Executive Summary
Cyber threats like phishing attempts and social engineering attacks are on the rise globally. Even with sophisticated technical solutions and filters, cyber criminals are finding new and creative ways to slip by protections and utilize social engineering tactics to exploit employees, and the rising costs of cyber attacks means its more important than ever for organizations to avoid a data breach.
Many organizations have a siloed approach to security, which results in a lack of accountability across the organization, and a sense that security is only an IT problem. Keeping the organization secure should be a team effort, so implementing an effective security awareness training program is essential to mitigate the dangers of phishing and safeguard your organization.
There are many different approaches to security training, and a slew of vendors offering a variety of training tools and services. This guide was created to help decision-makers with the process of looking for and selecting a new security training solution.
In this guide, we'll break down exactly wha you need to know when it comes to evaluating phishing awareness training solutions. We'll explain what key features you should consider to protect against cyber risks, what questions to ask vendors, and what results you should expect to see.
Top features in a modern SAT solution
Major factors of differentiation in phishing training, can be linked to the following criteria: user experience, personalization, reporting metrics, behavior change, and automation.
Look for platforms that offer interactive training modules, simulated phishing campaigns, and comprehensive reporting metrics to track progress and measure success.
These criteria can help you assess your options in buying a human-first phishing training that can help you reduce risk in your organization.
Feature #1: User Experience
Employees don't like doing tasks that interrupt their normal workflow for a significant period of time. Training is usually mandatory, but you can incorporate interactive training into an employee's regular workflow without stopping productivity for hours at a time. People have trouble focusing on content that is longer than 5-7 minutes, and you want to be respectful of your employee's time and utilize it efficiently to maximize learning.
Small teachable moments to show learners how to improve in the future based on their past behavior can be an effective method to train and communicate to employees about security awareness topics, whether it be identifying suspicious emails or staying safe on social media.
Tips to improve the employee experience:
- Short training moments
- Encourage user interaction for active learning
- Implement anti-phishing training that can be embedded in an employee's workflow (email client, work phone, laptop, etc.)
- Reward success for positive reinforcement
- Try different approaches
- Monitor user feedback (NPS rating of different vendors and qualitative feedback)
Gamification
Gamification is one example of how you can make anti-phishing education/training personalized and more enjoyable for the user. When assessing different vendors, consider the user experience carefully. Your employees are going to be the ones using the training on a daily basis, and you want it to be relevant, minimally disruptive to their work, and easy to use.
Feature #2: Personalization
If employees don't feel like the training is relevant to them, then they will lose interest fast. This is why you should compare a vendor's level of personalization applied in their phishing awareness training, in terms of employee's cyber knowledge (IQ), role, department, and language of training content.
Not every employee has the same level of cyber knowledge, and everyone has a different background when it comes to cybersecurity. This is why anti-phishing training can't be administered in the same way to everyone.
Personalized learning paths
Personalized learning paths are a factor to consider in your vendor search for an effective solution. If an employee keeps failing simulation exercises, you might need to take a step back and send out easier attacks for the employee to spot. Once the employee sees that he or she can be successful, the employee will become more engaged, and you can start sending attacks that are more difficult. If employees continuously fail, they will feel defeated and lose momentum and interest in the training. Positivity is the key to engaging people and keeping them coming back for more!
Language
Another important level of personalization is the language of the security training content. Make sure to ask prospective vendors whether their phishing awareness training program covers the local languages of your employees. In case the vendor does not provide the language(s) that you need, you should always ask them whether they are planning to add it in the future.
Feature #3: Reporting & Measurement
Many organizations and vendors track the reporting rates of phishing simulations, but this metric needs to be considered carefully. An organization may be using very simple simulated phishing campaigns or very difficult challenges, skewing results to one side of the bell curve or the other. If everyone received the simulation at the same time, it is likely some employees working in an open office setting will also give their coworkers a hint not to click on the fake campaign.
This can lead to a false sense of security if your phishing emails are too easily spotted. Passing a few tests per year does not show your organization is prepared how to respond to sophisticated, modern phishing techniques.
Reporting Rates and Failure Rates
Two of the main KPIs in phishing awareness training are reporting rates and failure rates. When employees are engaged in training, reporting rates of simulation exercises will increase. Most likely the reporting rates of real-world threats will increase as well. This will give security teams increased visibility into the phishing attacks the company is receiving and allow them to react faster.
Failure rates of different vector types can also highlight areas where employees may need additional training in the future, and the progression and decline of failure rates can show the success of training over time.
Feature #4: Behavior change
One of the main pillars of behavior change is reinforcement, and continuous reinforcement and repetition will transform your behavior into a habit. In security awareness training, the behavior change that the employer wants is to teach employees how to react appropriately every time they receive potentially malicious emails or other content. The other objective is for employees to understand why reporting threats is important to the organization.
