Lately, we’ve worked with an array of organizations who decided to launch phishing programs (they’re great for education, training, and awareness), but quickly realized outside help was needed in order to maximize results. After all, an effective phishing program considers far more than just click ratios. We wrote the book on it, literally! Here are some questions to help guide you on your way to making the right decision for your specific needs.
Q: Will the phishing program be the only job your in-house person has to manage?
Consideration: If you’re planning to run a phishing program in house, you should consider designating a full-time program manager. We’ve seen many organizations initiate programs without allocating proper resources. These programs are not as effective. They often stall or end up starting over again with the proper allocation of resources to receive maximum benefits. Consider this before starting your phishing program to save time, resources, and the frustration of an unsuccessful program.
Q: How much time per month do you want to devote to your phishing program?
Consideration: This question can help you determine whether you need new staff, an outside vendor, or an in-house team to manage the program.
Q: Does your in-house staff or outside vendor have experience in writing, reviewing, and rating phishing emails?
Consideration: Often phishers in the wild will use highly sophisticated, psychology-based attack mechanisms that entice users to click. Does your team have time to conduct due-diligence to write a highly-targeted spear phish for educational purposes? We like to use a little analogy to explain this: train the way you’ll fight because you’ll fight the way you’ve been trained. If you aspire to be a professional boxer, would you want to be trained by an experienced boxing coach, or your next-door neighbor who volunteered to help? Leveraging an individual or team with experience in crafting and rating phishing emails will ensure your employees learn and gradually level up in phishing training initiatives.
Q: Do you have an incident response team in place?
Consideration: Once users have been trained to spot phishing attacks, they will begin to report both real and training phishing emails. If your organization is not equipped with a process or technology to handle the reported incidents, things could be very messy. Every organization needs to implement a process for reporting and handling incidents.
Q: How soon can I expect to see results?
Consideration: The best way to initiate a phishing program is to establish a baseline for your organization’s susceptibility to phishing attacks. While results don’t happen overnight (good things take time), most users experience a gradual decrease in user click ratios and an increase in reporting ratios month-to-month with a program that both phishes and educates users on a continual basis.
If you’d like more information on how to secure your organization with Social-Engineer’s Phishing-as-a-Service (PHaaS) program, Call 800-956-6065 or email: [email protected].
If you’d like a one-pager of this blog for your security team, grab it here.