The Value of Simulated Phishing: Guidance For Doing So
By Caroline Gilchrist, writer, Skyward, Inc.
The sun has set on summer. But as an orange autumn moon rises to take its place, the waters of cyberspace only become more congested. Phishing, it turns out, is always in season.
Want to give it a try?
I know—you’re one of the good guys, so why would you want to go phishing? The reason is simple: to prevent employees from being hooked down the line. Simulated phishing is a sort of catch-and-release method that can be an extremely valuable asset for IT leaders. Not only do simulated attacks remind employees to be ever vigilant while going through their inboxes, but they also give IT leaders a better idea of whether employees can effectively identify phishing attacks, or if they need additional training.
So, pull on your cap and waders. We’re going phishing!
Before you let your line fly, it’s essential that you fully formulate your plan and discuss it with the leadership at your district. How often will you send out simulated attacks? What program will you use? How will you prepare your employees?
Don’t neglect that last one; making sure employees are up for the challenge is an important part of the process. After all, how can you expect them to identify phishing emails if they don’t know what to look for? Employees can learn to recognize and evade threats through online cybersecurity training programs. (This article gives a nice overview of several programs, including KnowBe4—our favorite.) Some of these programs include simulated phishing as well; no need to phish through a separate organization!
If you haven’t already, set up an easy way for employees to report phishing, ideally both to your email provider and your IT team. If your district’s email platform doesn’t have a simple way to report to the IT team, you can set up an inbox for employees to forward suspicious messages to (for example, firstname.lastname@example.org).
It’s best to keep your plan to simulate phishing under wraps in the beginning. An unannounced baseline test is a helpful way to truly gauge susceptibility to attacks. However, after your first simulation, explain the phishing drill to everyone! Open communication is vital to maintaining trust between leaders and those they lead.