Our customers run between 40–80 phishing simulations a year, and yet it only takes them about an hour each quarter. Why? We’ve developed a state-of-the-art learning automation platform that saves time and conserves security teams’ limited resources. But even if you aren’t one of our current customers, we’d like to share some tips on how to efficiently run your phishing campaigns while avoiding some common mistakes that cost time and produce less-than-desirable results.
1. Start simple
Our experience has shown us that security tests that are easy to understand yield better engagement. We suggest keeping these three points in mind when you are designing a simulation:
Easier simulations bring everyone on board. Employees are bound to talk to each other about your campaigns, so if they’re too difficult, the news will get around and bias the results. Knowing this, make it a priority to create simulations that allow employees to experience success. As in life, the occasional failure is okay—but it shouldn’t be the result of simulations that are too difficult to understand.
Set attainable standards. Try to develop simulations that are moderately challenging; if you create a test that is incomprehensible, negativity and self-doubt will set in. It kills employee motivation. They won’t engage—and therefore don’t learn anything from the experience.
Don’t worry if a simulation seems banal to you. Don’t forget that you possess a specialized level of knowledge that is not shared by your company as a whole. It’s okay if a few of your employees find a particular test easy. Your goal in your initial campaigns is to capture high-quality data upon which to build your future phishing simulations, not to capture the outliers in your organization.
As an added bonus, easier simulations are less difficult to create, and therefore require far less of your security teams’ precious time and resources.
2. Reuse and recycle
Let’s face it: it’s unlikely that a phishing simulation will ever be referred to as a work of art. There are limits to the amount of creativity you’ll be able to show in a new campaign. Remember, practicality is more important than originality; the point of a simulation is to foster understanding of the problem at hand.
Unless you’re lucky enough to be the Mozart or Giacometti of the cybersecurity world, you probably aren’t drawing from a limitless well of inspiration. You’ll run out of ideas sooner or later and this will take its toll and consume growing amounts of your time. So set reasonable expectations, and don’t use all of your great concepts in the first or second campaign.
Remember, learning is about practice. To put it in golf terms, it’s all about ‘repeating the stroke.’ So put aside any fears that reusing content will encourage cheating; the nature of cheating still gets employees talking to each other about phishing, which stimulates learning. And this is the entire point of conducting security tests.
That said, be smart and selective about the content you decide to reuse. Use good metrics to drive your decisions. Keep this in mind, and you’ll save time by ‘modularizing’ your content, and make your content management far easier.
3. Drip, don’t flood
Everybody has their limits, including your employees and IT department. It’s important not to oversaturate them with simulations. There are many downsides to doing so. It creates a high load on IT and can stretch their already taxed resources. It also leads to cognitive overload for employees—possibly inducing a state of panic. As mentioned earlier, employees will talk among themselves. And if they collectively feel bombarded by simulations, they’ll develop test anxiety and an accompanying fear of failure.
By deploying simulations at a steady drip rather than a flood, you relieve test anxiety. Instead of reacting to a one-time event (e.g., one day of the month) and then forgetting about it once the initial chaos dies down, a slow and steady pace gets your employees talking about phishing on a more consistent basis, which is crucial for organizational learning. You’ll save time and avoid losing a learning opportunity.
4. Get everyone on board
There’s an understandable temptation to focus a new phishing simulation campaign on specific departments or groups within your company. Sending an IT-related simulation to your IT personnel, or a test in the guise of customer feedback to your marketing team makes sense on paper. Who wouldn’t want to use the most appropriate ‘bait’ for a particular situation?
Unfortunately, this approach has the tendency to create a backlash and may not yield the results your security team is seeking. You’re only getting one small part of the overall picture. It also takes a lot of time to create targeted simulations of this nature without relevant metrics to back up your assertions.
To avoid siloing, it’s essential to keep in mind that your employees are, first and foremost, human beings. Their lives aren’t compartmentalized—they bring a variety of personal and professional concerns with them to work each day. Any of these dimensions can be a phishing target.
That’s why we recommend that the simulations you send at the outset of a campaign be of a more general nature. For example, a test email that mentions changes in your company benefits or vacation policies is bound to generate more interest—and valuable data—than a message that only has relevance for supervisors in a single department. Siloed campaigns not only engage fewer employees but also result in much more work for your security team. Creating and managing custom distribution lists and simulations will quickly drain your team’s resources.
Remember: It will take, on average, 3-4 phishing simulation campaigns to gather and analyze the information you’ll need to identify any patterns that are worth following. Only then will you be able to make informed—and time-efficient—decisions about whether you need to target specific groups with future simulations.
5. Create engaging content
It may seem obvious, but we can’t emphasize it enough—all the planning in the world won’t make your phishing simulation a success if your employees are simply looking past the content. You need them to engage. That means producing security awareness training material that is both dynamic and concise.
Your simulations should be appropriately localized. They should also change with every campaign, as repeating the same message will result in glazed-over expressions rather than actionable intelligence. So make it a point to focus on exactly what your employees need to do.
Here’s a good rule of thumb: make sure your content can be consumed in a minute or less. That’s the window you have to engage your employees before they’ll tune out. So keep your training material short and to the point. Invest in quality rather than quantity right from the start by creating material that is easy to update. You’ll substantially cut down the amount of time and resources you need to devote to content production—now, and in the future.
Prepare to succeed
By using these best practices, you can ensure that your next phishing simulation campaign is a success. You’ll develop helpful metrics, capture meaningful data, and stimulate sustainable organizational learning about the threat that phishing poses. Be sure to read our last post to learn more about mistakes to avoid when running simulations.
