IT Helpdesk Guide
Article Overview:
The purpose of this article is to provide you and your IT team an understanding of the tests that are due to happen, the reasons for the tests, to provide communication to the end users and answers to questions you may receive.
Introduction
We are running a Security Awareness Training and Testing program to improve staff vigilance against cyber-attacks. The service is broken into three phases:
- Baseline
- Training
- Monthly Phishing
Baseline
We are currently at the Baseline phase. In this phase, we will be testing users with a targeted phishing email. The purpose of the information below is to provide you with quick 'copy and paste' answers for you to respond to any inquiries you may receive regarding the test.
At this stage of the service, it is imperative that you do not inform users that this was a test. We are measuring the current level of staff awareness with a real-life scenario. If word spreads that this was a test, the results we collect may be inaccurate.
You can also use the same content for phone calls you may receive regarding the test.
TEMPLATE
For your IT helpdesk to send to users who flag up any of the phishing emails.
______________________________________________________________________
Hi [[First_Name]]
Thank you for contacting the helpdesk with your query. We will take a look into this particular email and get back to you in due course. For now, please ensure that you DO NOT click any links or attachments in this or any follow-up emails.
If you have any further questions, please contact us.
Kind Regards
______________________________________________________________________
For your IT helpdesk to speak to users who flag up the email via a phone call.
_________________________________________________________________
Hi [[First_Name]]
Thank you for reporting the email to the helpdesk. In this instance, this was the right thing to do. We will look into the email and get back to you in due course. For now, please ensure that you DO NOT click any links or attachments in this or any follow-up emails.
If you have any further questions, please contact us.
_________________________________________________________________
FAQs
Here are some frequently asked questions the IT Helpdesk may have or receive during the service.
Q) Why can’t we tell users that this was a test?
A) Through experience, we have found that informing staff that this was a test encourages word to spread, which in turn can spoil our results. We are measuring how staff perform and react to a simulated phishing email. Keeping your responses as realistic as possible will return the best result in our testing.
Q) At what point do users become aware of the service?
A) This can differ in some cases; most commonly, users are notified about the service at the training enrolment stage. This is via email. Users are informed of the general results from the baseline test, what the service is and why they require it. At this stage users are requested to take their training.
Q) What is the training and does it involve a test?
A) The training we provide is predominantly video based. We can provide subtitled versions too. The videos are hosted on a webpage which also features text-based content and a short quiz at the end. The answers to the quiz are monitored and can be provided in reports.
Q) I didn’t click on any suspicious email – why do I need this training?
A) The training is not because you did or didn’t click an email, but to ensure all users are trained, aware and vigilant to the same high standards. The training covers a lot more than phishing emails. Even if you know most of what is covered in the training, just a few new areas could prove fundamental to preventing a security incident in the future.
Q) I haven’t got enough time to do this training.
A) The training is very worthwhile and required by the company. You can pause the training and go back to it several times until you’ve completed it.
Q) What if I fail this training?
A) You can’t fail the training videos. The videos teach you what to look out for and over the next 12 months further test emails will be sent.
Q) I’m fully security aware; can you please remove me from the future test emails?
A) No, but you can prove you are security aware and not have to do additional training by not clicking on the test emails.
Q) What happens if I click on the future test phishing emails?
A) If you click on future test phishing emails you will be required to take additional training.
Q) Do I need to do this training if I’ve done security training previously?
A) Yes, it is necessary to do this training as new and advanced threats are always evolving and changing.
Q) How do I know which emails are the phishing emails?
A) Due to the new, changing and advanced threats it can be difficult to tell if an email is legitimate or not. The training course will cover all of this and there are additional training courses if you require them.
Q) Why will an attacker target me? I don’t need to do it!
A) For compliance and security purposes we need to ensure all users are trained, aware and vigilant to the same high standards. The training covers a lot more than phishing emails. Anyone can be targeted and the training could prove crucial to stopping an attack, not only through emails, but also on the web, on mobile devices and in person.