Mind the Gap in Your Phishing Simulation Data

Every organization that sends phishing simulations to its employees is keen to get its click rate down and the reporting number up. But are you minding the gap – the people taking no action at all? This behavior requires its own communications focus to keep the real phish at bay. Before Cybersecurity Month begins, let me offer some free advice!

Here’s a typical scenario when it comes to phishing simulations:

Yay! You’ve reached your goal! Your phishing simulation click rate is within an acceptable range for your organization and your industry. Sure, we all want it to be zero, but you feel pretty good about driving the click rate down!

The next bit is good too. You’re seeing some upswing in the number of employees who recognize your tests as phishing…and they are smashing that Report Phish button.

You’ve now got some excellent positive data. Congratulations!

Now let’s see what’s left in that big ol’ gap:

How many employees left your email unopened? Did they delete it? Did they see it, then ignore it? Did they just leave it in their inbox since it will expire in X days anyway? Most simulation platforms only tell you who clicked and who reported; everyone else lands in the same undifferentiated bucket.

You don’t know what you don’t know. And that is NOT good.

After all, people who don’t report a phishing test probably won’t report a real phishing email either. And that’s where the real problems can start.

If a real phishing email slips through your email filter and employees don’t report it, you won’t know it’s swimming around in your system, your data is potentially at risk, and you can’t send an alert to warn employees, pull the message from other inboxes, or take other protective actions.
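To make the gap visible rather than just talking about it, the script below is an added example (not code from the original post or from RNB) that takes a per-recipient event log from a phishing simulation and classifies every recipient into one outcome, so the no-action cohort can be counted and broken down by department. The event names (delivered, opened, clicked, reported, deleted) and the sample rows are constructed for illustration; your platform's export will use its own column names, and many platforms do not report deletions at all. One caveat a practitioner should keep in mind: "opened" is usually measured with a tracking pixel, which image blocking can suppress and mail privacy features can fire automatically, so treat the unopened versus opened-and-ignored split as approximate and the combined gap number as the one to act on.

```python
from collections import Counter, defaultdict

# Constructed sample export (not real telemetry): (recipient, department, event).
# A recipient may appear in several rows, one per event the platform recorded.
SAMPLE_EVENTS = [
    ("alice", "finance", "delivered"), ("alice", "finance", "opened"),
    ("alice", "finance", "clicked"), ("alice", "finance", "reported"),
    ("bob", "finance", "delivered"), ("bob", "finance", "opened"), ("bob", "finance", "clicked"),
    ("carol", "finance", "delivered"), ("carol", "finance", "opened"), ("carol", "finance", "reported"),
    ("dave", "finance", "delivered"), ("dave", "finance", "opened"),
    ("erin", "finance", "delivered"),
    ("frank", "engineering", "delivered"), ("frank", "engineering", "deleted"),
    ("grace", "engineering", "delivered"), ("grace", "engineering", "opened"),
    ("grace", "engineering", "clicked"),
    ("heidi", "engineering", "delivered"),
    ("ivan", "engineering", "delivered"), ("ivan", "engineering", "opened"),
    ("ivan", "engineering", "reported"),
    ("judy", "engineering", "delivered"), ("judy", "engineering", "opened"),
]

# Outcomes that count as "took an action" in the post's sense; everything else is the gap.
ACTED = {"reported", "clicked"}
GAP_OUTCOMES = ("opened_no_action", "deleted", "unopened")


def classify(events):
    """Collapse one recipient's set of event names into a single outcome.

    A report wins even after a click (clicking then reporting is the behaviour
    we want to reinforce). "deleted" is an assumed event name; many platforms
    cannot see deletions, in which case those people show up as unopened.
    """
    if "reported" in events:
        return "reported"
    if "clicked" in events:
        return "clicked"
    if "deleted" in events:
        return "deleted"
    if "opened" in events:
        return "opened_no_action"
    return "unopened"


def summarize(rows):
    """Return overall counts, the gap, its breakdown, and per-department outcomes."""
    per_user = defaultdict(set)
    department_of = {}
    for user, department, event in rows:
        per_user[user].add(event)
        department_of[user] = department

    outcomes = {user: classify(events) for user, events in per_user.items()}
    totals = Counter(outcomes.values())
    delivered = len(outcomes)
    gap = sum(1 for outcome in outcomes.values() if outcome not in ACTED)

    by_dept = defaultdict(Counter)
    for user, outcome in outcomes.items():
        by_dept[department_of[user]][outcome] += 1

    return {
        "delivered": delivered,
        "totals": dict(totals),
        "gap": gap,
        "gap_rate": gap / delivered if delivered else 0.0,
        # Only the gap outcomes, so the communications team sees what "no action" is made of.
        "gap_breakdown": {name: totals.get(name, 0) for name in GAP_OUTCOMES},
        "by_dept": {dept: dict(counts) for dept, counts in by_dept.items()},
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_EVENTS)
    print(f"delivered={result['delivered']} gap={result['gap']} "
          f"({result['gap_rate']:.0%} took no action)")
    print("gap breakdown:", result["gap_breakdown"])
    for dept, counts in sorted(result["by_dept"].items()):
        print(f"  {dept}: {dict(sorted(counts.items()))}")
```

On the constructed sample, ten messages were delivered, three people reported, two clicked without reporting, and five (half the population) did nothing the platform could see. That last number, and the per-department split, is what the transparency step below should put in front of employees.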

What can you do?

It’s time to be proactive! Here are some actions to consider to mind the gap…and raise employees’ phishing reporting consciousness even more:

1. Be transparent. Show employees the reporting and inaction data.

2. Explain the gap: what it is and what action (reporting!) is better.

3. Use an anonymous survey or other means to find out the truth about what employees do if they suspect phishing of any kind. Most will say they’d report it. But you know better. Dig deeper.

4. Use those findings to communicate more about the gap, specifically why leaving phish unminded is potentially bad for them and the organization.

5. Repeat, repeat, repeat the importance of reporting any suspicious messages.

6. Continue educating your employees about suspicious signs in email and texts. And warn them that scammers are now using AI to write fluent, error-free messages, so spelling and grammar mistakes are no longer a reliable tell and phishing is even trickier to spot.

7. Celebrate reporting! Publicly recognize employees who successfully report phishing – your tests and any real ones.

Nudging that reporting number upwards may take time. But in the long run, through strong communications, your employees will become stronger phish detectors. And you’ll create a healthier, more secure environment where you all can thrive.

Want some customized help with your security awareness communications? Contact RNB to get started!
