Final Thoughts & Best Practices
There are some best practices which we have picked up over the years that help when embarking
on a security awareness and culture campaign:
1. Do not manage what you cannot measure. Create a baseline view of your current awareness
status by running a proficiency or security culture assessment, and repeat it every 12 months so
that you can demonstrate improvement over time. Phish-prone Percentage (PPP) can help as a
tracking metric, but it can be manipulated by changing the sophistication level of the simulated
phishes, so it needs to be reported in context (alongside the difficulty of the templates used).
2. Involve your executives. Executive involvement goes beyond sponsorship or budget approval
for the campaign. Your executives should be the face of your campaign, because people look at
what their leaders are doing.
3. Do not do it alone. Work with your marketing, internal communications, HR and compliance
teams, amongst others, to gain input and approval for your campaign plan.
4. Combine training with frequent phishing simulations. Quarterly phishing is not enough.
Everyone in the company should receive a randomly assigned simulated phish every week (or as often
as your corporate culture will tolerate, but at least monthly). This gamifies the experience, since
every email now needs to be scrutinized. Create targeted or customized phishing emails for your
privileged users, who are the most valuable targets for a real attacker.
5. Remediation training for frequent clickers. Provide in-depth remediation training for frequent
clicker groups, assigned automatically once a user reaches a pre-set number of "clicks." This ensures
training is targeted at the people who need it most.
Suggested cyber extortion awareness campaign plan
By applying BJ Fogg's behavior design model, considering the top exploit causes as well as the best
practice points listed above, your cyber extortion awareness campaign becomes more targeted and
effective. If you are already a KnowBe4 customer, please speak to your Customer Success Manager
for guidance around relevant training modules.