Education or Entrapment? Phishing Your Own Employees

Posted by Michael Barrett—Senior Consultant 


Organizations wouldn’t think twice about training their employees about the company’s acceptable use policy, code of conduct, or rules against sexual harassment, but when it comes to social engineering some organizations do think twice. Common concerns are:

  1. Entrapment: Employees feel like they are being tricked when they are tested with simulated phishing emails.
  2. Unfair: People can feel like the company knows too much about them or their organization to be unbiased when it comes to selecting test groups or pretexts.
  3. Waste of Time: Some believe that they are not susceptible to these types of attacks, and, therefore, their time is being wasted.

In order for a security awareness program to be successful, and I mean really successful, senior management has to support the program. Without senior management support, goals cannot be met, resources will not be allocated, and complaints from employees and managers will undermine the program.

If senior management is expressing these concerns, how can you gain their acceptance for a security awareness program?

  1. Share the Plan: If employees are proactively involved in the process, educated about the importance, and empowered to make a difference, security awareness can be a frontline star instead of a disliked pseudo-police force.
  2. Perform an “Informed” Test: Announce, “This Friday you will receive a phishing email.” Using this technique will disarm people as they won’t be surprised when the phish shows up in their inbox.
  3. Promote Participation: Make the informed test into a contest and offer a series of prizes that can be won by those reporting the email. This will make the exercise more exciting, as well as promoting your incident response procedure.

Getting everyone involved in the process and being upfront about the goal and objectives can go a long way towards creating a successful program and creating a positive outlook from management. Educating users with the tools and techniques to identify scams not only makes for a safer company, but safer employees, who will be able to use their improved awareness not just in their work life, but their personal life as well.

