In the first part of this blog, we looked at how to develop an effective simulated phishing test. Now, we’re covering the five steps to ensure everyone in the organisation absorbs the right lessons from those exercises.
As before, the advice is courtesy of David Prendergast, who has joined the BH Consulting team as a senior consultant. David has a background in delivering security awareness across multiple industries. Last time, he touched on the importance of building trust and avoiding blame when running simulated phishing tests. Now, here are his five tips for creating follow-up training that embeds effective and enduring security culture change.
Praise the people who contacted the service desk after seeing a suspicious email or flagged it to their security team. “The reward doesn’t have to be anything grand like a €250 voucher. A piece of chocolate is a simple token and may be good enough to encourage the good behaviour you want to see,” says David.
This lesson comes from experience. “Follow the phishing simulation with security awareness training very quickly afterwards. Within hours of sending the simulated phishing email, you should send a message explaining that this was a pre-agreed exercise. Tell users clearly that it is a test to improve awareness, not to catch anyone out. Be very clear that it’s okay to get it wrong and there will be no repercussions or consequences,” says David.
Don’t assume that people know about the risks. Remember, it’s always someone’s first day, and technical know-how is not the same as security savvy. “I’ve trained some very smart people and you think they know the same stuff you do, but they don’t always pick up on the same vulnerabilities and gaps,” says David.
“Now that I’m a consultant, you might expect me to say that, but here’s why it makes sense. If the simulated phishing email comes from you as the CISO, users will never open a genuine email from you again,” says David.
Simply put, this means running awareness on a regular basis – and more than once per year. “I always objected to security ‘programmes’ because by definition, they had an end date. Awareness needs to be continuous and ongoing – quarterly at a minimum,” says David. The size of the organisation doesn’t matter. In larger companies, you can vary the frequency of tests by focusing on one particular department at a time.
The Harvard Business Review argued that businesses should see security awareness training as an investment, not a cost. These tips can help you to ensure the investment keeps delivering value for money in the form of improved security.