Positive Reinforcement
Research has proven that workplaces need to consciously overcome a habit of trying to scare people into action and highlight when employees do the right thing or reach their goal with a reward or positive feedback. When employees report simulated phishing attacks correctly, and then they are given positive feedback, they will be more likely to report real actual phishing threats that hit their inbox in the future. This is the whole point of regular phishing awareness training.
Frequent and Continuous Training
Another key component to behavior change is the frequency of training. When choosing a vendor, keep an eye out for the quantity of phishing simulations promised per employee on an annual basis. Continuous, on-going training will keep your employees on their toes, and repetitive actions drive a lasting behavioral change. Together, positive reinforcement and frequent training are key traits that improve employee satisfaction with security awareness training. They also help shift the perception of cybersecurity to a more positive culture of awareness in the organization, that everyone participates in.
Feature #5: Automation
Automation is a key driver in productivity improvements and cost savings, and every security team should consider the impact automation could have on their operations and determine what level of automation is best for them. Different vendors offer different ways of automating various components of their security training program, but the two biggest benefits from automation in phishing training is the automated delivery of personalized, frequent training, and the automation of potential threat identification, classification, and escalation.
More personalized training moments
Many organizations develop phishing campaigns for their employees manually, which can be very costly and time consuming, especially if the security team does research to make sure the their content and simulations are up to date with the latest real-world phishing attacks. Choosing a vendor that regularly updates their content to include the latest types of phishing attacks and themes can be a big timesaver.
Additionally, choosing a vendor that automatically delivers simulated attacks means you'll get to send up to 36-48 personalized emails per employee each year. This level of practice contributes greatly to consistent, effective learning and forming healthy security behaviors.
Remediation time savings
As a security awareness administrator, you want your employees to stay vigilant and report any emails that look suspicious. But when they do, the security operations team is tasked with reviewing and handling those reports. Finding a security training vendor that can automate the tasks of threat identification, classification, and escalation means you can continue encouraging healthy security behaviors without creating more work for your team.
Feature #6: Real-world impact
Cyber risk doesn’t stop at training, so neither can the metrics. The ideal outcome of a phishing attack is a threat report because it removes the danger from the system and accelerates SOC response. Thus, it’s crucial to track how people recognize and report real threats, too.
The Hoxhunt phishing awareness platform allows users to report real threats—and be rewarded for their threat detection–the same way that they're taught to in training. In-the-moment feedback and gamified rewards can be provided to users when they report a real suspicious email, which reinforces threat detection skills and lightens the threat analysis load for security teams, who need only deal with the highest priority threats and incidents.
All modern phishing platforms should be purposefully designed to extend and connect training to measurable real threat detection outcomes, in terms of dwell time, accuracy, and volume.
How to research your vendors
When searching for any security vendor, it is important to do some research, not only on the vendor's website, but also to read up on thoughts from peers and community members.
We suggest looking at trusted review websites, such as G2.com Gartner , which shows unbiased user reviews on satisfaction with different products and software.
Enterprise G2 Grid® for Security Awareness Training Software
Why is an adaptive security training platform better than legacy tools?
Adaptive phishing platforms get much better results because phishing simulations are personalized to every individual and delivered automatically at the right time and frequency.
Hoxhunt leverages AI to automate the entire phishing training lifecycle, so security teams can personalize their cyber security training at scale with fewer resources.
Questions to ask prospective vendors
Before you meet with potential vendors, it’s good to create a list of questions that matter for you. It will help you compare vendors upon the same criteria and have all the answers you need to make a decision. We gathered the most frequently asked questions to help you brainstorm.
User experience
1. How do you encourage employees to participate in the training?
2. How much time does the training take out of an employee’s regular work week?
Personalization
3. What language options do you have for delivering training content and support?
4. What happens when an employee fails a phishing simulation once or multiple times?
5. Does everyone receive the same training at the same time or is training personalized in any way to employees?
6. How often is the training content updated? Is content updated in each language regularly?
Reporting Metrics
7. What type of progression can you expect to see after 1 month of training, 6 months, and 1 year (reporting rates, participation rates, etc.)?
8. What KPIs do you measure? What are the reporting capabilities?
Behavior Change
9. How frequent do you send simulations per year to each employee or how frequent do you recommend (for solutions that offer templates)?
Automation
10. About how many manual hours would be required from our security team to send out a campaign for X number of employees? (100, 10,000 or 20,000)
11. Where does malicious content (email phishing attacks) go once it has been reported by an employee?
Implementation of Training and Technical Capabilities
12. What are the steps of the onboarding process?
13. Do I receive any help with communication before the roll out of the new phishing training?
14. Do you have threat reporting tools?
15. Can the training be integrated with other tools? e.g. Microsoft ATP?
16. Does it work on all devices? Which devices? Which email clients?
17. How does the pricing work? Do you pay for each element of training separately or is it a cost per employee?
