Methods of conducting training and awareness

As we begin to think about training and awareness, we need to compile the methods we intend to use to conduct outreach:

  • Include specific phishing training as part of your yearly information security training:
    • If you don't conduct yearly training, start
  • Develop a cycle for communicating with your entire user base through an email newsletter:
    • Develop a plan where a certain number of these newsletters are used to deliver targeted phishing awareness training
  • Conduct phishing exercises:
    • Utilize automated tools that allow you to test your user base for their awareness of phishing threats. These tools should allow you to:
      • Import your user population from your user directory instead of manually inputting them into the tool
      • Build multiple campaigns so that you can target different user groups at the same time
      • Track users who get exploited as part of the training so that they can be scheduled for additional training

Users should not be treated negatively if they are determined to need additional training. The process should be positive, and the users should feel that they are learning a new skill instead of feeling that they are being reprimanded.