How We Built a Phishing Platform That Is Actually Effective

I’m going to tell you something that you likely already know—running a great phishing simulation program is not often easy. As CybeReady’s CEO, I’ve taken part in the design, deployment, and management of hundreds of anti-phishing campaigns. We’ve certainly made a few mistakes along the way, and not every simulation has been equally successful.

That said, every campaign I’ve been involved with has taught me and our company a number of valuable lessons that we’ve applied for the benefit of our customers. In other words, there’s always a little ‘good’ to go along with the ‘bad’ and even the downright ‘ugly’ simulations. I’d like to share some of the lessons we’ve learned, and hope that they’ll save you the pain of going through them yourself.

It only seems easy

At some point after rolling out a training program, you start wondering what results you need to obtain to prove you’ve run an effective or successful anti-phishing campaign. Most phishing training programs are considered effective if they lower the simulation click rate. But this definition of success speaks more to the complexity of the simulations used at a given period of time than about their actual effectiveness. It also puts some pressure on you, the person running the program, to lower test difficulty to prove its success. But it’s important to remember that while easier simulations may lower the click rate, they rarely improve the ‘phishing IQ’ of your employees.

It’s all in the details

It’s only once you deploy the simulation that you can tell if it’s been effective. Unfortunately, there’s no way to avoid the steep learning curve that everyone managing anti-phishing campaigns must face. There’s an old saying that applies here: “Learn from the mistakes of others. You can never live long enough to make them yourself.”

By learning from phishing simulations gone awry, you can at least smooth out the learning curve. This knowledge can take you one step closer to simply knowing what works best rather than searching in the dark for answers.

It rarely works as advertised

There are countless examples of products that look good on paper, only to disappoint us when we take them out of the box. It’s often true when it comes to anti-phishing solutions that are described in glossy brochures or on websites.

The sad truth is that integrating a solution is rarely as easy as the salesperson selling it said it would be. There is always another thing to do—installing a service or a server, configuring some internal systems, or even just defining a work plan that you can stick to. These may all seem to be minor inconveniences when you’re considering the purchase of a solution. But minor irritations can quickly evolve into major annoyances when you’re actually implementing a new system.

The past informs the present

As I mentioned above, these hard lessons certainly weren’t learned overnight! They were received in the course of running hundreds of anti-phishing campaigns. There’s no denying that we’ve taken a few missteps and wrong detours along the way.

So when we set out to create a learning automation platform that would allow any organization to conduct a successful campaign, we knew that we had to design it with our hard-earned wisdom in mind, and based on the following three values:

  • Proven effectiveness: If you can’t see what you’re getting from our platform, we can’t say it’s working. To achieve this goal of transparency, we needed to create new metrics that go beyond the click rates that don’t tell the whole story. We accomplished this by first creating a measure of simulation difficulty. This required us to go beyond the limitations of ‘gut feelings’ by utilizing advanced machine learning algorithms to draw meaningful conclusions from the data. We also created some metrics to track data on ‘serial clicking’ and employee resilience. This information allows our customers to have a better idea where they stand in relation to their phishing training goals.
  • Zero effort: Creating a no-effort solution took us away from a focus on providing a laundry list of features and toward a more customer-centric approach where each feature is evaluated based on the effort it requires from a customer. By doing this we were able to create a low-touch, highly effective platform that customers are able to deploy within days—not months.
  • Actionable intelligence: We are true believers in learning from our mistakes and those of others. And our platform allows our customers to do exactly the same. When a customer launches a new anti-phishing campaign, it already incorporates the knowledge gleaned from our past experience and the advanced algorithms that allow a simulation to adapt to a customer’s needs—transforming any campaign into a successful one.

Running a successful phishing simulation program may never be a particularly easy task. But armed with the right knowledge—and the right partner—you can substantially lower your learning curve. I hope our hard-earned lessons and experience from past campaigns will help you see more ‘good’ and less ‘ugly’ from your security training efforts.


Mike Polatsek is CybeReady CEO and co-founder.