How We Built a Phishing Platform That Is Actually Effective

By Mike Polatsek
September 20, 2018 · 4 MIN READ

I’m going to tell you something that you likely already know—running a great phishing simulation program is not often easy. As CybeReady’s CEO, I’ve taken part in the design, deployment, and management of hundreds of anti-phishing campaigns. We’ve certainly made a few mistakes along the way, and not every simulation has been equally successful.

That said, every campaign I’ve been involved with has taught me and our company a number of valuable lessons that we’ve applied for the benefit of our customers. In other words, there’s always a little ‘good’ to go along with the ‘bad’ and even the downright ‘ugly’ phishing simulations. I’d like to share some of the lessons we’ve learned, and hope that they’ll save you the pain of going through them yourself.

It only seems easy

At some point after rolling out a training program, you start wondering what results you need to obtain from the phishing platform, to prove you’ve run an effective or successful anti-phishing campaign. Most phishing training programs are considered effective if they lower the simulation click rate. But this definition of success speaks more to the complexity of the simulations used at a given period of time than about their actual effectiveness. It also puts some pressure on you, the person running the program, to lower test difficulty to prove its success. But it’s important to remember that while easier simulations may lower the click rate, they rarely improve the ‘phishing IQ’ of your employees.

It’s all in the details

It’s only once you deploy the simulation that you can tell if it’s been effective. Unfortunately, there’s no way to avoid the steep learning curve that everyone managing anti-phishing campaigns must face. There’s an old saying that applies here: “Learn from the mistakes of others. You can never live long enough to make them yourself.”

By learning from phishing simulations gone awry, you can at least smooth out the learning curve. This knowledge can take you one step closer to simply knowing what works best rather than searching in the dark for answers.

It rarely works as advertised

There are countless examples of products that look good on paper, only to disappoint us when we take them out of the box. It’s often true when it comes to anti-phishing solutions that are described in glossy brochures or on websites.

The sad truth is that integrating a solution is rarely as easy as the salesperson selling it said it would be. There is always another thing to do—installing a service or a server, configuring some internal systems, or even just defining a work plan that you can stick to. These may all seem to be minor inconveniences when you’re considering the purchase of a solution. But minor irritations can quickly evolve into major annoyances when you’re actually implementing a new system.

The past informs the present

As I mentioned above, these hard lessons certainly weren’t learned overnight! They were received in the course of running hundreds of anti-phishing campaigns. There’s no denying that we’ve taken a few missteps and wrong detours along the way.

So when we set out to create a learning automation platform that would allow any organization to conduct a successful campaign, we knew that we had to design it with our hard-earned wisdom in mind, and based on the following three values:

Running a successful phishing simulation program may never be a particularly easy task. But armed with the right knowledge—and the right partner—you can substantially lower your learning curve. I hope our hard-earned lessons and experience from past campaigns will help you see more ‘good’ and less ‘ugly’ from your security training efforts.


Mike Polatsek is CybeReady CEO and co-founder.
