I interviewed some industry experts on this topic last year. Here are a few quotes from the episode.
# The 8 steps to building a phishing awareness security program
04:52 - Study the psychology of an organization

Don’t just measure phishing clicks. Look into what people are more likely to click.

*“Behavioral change is really, really hard to measure, but it's the thing that everybody says they want to do. But if you don't take the time to really invest in it, learn about it and make sure that you have someone dedicated to it, it's easy to say, ‘Hey, I got these many people to click.’ But at the end of the day, when it comes down to phishing, if you study an organization from a psychological perspective, you can pretty much figure out what they will click on. For example, I worked for an organization and we looked at the dark data around phishing. I learned very quickly that people cared about their PTO. And people cared about people acknowledging them, saying good job. Now, if I pushed out something that didn't relate to any of those things, I was less likely to get people to click. But if I pushed out a phishing email that related to someone's PTO or saying, ‘Congratulations, you did such a great job. I want to give you a bonus,’ or something like that, they were more likely to click on it. So with that, it really comes down to knowing your people, knowing the organization that you're phishing and knowing that a one size fits all solution does not work.”*
19:47 - Train for more than compliance
Don’t just get people in a room for training once a year. Raise awareness and train so that people change behaviors and become more security-minded all year long.
*“It’s really touching because we were having lunch one day and someone came over and said, ‘Hey, you told me about looking for emails like this and stuff like that. And I ended up getting one at home and I made sure that I remembered what you said about that.’ And think about that. They're not talking about the company they're supporting, they're talking about a behavior that they were doing at home. But if I can get someone to get into the habit of doing something in their personal life, I can definitely get them to do it at work, because it's already ingrained in their behaviors. So I think that that's why behavioral change and awareness is so important. And training, no matter how good it is, we can have ninjas in it and we can have all kinds of stuff in a training. It's not about the training. It's about how I leverage that training to promote awareness throughout the year so that people can remember it. It takes 7-12 times before someone builds a habit, which means that I can't just tell them it once a year.”*
How to Create Security Training That Sticks
33:09 - Tailor your training expectations with company size

At small companies, it’s easier to get everyone engaged. For larger companies, Zack suggests rewarding employees who catch phishing scams in addition to offering training.

*“As a company gets larger and larger, getting 100% engagement is nearly impossible, regardless of how required the training is. And so I think you do have to level-set your expectations in terms of what are appropriate participation rates? How do we measure success? And I think there are some new trends around measuring success, specifically around security culture. And a lot of people have been focused, when it comes to simulated phishing, on reporting how many people took the bait. It’s a very reactive measurement, right? Let's start reporting on how many people have reported the attack. That’s a very proactive measure. It shows what culture is like within the organization, that people have been educated on attacks, educated on how to report them, and let's start gamifying and awarding those people who are reporting legitimate attacks.”*