Who moved my … phishing assessment targets?


Most of us, over the past few months, have had to manage a rapid and stressful migration from a largely on-site workforce to a remote, primarily work-from-home workforce. This came with technical and educational challenges: new requirements and tools to keep our information safe while still allowing for teaming and collaboration. It also created the need to reevaluate our cyber education and awareness tactics, from topic selection (such as safe use of collaboration tools) to virtual engagement strategies and overall cyber safety.


With all the flurry, and likely a huge communication push on many diverse themes out to our workforce, has your phishing simulation program taken a hit? Has your undesired action rate (clicking on a link, opening an attachment, or providing credentials within a phish) or your “report a phish” rate not changed much, or, even worse, gone in the wrong direction? Will your ongoing awareness strategies include any on-site activities, and have you had to concentrate your awareness efforts and priorities on topics other than phishing?

If things have (hopefully) settled down somewhat, perhaps it is time to re-baseline your phishing program, since most of your workforce is now working in an entirely different environment. If you baselined your program before COVID-19 by analyzing your UAR (undesired action rate) and reporting statistics, you can compare that baseline against a new one taken with most of your workforce working from home.


The ideal situation would be to select a phishing simulation you have sent in the past and either send the same simulation to a representative sample or send a similar simulation to past targets. It is imperative that you compare “apples to apples” in terms of how difficult the phish is to recognize; if the two phishing emails are not similar, your overall metrics will be skewed. In addition, select a simulation unrelated to any current mass communications or to a topic that may be sensitive to your workforce. With the challenges we have all had to deal with, steer clear of health and employment related topics, or anything associated with back to school.


Once complete, if your UAR appears to be trending in the wrong direction, consider increasing the frequency of your phishing simulations so they reach more of your workforce, and use a JIT (Just In Time) training page as a teachable moment. If your UAR has moved in the proper direction, along with your reporting rate, you can have some confidence that your awareness tactics so far through COVID-19 have made a positive impact. Capitalize on this success, using similar concepts and approaches for future training and awareness strategies.
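The re-baselining steps above (same lure before and after, per-recipient UAR and reporting rate, and a decision on whether the change is real rather than noise) as an added example; this is not code from the original post. Campaign names, the lure templates and every event record are constructed sample data, and the two-proportion z-test is a common choice for comparing two rates, not something the post prescribes.

```python
"""Re-baseline a phishing-simulation program: UAR and report rate per campaign, a
like-for-like (same lure) guard, and a check that the UAR change exceeds sampling
noise. Added example; every event record below is constructed."""
from math import erf, sqrt

UNDESIRED = {"clicked", "opened_attachment", "submitted_creds"}  # actions counted in UAR

def make_campaign(name, template, delivered, undesired, reported):
    """Constructed rows (campaign, template, user, action): everyone is 'delivered',
    the first `undesired` users click, the last `reported` users report the phish."""
    users = [f"u{i}" for i in range(delivered)]
    rows = [(name, template, u, "delivered") for u in users]
    rows += [(name, template, u, "clicked") for u in users[:undesired]]
    rows += [(name, template, u, "reported") for u in users[len(users) - reported:]]
    return rows

# Same lure before and after the move to remote work, plus a different lure (a
# sensitive HR topic) that must not be compared against the baseline.
EVENTS = (make_campaign("pre-covid", "invoice-v3", 200, undesired=24, reported=40)
          + make_campaign("wfh", "invoice-v3", 200, undesired=36, reported=50)
          + make_campaign("wfh-hr", "benefits-update", 150, undesired=30, reported=20))

def campaign_metrics(events, campaign):
    """Per-recipient metrics: a user who clicks twice is one undesired action."""
    seen, template = {"delivered": set(), "undesired": set(), "reported": set()}, None
    for camp, tmpl, user, action in events:
        if camp == campaign:
            template = tmpl
            seen["undesired" if action in UNDESIRED else action].add(user)
    n, bad, rep = len(seen["delivered"]), len(seen["undesired"]), len(seen["reported"])
    return {"template": template, "delivered": n, "undesired": bad, "reported": rep,
            "uar": bad / n, "report_rate": rep / n}

def two_proportion_test(x1, n1, x2, n2):
    """Two-sided z-test for a change in a rate between two campaigns -> (z, p_value)."""
    p_pool = (x1 + x2) / (n1 + n2)
    se = sqrt(p_pool * (1 - p_pool) * (1 / n1 + 1 / n2))
    z = (x2 / n2 - x1 / n1) / se
    return z, 2 * (1 - 0.5 * (1 + erf(abs(z) / sqrt(2))))

def compare_baselines(events, before, after, alpha=0.05):
    """Compare two campaigns of the same lure; refuse an apples-to-oranges pair."""
    b, a = campaign_metrics(events, before), campaign_metrics(events, after)
    if b["template"] != a["template"]:
        raise ValueError(f"different lures: {b['template']} vs {a['template']}")
    z, p = two_proportion_test(b["undesired"], b["delivered"], a["undesired"], a["delivered"])
    return {"uar_before": b["uar"], "uar_after": a["uar"], "report_before": b["report_rate"],
            "report_after": a["report_rate"], "uar_z": z, "uar_p": p, "significant": p < alpha}
```

With the constructed numbers, `compare_baselines(EVENTS, "pre-covid", "wfh")` shows UAR rising from 12% to 18% while the report rate also rises, but the p-value (about 0.09) says the UAR move is not yet distinguishable from sampling noise at 200 recipients, which is the case for a larger follow-up sample before changing the simulation schedule.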


Now, more than ever, we must get creative and innovative with educating our workforce, since our on-site tactics no longer reach large numbers of people. This new baseline will provide insight on where to focus your awareness efforts, whether you need to increase the number and intensity of your simulations, and how your workforce comprehends communications regarding cyber safety and virtual engagement.

Licensed from https://www.sans.org/security-awareness-training/blog/phishing-assessment-targets


©2020 by Woods LLP.