Cybercriminals have many ways to try to trick people into revealing or granting them access to sensitive information, and their methods—and tools—are always evolving. Businesses and organizations of all stripes often turn to phishing exercises to raise awareness among their team members of the prevalence of the problem, teach them to spot and report the warning signs, and help leaders pinpoint and shore up weaknesses in their defenses.
For a phishing exercise to be effective, it must be planned carefully, executed wisely and followed up with thoughtful actions that build on the lessons learned. Here, members of Forbes Technology Council share strategic steps to take both before and after a phishing exercise to ensure it has a positive, strong and long-lasting impact.
1. Assess Employees’ Current Knowledge Levels
Before a phishing exercise, conduct a baseline assessment of employees’ current knowledge, using surveys or quizzes to gauge awareness. This data will help you tailor post-exercise training that addresses specific gaps. Personalized feedback based on the results of both the assessment and the phishing test is key to ensuring continuous improvement and building a stronger security culture. – Roman Vinogradov, Improvado
2. Audit Common Recent Threats
Before conducting a phishing exercise, audit the most common threats your organization has been targeted with in the past six months. Use this data to structure targeted training campaigns addressing specific, prevalent risks. This tailored approach ensures your security awareness program tackles the most pressing and relevant issues. – Patrick Harr, SlashNext
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
3. Provide Training Before The Test
One crucial step to ensure the effectiveness of a phishing exercise is to provide comprehensive training before the test. Educate employees on identifying threats, such as suspicious emails, links and devices. After the exercise, follow up with targeted training based on the test results, and collaborate with internal and external security teams to address any vulnerabilities. – Aliasgar Dohadwala, Visiontech Systems International LLC
4. Leverage Relevant, Real-World Examples
Anchor your phishing spoofs in recent, relevant, real-world examples of similar attacks and the subsequent outcomes. Otherwise, your deception becomes the employee’s only frame of reference, and they lose trust. – Barry Cousins, Info-Tech Research Group
5. Start Simple, Then Gradually Escalate The Complexity
It is imperative to execute the phishing exercise systematically, commencing with elementary attempts and gradually escalating the complexity of the phishing endeavors. This method enables employees to cultivate resistance over time and pinpoint specific areas that require fortification. – Cristian Randieri, Intellisystem Technologies
6. Ensure A Low-Risk Reporting Process
One key step to ensure a phishing exercise is effective and drives change is to make the follow-up reporting process safe and low-risk for employees. By removing the fear or shame of failure, you encourage honest feedback and openness, which creates a culture of learning and accountability. This approach allows employees to focus on improving their security awareness without feeling penalized. – Christopher Konrad, World Wide Technology
7. Make It An Educational, Rather Than A ‘Gotcha,’ Exercise
Phishing exercises are a great way to make security training feel “real.” No one thinks they’ll take the bait, and when they do, it’s a wake-up call. Make the event fun, and focus on the education part. This should not be a “gotcha” exercise—smart people can be tricked. People truly start paying attention when they realize that anyone, including themselves, can be fooled. – Ann Westerheim, Ekaru
8. Conduct Debriefing And Targeted Training Afterward
To ensure a phishing exercise is effective, conduct a post-exercise debrief and targeted training. Review the results, identify employees who are vulnerable to phishing and offer tailored education to strengthen awareness. This step helps address security gaps, reinforce safe behavior and foster a proactive cybersecurity culture, ensuring the exercise drives real, lasting improvements. – Muneeb Tabani, SIHA Health and Wellness (Pvt.) Ltd.
9. Give Hands-On Practice On A Variety Of Threats
Practice is crucial! Cybersecurity threats come in many forms, from phishing emails to executive impersonation, and it’s vital that employees recognize them. While formal training is valuable, hands-on practice spotting threats and making quick, informed decisions is what truly leaves a lasting impression. – Matthew Polega, Mark43
10. Provide Individualized Feedback
Giving employees who were duped by a phishing effort individualized feedback is a crucial step after the test. Describe what they didn’t see and how to recognize potential dangers. This phase is critical because it transforms the exam into a teaching tool that helps staff members learn from their errors and raises the company’s general security awareness. – Ashok Manoharan, FocusLabs
11. Pair Education With The Right Defensive Tools
To ensure a phishing exercise is effective, companies should follow up with strategic investments in cybersecurity tools to help block malware directly, such as remote browser isolation. Cybersecurity training alone isn’t enough, as employees can still fall victim to attacks. Pairing education with the right tools creates a holistic strategy for reducing risks and enforcing needed changes. – Prashant Ketkar, Parallels (part of Alludo)
12. Gather Employee Feedback
After the exercise, gather employees’ feedback on their experience and perceptions of the phishing test. This can provide valuable insights and help you identify any communication gaps or areas for improvement. By actively engaging employees in the process, you can foster a guilt-free culture of learning and security awareness. – Thomas Griffin, OptinMonster
13. Integrate Findings Into Your Incident Response Plan
To make a phishing exercise effective, integrate the findings into your incident response plan. Analyze details such as who fell for it and the reactions of the employees—did they report what happened promptly? Use this data to fix gaps in response procedures. By refining your plan based on real behaviors, you strengthen resilience to real attacks and promote proactive security awareness. – Suri Nuthalapati, Cloudera
14. Update Your Onboarding Processes
Leverage the results to update your onboarding processes. Use insights from the test to create more effective security training for new hires. By integrating lessons learned into your onboarding, you ensure that best practices are ingrained from day one, creating a stronger foundation for your company’s overall security culture and reducing vulnerabilities introduced by new team members. – Marc Fischer, Dogtown Media LLC
15. Continue Regular Testing
It is extremely important to conduct phishing tests after training to practice what has been learned and to evaluate how well employees recognize the risks. Tests must be realistic, variable and regular. Constructive feedback after each test is important to encourage learning. The best way to mitigate the threat of phishing is by keeping everyone, including business leaders, alert. – Matthias Pfau, Tuta