Introduction
Our mission is to help your organisation consistently achieve a 0% level of technology-based security threats caused by end-users' lack of understanding.
We have created this guide for organisations that still see end-users putting their security at risk month after month, even after our initial compulsory training, random monthly testing and, in rare cases, our educational refresher training.
This guide provides advice and solutions to enable your organisation to reach a 0% end-user threat level.
Our Goals
Once your end-users have been educated via our training videos and quiz, the monthly phishing stage of our service is the most important part of the programme. Its key objective is to ensure end-users stay vigilant for different types and variations of phishing e-mail, and that they apply their training on a day-to-day basis.
By randomising when each end-user receives an e-mail, and varying which phishing template they receive, we reduce the chance of recipients warning one another or discussing e-mails they have recently seen. This gives your organisation an accurate picture of each individual's ability to spot and act upon a phishing attack.
We want you to see 0% of all your end-users clicking on our test phishing e-mails every month. This should remain consistent throughout your subscription to the service.
Our Message
Our materials are of the highest standard, and we can provide you with evidence of who is clicking on threats each month and what each individual's current training status is. Enforcing this training across your organisation requires us to work with you by providing recommendations and messaging. We send reminders to end-users who have not completed the training and we do make them aware that they are being tested; even so, getting the click rate down to 0% sometimes requires your assistance.
0% is achievable in organisations of all sectors and sizes and is achieved regularly. We want all our clients to experience this success rate.
Advice and Solutions
What can your organisation do to reach the goal of 0%?
The proven solution is to enforce security training across your business and to make your organisation's position clear: security is taken seriously.
Delivering this message to all end-users takes your organisation a step in the right direction towards changing end-user behaviour. Make sure you have communicated that your organisation is raising awareness of threats and that simulated phishing e-mails are being sent to everyone at random. End-users should be aware that if they do not put their training into practice, they will be asked to take further refresher training. Simply knowing that e-mails are being sent which could catch them out goes a long way towards making users more vigilant.
Using the reports we send you, we advise that users who are still a security risk (clickers) are spoken to directly, or contacted by e-mail, by the relevant person within your organisation. A message sent from you rather than from us is always taken more seriously.
You should explain to the end-user:
• what has happened
• what they have to do as a result
• what the consequences are if they continue to pose a risk.
We fully understand that different organisations have different approaches to dealing with this kind of situation. Here are some examples that we have seen customers undertake to achieve a 0% click rate.
Circulate the Reports
A great way to enforce the security message, and the benefits of our training, is to circulate the reports to all line managers. We can assist you with this. This spreads the enforcement workload, and line managers can take a more personal approach and speak with the individuals causing the risk. We have found that users usually only need to be spoken to once to become more aware and to stop clicking such e-mails in the future.
By updating your user list to include the user’s departmental information, and with your organisation’s agreement, you can then announce the departments that have achieved, or not achieved, 0% that month/quarter.
Forward the Reports to the Directors/Executives/Board
You can also deliver the monthly reports to senior executives within your organisation to ensure full backing when enforcing your security message. This support can be essential if you need cross-departmental enforcement of any security measures put in place. Customers have told us that they first made sure the Senior Management Team was fully aware, and then made a company-wide announcement. This lets you enforce the message that monthly tests are active and that users who have clicked must take refresher training. Sometimes a reminder at this stage from a Senior Manager is all that is required to bring your click rate down to 0%.
Screensavers
Your SATT service includes 6 infographics covering many aspects of cyber security. Setting these as bi-monthly rotating desktop screensavers, or displaying them on common-area screens, keeps security front of mind for your employees.
Print and Share our Infographics
Supporting text-based training materials for our training can be found here. You can share these infographics internally with all end-users to refresh training awareness mid-way through your subscription, by e-mailing or printing them or publishing them on your intranet. Reinforcing the training mid-way through the service can be effective in reducing the click rate on monthly phishing e-mails.
Receive Alerts
We can help you set up alerts so that you are notified in real time when someone has put your organisation's security at risk. By that point we will already have followed up with the user to ask them to complete the training.
Change the Remedial Training
Our service includes dozens of individual modules and courses lasting from 5 to 45 minutes. If you would like the remedial training changed to a shorter or longer course, just contact support@cybersecurityawareness.co.uk.
Adjust the Remedial Training Message
The remedial training enrolment message can be changed from a soft approach to a more severe message for employees who continue to put your organisation's security at risk. We can even use a personal message from you or your organisation. For changes, just contact support@cybersecurityawareness.co.uk.
Name and Shame
Some organisations have told us that they have published on their intranet the names of individuals who have consistently clicked on phishing links. This is not an action we can endorse, not least because a punitive approach can discourage staff from reporting suspicious e-mails they have already clicked on, but it does send a strong message to the individuals who are still putting security at risk. If this is acceptable within your company, it can be very effective in reducing the risk level.
Lockout Policy
You want to convey the message that you take security seriously, and a powerful way of delivering that posture is to warn users that they will be locked out of their accounts, or have restricted access to e-mail and the internet, if they do not complete the compulsory or refresher training. This does depend on internal administrative effort, some potential loss of productivity and a change to existing company culture; however, it has been extremely effective for some of our customers, and its cost has proven smaller than the impact of incidents caused by end-user error.
Conclusion
A 0% click rate is achievable in all organisations.
Achieving this objective requires education, reinforced by the message you send to users, to change their behaviour in spotting and acting upon phishing e-mails and other security risks. The most powerful action is to make sure that users are aware they are being tested and that there is a consequence if they fail. Refresher training can serve as the initial deterrent.
If the right message is given to new starters as part of your on-boarding process, they will be more vigilant against phishing attacks, making your company much safer against cyber-crime; your users also benefit by being better protected in their personal lives.
We aim to change end-user behaviour by increasing their knowledge through our service, however changes also need to be undertaken in the culture of the organisation towards the end-user threat.
CYBER SECURITY AWARENESS
Market Leading Fully Managed Services
cybersecurityawareness.co.uk
01256 379977
For additional support on your Security Awareness service, visit our help centre or contact support@cybersecurityawareness.co.uk.