As we begin to think about training and awareness, we need to compile the methods we intend to use to conduct outreach:

- Include specific phishing training as part of your yearly information security training:
  - If you don't conduct yearly training, start.
- Develop a cycle for communicating with your entire user base through an email newsletter:
  - Plan for a certain number of these newsletters to deliver targeted phishing awareness training.
- Conduct phishing exercises:
  - Use automated tools that let you test your user base for their awareness of phishing threats. These tools should allow you to:
    - Import your user population from your user directory instead of entering users into the tool manually
    - Build multiple campaigns so that you can target different user groups at the same time
    - Track the users who fall for the simulated phish as part of the exercise so that they can be scheduled for additional training
  - Users should not be treated negatively if they are determined to need additional training. The process should be positive, and users should feel that they are learning a new skill rather than being reprimanded.
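The tracking requirement above, as an added example that is not part of the original guidance: a small Python script that ingests a constructed results export from a hypothetical phishing-simulation tool, summarises each campaign, and maps users who clicked or submitted credentials to a follow-up training module. The CSV columns, action names and module names are assumptions, not any real tool's format.

```python
# Added example (not from the original guidance): turn a phishing-simulation
# export into per-campaign statistics and a follow-up training plan.
import csv
import io
from collections import defaultdict

# Constructed export from a hypothetical simulation tool: one row per user per
# campaign; "action" is the furthest step the user took (assumed vocabulary:
# delivered, opened, clicked, submitted, reported). Layout is an assumption.
CAMPAIGN_EXPORT = """campaign,group,user,action
Q1-invoice,finance,alice@example.com,clicked
Q1-invoice,finance,bob@example.com,reported
Q1-invoice,finance,carol@example.com,submitted
Q1-password-reset,engineering,dave@example.com,opened
Q1-password-reset,engineering,erin@example.com,clicked
Q1-password-reset,engineering,frank@example.com,delivered
Q2-mfa-prompt,finance,alice@example.com,submitted
"""

# Only clicking the link or submitting data counts as falling for the lure;
# opening the message is normal behaviour and is not tracked against the user.
FELL_FOR_IT = {"clicked", "submitted"}
MODULES = {1: "recognising suspicious links",
           2: "recognising credential-harvesting pages"}  # assumed module names

def parse_export(text):
    return list(csv.DictReader(io.StringIO(text)))

def campaign_stats(rows):
    """Per campaign: how many users were targeted, fell for it, or reported it."""
    stats = defaultdict(lambda: {"targeted": 0, "fell_for_it": 0, "reported": 0})
    for r in rows:
        s = stats[r["campaign"]]
        s["targeted"] += 1
        s["fell_for_it"] += r["action"] in FELL_FOR_IT
        s["reported"] += r["action"] == "reported"
    return dict(stats)

def flagged_campaigns(rows):
    """Map each user who fell for a lure to the campaigns where it happened,
    so repeat results across campaigns are visible for scheduling."""
    out = defaultdict(set)
    for r in rows:
        if r["action"] in FELL_FOR_IT:
            out[r["user"]].add(r["campaign"])
    return {u: sorted(c) for u, c in out.items()}

def recommend_training(rows):
    """Pick the follow-up module matching the most serious action per user;
    submitting credentials outranks clicking a link."""
    level = {"clicked": 1, "submitted": 2}
    worst = {}
    for r in rows:
        lvl = level.get(r["action"], 0)
        if lvl > worst.get(r["user"], 0):
            worst[r["user"]] = lvl
    return {u: MODULES[l] for u, l in worst.items()}
```

Users who reported the message (bob above) never appear in the training plan, so the output can double as the list of people to thank publicly.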