Every organisation fosters a unique environment – the differences can be large and many.
Some have a strong culture of continuous learning, others not so much.
That being said, regardless of the structure and culture of your organisation, when it comes to phishing awareness initiatives there are key players that need to be included in your conversations to make sure you are successful in creating a security awareness culture.
In most mid-to-large organisations, the four key stakeholders that you will need to support your initiatives are Upper Management, the L&D team, IT Security and HR.
A sure way to get on the bad side of these influential stakeholders is to loop them in at the last possible minute with something along the lines of “Oh, FYI – we’re starting a phishing awareness campaign next Monday. Thought you’d like to know!”
This is a sure-fire way to get them offside and have them push back against the initiative.
Bringing these influential parties into the conversation early and often, and arming yourself with the information they require, will help you nullify any objections.
Security awareness, and in particular phishing awareness, is so important in the modern workplace that we need to give it every chance to succeed. So how can you get these different groups across the line? After running phishing awareness campaigns for over 150,000 people covering almost every demographic, I have pulled together my personal cheat-sheet on tackling the hard questions with these key influencers.
Upper Management is by nature extremely interested in metrics, especially when it covers organisational risk and improvement over time. It is this combination of staff enrichment with hard evidence where we can appeal to Upper Management’s business goals.
We often hear that phishing is now among the top three risks discussed at a Board level, so having key on-going metrics that you can present to senior decision makers can be a door-opener to getting your project on the agenda.
When dealing with Upper Management, we recommend finding a balance between the data (such as phishing assessment results, click-through rates and training completion rates) and staff aspects. That is, while the data can spell out the situation in black and white, don’t underestimate the value senior decision makers place on a program that supports staff along the way with engaging content and a nurturing training environment.
The internal L&D team should have a better understanding of your staff learning culture than anyone else. As the L&D team are usually concerned with the training material itself, be prepared to answer questions like:
In most cases, L&D teams don’t have concerns over phishing simulation and assessment activities; they are more concerned with the structure and quality of the training components.
The last thing you want to do is give the impression that you’re trying to go over the L&D team’s head. So, to bring this team along the journey, give them access to the training material as soon as possible, and provide an opportunity for them to take some ownership of the program. Blindsiding them and bringing them into the conversation late is a certain recipe for disaster.
In many cases, IT Security teams approach phishing assessments in a certain way; that is, create a super hard phishing email and send it to as many people as possible with a goal to trick and deceive large swathes of the audience.
Fortunately, this old method is losing its appeal with many stakeholders. As training and technology have improved, we have a better (and more effective) way of doing phishing assessments and awareness training using smart automation simulations that adapt to the user’s level of understanding.
IT Security teams are notoriously short of time and short-staffed, which is why you can score some easy wins by appealing to their desire to hit objectives using smart automation without compromising their outputs. From an ROI perspective, phishing campaigns are not often the best use of IT Security’s time – this is where automation comes in. When you discuss your phishing campaign, you have the perfect opportunity to show how it’s possible to have the best of both worlds – effective phishing education and automation all at once.
Another way to win over these key decision makers is to offer access to this automation system – so that if they have a great phishing email they want to add to the campaigns, they can. Similarly, explain that if they are having a busy few months and have no time, the system should continue to run without their input. Giving IT Security the power to influence while still doing right by your staff is a great win/win.
HR acts as the advocate and conduit for your workforce, and as such, they are typically concerned with how users are going to be treated and how they will be made to feel during engagements. It shouldn’t come as a surprise; security teams have a history of performing phishing assessments that are far from respectful to the end user. In many cases, staff are left feeling tricked, confused, and outright unhappy with the whole experience.
The biggest concern I see from HR is around transparency. HR often insists on telling users in advance about training and workplace changes. However, for phishing campaigns, telling staff upfront defeats the purpose of doing a phishing baseline – resulting in a warped gauge of the environmental risk and creating misleading data.
But there is an opportunity for a compromise.
If HR’s main concern is that staff are not being given a chance to be educated and warned before being tested by a simulated phishing email, there is a way to resolve this pain point. First, you can ease concerns by making sure that your simulated phishing emails look no different to the authentic phishing emails staff may receive any other day of the year – so be sure to make your simulations realistically undetectable. Second, make sure that your risk assessment baseline emails are anonymised and communicate that to HR. By removing the connections between the simulated phishing emails and your organisation, as well as anonymising the results, you can alleviate HR’s concerns and ensure users don’t feel tricked.
And lastly, but most importantly – The Staff
While your staff don’t need to be consulted upfront, in many ways your staff are the most important to win over. When it’s time to let them know about the initiative (typically just before the training starts), it’s important to frame the conversation or notification in a certain way to get maximum participation and personal buy-in.
Sadly, we often see this approach used in staff training: “Company X dictates that everyone must do this mandatory training by 12pm tomorrow!”. While it is a slight exaggeration, it probably captures the sentiment best. Nobody likes being told what to do, especially when they have no interest in it.
A better approach is to show the user how phishing has become such a huge issue. Not just for them, but for their kids, their parents, and their spouses. People are far less concerned about your organisation than they are about themselves and their family.
If you can show them how they can be the protector of their own domain with training that’s practical and interesting, you’ll see a new level of engagement and better results.
Don’t forget that many staff members have a fear of technical training. This fear, justified or not, needs to be addressed upfront. So, let users know that the training will be a fun and engaging experience, and make sure your training keeps the information at an appropriate and relaxed level.
Phishing awareness training is one of the most important areas of IT security in organisations today. By having a strategy, you can get the organisation moving together in a frictionless way. With a little extra thought, you’ll improve your risk profile and your staff will actually thank you for it – not to mention proving to stakeholders that your training is a complete success.