in the number of people who fall for phishing. All I could think was: 12 to 18 MONTHS?! I would NEVER want to leave my organization exposed to that kind of risk for that long when the users clearly do not understand what risky behavior with email looks like. It gave me déjà vu from my son's middle school days. Companies are using simulated attacks (the equivalent of tests and quizzes) as the vehicle to train users, or to force them into on-the-spot training at the moment they click, and that approach has proven ineffective for a number of reasons. Much like my son, how can users be expected to change their behavior and learn from their mistakes if their "educators" are not investing in them and teaching the concepts they are being tested on?
Don't get me wrong, simulated phishing attacks are a key component of any cybersecurity education program, but they cannot be the only component. They are necessary to baseline your organization, measure the effectiveness of the education you provide to your users, and monitor your organization's exposure to risky behavior. But if you want to change your users' behavior, you must also educate them:
- Teach them what to look for in emails.
- Educate them on the bait and hooks criminals use.
- Use a teaching method that is engaging, relevant, and interesting.
You will not be disappointed. You will see a change in behavior across your user base, and you will see it almost immediately, not in 12 to 18 months.