4 tips for launching a simulated phishing campaign

When it comes to cybersecurity training, enterprise organizations can benefit from real-time simulations that teach employees across departments how best to navigate daily threats, such as email spam and phishing. 

However, initiating a simulated phishing campaign can feel like a daunting task for many security leaders. Launching such a campaign often involves a number of people within the organization touching the process, including the chief information security officer (CISO), compliance manager, the security awareness program trainer, and even the security operations center (SOC).

Although it seems simple enough to include a phishing simulation as part of any security awareness training, setting up these campaigns can often be easier said than done. However, taking a few considerations into the process will make the whole program run smoother:

Considering tools and platforms

The tool that an organization uses to deploy a phishing simulation can either provide peace of mind or prove frustrating and inefficient. I have seen both sides of the coin. I worked for a company who chose to invest in a superior security awareness product, and it was invaluable because it was automated, advanced and could deliver on business goals each step of the way. 

I also worked, very briefly, for a company that wanted champagne results on a beer budget: choosing one of the cheapest options with no back-out clause in the contract. This was problematic because the solution was a manual platform, which meant that it required many extra steps to achieve one simple task. In addition, the tool was not navigationally friendly, the content was mediocre, and more advanced features were missing. 

Security leaders, first and foremost, want to ensure there is a way to streamline and centralize all training to stay organized from a compliance and auditing standpoint. Make sure the organization’s Active Directory can sync up to the platform and continuously update as new hires are onboarded without making the process a manual one. It’s also important to determine whether the potential solution allows the security team to assign dynamic groups so that security awareness managers can create targeted groups to better focus the phishing campaigns.

Shopping done right

The cybersecurity executive in charge of purchasing the solution should be sure to perform due diligence for the administrators and others operating the platform on a daily basis. When sitting down for demos and shopping for features, benefits and pricing, make sure to include those cross-functional staff members and team members that have a stake in the solution. Allow them to test drive and share use cases to ensure it can accomplish the business goals your organization is looking for. This helps to understand the platform’s positives and negatives. 

Call a meeting after the demo to receive everyone’s input. Be sure that the potential solution can help meet the organizational goals of the security awareness campaign. In addition, consider negotiating a back-out clause and have the legal department help sculpt the verbiage. 

Gone phishing

When initiating general or targeted phishing campaigns, always make sure to have metrics to gauge company progress each month or quarter. Since this report will end up going to executive leadership and/or the Board of Directors, make sure to include key performance indicators that go above and beyond the typical total number of clickers and reporters.

Dig deeper to find out how many repeat clickers and repeat reporters the organization has each month or quarter. This might require Excel formulas, since some platforms aren’t savvy enough to calculate this function. This can help from a rewards or coaching standpoint early on. 

For those employees who consistently report phishing to the SOC or security team, create a Phishing Honor Roll and give them kudos or raffle off company swag. Post the results in the company security newsletter or internal communications to garner higher buy-in from other employees. When employees win a raffle for their simulated phishing due diligence, be sure to include their managers or VP on their congratulatory email. Such small details go a long way in creating enterprise-wide buy in.

For those employees who consistently click on the bait, don’t cut off their access or deny them their bonus right away. Think qualitative data. Examine email templates that caused employees to click to better understand the emotional triggers and think about what you can do to change these results in the future. 

After the campaign has officially ended and finished tracking, peruse the templates under the ‘clickers’ to see the trends. Use this as a learning and coaching experience and hold live training seminars for those employees that regularly fall into the phishing trap to provide coaching sessions. This is not intended to punish, but rather educate with compassion. 

Explain social engineering and phishing red flags, share an inspirational quote or locate a humorous phishing video before the security team kicks off any training sessions. Encourage employees to interact and ask thoughtful questions and provide little rewards throughout the hour. Share some of the most popular templates along with unique ones that may not carry links. Again, this type of training can help with future security awareness.

These training seminars (either in-person or virtual) will prove to be priceless because these can easily be transitioned from coaching sessions for repeat clickers to quarterly phishing training for specific departments that have access to highly sensitive data and intellectual property.

Gain buy-in from the C-suite

Influence the cyber tone from the top down. Executive leadership can be a competitive bunch. Gain organizational buy-in by sharing results with company executives and letting them know where particular departments stand in results. 

• Try incorporating some fun ways that will keep department leaders and employees engaged in the program such as: Hold phishing challenges between departments where the department with the most phishing reporters can get rewarded with a gift card or allow them to take a day to volunteer for their favorite charity. 
• Unify the organization by letting everyone know how much of a difference they made in reducing the organization’s risk in each simulated phishing campaign by donating $1 per reporter to the company’s charity of choice. 

By taking these considerations and strategies into consideration before deploying a phishing awareness campaign as part of the organization’s overall cybersecurity strategy, the entire process will go smoother and, ultimately, be more successful.