How to integrate phishing campaigns into security awareness
November 28, 2022
Phishing campaigns are a part of most security awareness programs. While not necessarily required for audits such as SOC 2, phishing simulators are often bundled with security awareness and owned by the same group. This bundling makes sense as phishing prevention is a major goal of security awareness and phishing is a topic of virtually all security awareness training programs.
But reducing risk is only one reason why companies run phishing campaigns with their employees. As others have pointed out, phishing campaigns provide a useful human-risk (or human-security) metric that can be tracked and reported over time. Security awareness training completion rates and test scores are also metrics, but they are far less valuable as a measure of human risk.
Phishing campaigns can also reduce your cyber liability insurance premiums. This may not be the best security reason to run phishing campaigns, but it is one reason why some companies choose to run phishing simulations.
Whether you’re buying a phishing simulator from your security awareness training vendor with security awareness training or you’re adding a phishing simulator to your existing security awareness program, what are the best practices for how to integrate phishing campaigns into your overall security awareness training program?
This is something we talk to companies about a lot. Up until recently, Haekka did not have a phishing simulator so Haekka customers that leveraged us for security awareness training, in-app security nudges, risk surveys, and weekly Streams would have to buy a phishing simulator from another vendor. In case you’re curious, KnowBe4 and Proofpoint were the most commonly used phishing simulator vendors by our customers. Haekka now offers a phishing simulator that delivers phishing campaign kudos and teachable moments in Slack. Whether companies use security awareness training and a phishing simulator from the same vendor or not, there are a few best practices we recommend for integrating phishing into your security awareness program.
👁 Transparency
Talk to employees about phishing campaigns before you launch them. Explain the purpose and the mechanics of how campaigns work. Tell employees who the phishing simulation vendor is if you are using a vendor. And give them a clear path to ask questions or voice concerns. The last thing you want to do is surprise employees about phishing campaigns. Telling employees you are going to be running phishing campaigns does not jeopardize the effectiveness of the campaigns.
📢 Proactive Communications
Communication about phishing campaigns is not a one-and-done thing. You should ideally engage employees about phishing campaigns on a regular basis. One good idea we’ve seen several companies use is to cover phishing simulation itself in their security awareness training content.
🏆 Kudos
All too often, teaching in phishing simulations is only done when somebody fails a phishing simulation (clicks a link, enters credentials, etc.). Instead, why not send a note acknowledging positive security behavior during a phishing simulation? We believe so strongly in this that the Haekka Phishing Simulator does this by default.
👩‍💼 Unified Profile
This last one is the hardest, especially if a company is using separate vendors for phishing simulation and security awareness training. Ideally, employees have a single profile where they can quickly get a snapshot of their status with regard to both security awareness training and phishing campaigns. Having multiple profiles increases the likelihood that employees won’t bother using either one.
---
The above are simple steps you can take to create a seamless and frictionless experience for employees who need to complete security awareness training and phishing campaigns. If you have feedback or questions about phishing simulators, security awareness training, or how to use both to build an effective security awareness program, please reach out.