Effective Phishing Exercises: How To Plan, Execute And Follow Up
Cybercriminals have many ways to try to trick people into revealing or granting them access to sensitive information, and their methods—and tools—are always evolving. Businesses and organizations of all stripes often turn to phishing exercises to raise awareness among their team members of the prevalence of the problem, teach them to spot and report the warning signs, and help leaders pinpoint and shore up weaknesses in their defenses.
For a phishing exercise to be effective, it must be planned carefully, executed wisely and followed up with thoughtful actions that build on the lessons learned. Here, members of Forbes Technology Council share strategic steps to take both before and after a phishing exercise to ensure it has a positive, strong and long-lasting impact.
Ensure A Low-Risk Reporting Process
"One key step to ensure a phishing exercise is effective and drives change is to make the follow-up reporting process safe and low-risk for employees. By removing the fear or shame of failure, you encourage honest feedback and openness, which creates a culture of learning and accountability. This approach allows employees to focus on improving their security awareness without feeling penalized."
- Christopher Konrad, World Wide Technology