We recently wrote a blog on the reasons why running simulated phishing campaigns can create a security risk for your organisation.
So in response to that, we thought it only fair to follow up with a run-through of how to do it properly.
Step 1 - Select a Partner
“Do not try this at home” is the first (and easiest) step. The time and effort you will put into getting this working yourself (domains, landing pages, mail delivery, reporting and so on) will start you off at a loss before a single email is sent. Just choose a partner (and there are some really good free tools) to work with and away you go!
A partner experienced in this area will be able to steer you away from some of the gotchas and make sure that you get the maximum value from the exercise.
Step 2 - Create a Programme
A well-structured simulated phishing programme should sit alongside your Security Awareness programme and tie into any compliance, audit or regulatory requirements you have. A proper programme will:
- Allow you to track improvement over time
- Present results in a format which is better for audit and compliance purposes
- Provide better management data
- Increase user acceptance
- Make your business more secure
Step 3 - Inform your Workforce
This can divide opinion on what counts as “best practice”, but no matter what objections I hear I always endorse being open and up-front with your staff about running simulations. Why? Because you need them to buy into your Security Awareness programme!
If you do not inform them, you run the risk that they will feel you are trying to catch them out, which is not the objective here. My recommendation would be to put out a notice sponsored by the board highlighting:
- This is what we are doing - your simulated phishing plan
- This is why we are doing it - to understand whether our security awareness plan is working
- This is how it will benefit the business
- This is how it will benefit you
- This is what the business expects of you
- This is what you should expect of the business
Step 4 - Mix it Up
One of the biggest challenges with simulated phishing is ensuring the validity of your results. If one employee spots your simulation and informs others, it can ruin your well-crafted efforts. A couple of ways to avoid this would be to:
- Mix up the type of attack you are doing: use different templates and spear phishing approaches
- Target small, representative samples of your workforce rather than everyone at once
- Spread the simulations out with a sensible gap between each
* Remember, this is part of your Security Awareness programme and is an ongoing initiative
Step 5 - Record your Results
This might sound like an obvious one, but it is so crucial it had to go in. Recording your results will allow you to analyse them over time, understand where your risk areas are and see trends in the data. The workforce is a moving target, which makes it hard to quantify, so the more information you have the better your understanding will be moving forward.
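The sampling in Step 4 and the record-keeping in Step 5 can be scripted rather than done by hand. The following is an added example (not from the original post, and not the code of any phishing-simulation tool) that splits a constructed roster into stratified, non-overlapping waves with rotating templates and spaced send dates, then summarises recorded outcomes per wave and per department. The roster, template names, dates and outcomes are all made up for illustration, and the `plan_waves`, `summarise`, `trend` and `example_plan` names are this example's own.

```python
"""Added example (not from the original post): plan stratified simulation waves
and summarise the recorded outcomes. Every roster entry, template name, date
and outcome below is constructed for illustration."""
import random
from collections import defaultdict
from datetime import date, timedelta

# Constructed roster of (email, department); a real one comes from HR or the IdP.
ROSTER = [(f"user{i}@example.com", dept)
          for i, dept in enumerate(["finance"] * 6 + ["sales"] * 8 + ["it"] * 4)]

# Constructed lure catalogue; rotated so consecutive waves never reuse a template.
TEMPLATES = ["invoice_overdue", "mfa_reset", "shared_document", "ceo_request"]

# Constructed outcomes as a partner tool would record them: (wave, email, outcome).
RESULTS = [
    (1, "user0@example.com", "clicked"),   (1, "user1@example.com", "reported"),
    (1, "user6@example.com", "clicked"),   (1, "user7@example.com", "ignored"),
    (1, "user8@example.com", "clicked"),   (1, "user14@example.com", "reported"),
    (2, "user2@example.com", "reported"),  (2, "user3@example.com", "ignored"),
    (2, "user9@example.com", "clicked"),   (2, "user10@example.com", "reported"),
    (2, "user11@example.com", "reported"), (2, "user15@example.com", "reported"),
]


def plan_waves(roster, templates, waves, sample_size, spacing_days, start, seed=0):
    """Split the roster into `waves` disjoint, stratified samples.

    Each wave draws a proportional quota from every department (so no team is
    hit all at once and able to warn the rest), gets the next template in the
    rotation, and is dated `spacing_days` after the previous wave. Members are
    shuffled once and consumed without replacement, so nobody appears in two
    waves. The seed keeps the plan reproducible for the audit trail.
    """
    rng = random.Random(seed)
    by_dept = defaultdict(list)
    for email, dept in roster:
        by_dept[dept].append(email)
    for members in by_dept.values():
        rng.shuffle(members)
    plan = []
    for w in range(waves):
        targets = []
        for members in by_dept.values():
            quota = max(1, round(sample_size * len(members) / len(roster)))
            targets.extend(members[w * quota:(w + 1) * quota])  # empty once exhausted
        plan.append({"wave": w + 1,
                     "send_date": start + timedelta(days=w * spacing_days),
                     "template": templates[w % len(templates)],
                     "targets": targets})
    return plan


def example_plan():
    """Three waves of six people, three weeks apart, from a constructed start date."""
    return plan_waves(ROSTER, TEMPLATES, waves=3, sample_size=6,
                      spacing_days=21, start=date(2024, 1, 8))


def summarise(results, roster):
    """Click and report rates per (wave, department), plus (wave, 'all').

    Outcomes are 'ignored', 'clicked' or 'reported'. The report rate is the
    number to watch: a falling click rate with a flat report rate means people
    are ignoring lures, not recognising and escalating them.
    """
    dept_of = dict(roster)
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for wave, email, outcome in results:
        for key in ((wave, dept_of[email]), (wave, "all")):
            counts[key]["sent"] += 1
            if outcome in ("clicked", "reported"):
                counts[key][outcome] += 1
    return {key: {"sent": c["sent"],
                  "click_rate": round(c["clicked"] / c["sent"], 3),
                  "report_rate": round(c["reported"] / c["sent"], 3)}
            for key, c in counts.items()}


def trend(summary, dept, metric):
    """Ordered [(wave, value)] for one department and metric. Per-department
    samples are small and noisy, so judge the direction over several waves
    rather than any single step."""
    return sorted((wave, stats[metric])
                  for (wave, d), stats in summary.items() if d == dept)


if __name__ == "__main__":
    for wave in example_plan():
        print(wave["wave"], wave["send_date"], wave["template"], len(wave["targets"]))
    s = summarise(RESULTS, ROSTER)
    print("report rate, all staff:", trend(s, "all", "report_rate"))
    print("click rate, sales:", trend(s, "sales", "click_rate"))
```

Because the waves are disjoint and drawn proportionally from each department, a leak in one team affects at most one wave, and the per-department breakdown shows where the next round of awareness training should go. The seeded shuffle means the same roster and seed always produce the same plan, which is what an auditor will ask you to demonstrate.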