Phish Threat Training Concept
Phish Threat Training Suggestion To Help IT with End Users
I was responding to another post and had this thought. I wanted to see what others think of it; the goal is to better incorporate the training before the test.
Currently sending an email for training in something you failed at in an email creates too much tension; end users can simply tell their boss they thought it was another test, so they ignored the email. Bosses just don't want the breach, so they encourage the training but also understand the end users' point, since they are just being extra cautious, which only enforces the bosses' concern of not wanting a breach. In the end it creates a back-and-forth tension between staff and IT, who really should be working together to prevent a breach in a more positive way. After all, learning is fun, right!
However, given the way SOPHOS currently works with End Point, couldn't this also be tied into the Sophos app running in the task bar on the computer, or at least an interface part that would open a web browser and direct the user to the training?
You could have the normal status and events section but also a training section. The training section could display all available training IT wants out there, not just the required ones for those who fail a phishing test. I mean, what if users wanted to take training to be proactive? The current training options are short enough for most to complete in that last five minutes of the day, plus the option to take them on their own time instead of IT's time might make it an easier pill for them to swallow.
This also creates a chance to take the training before opening the email or before the test even begins, which would also test the training itself, would it not?
Users could enter their email to keep track of who has taken what, but this could also give them a score in terms of points on how much training they have taken and create a little competition in the office, with a quick email sent to them after each test showing their new score. Basically, take the training and put a positive spin on it by getting the staff more involved on a voluntary basis and giving them the chance to know what to look for before we try to trick them. This might alleviate a lot of the tension between Phish Threat and office staff and, dollar for dollar, may get more use for a company.
Just a thought...
Thanks for the thoughts badrobot - this is great stuff!
Let me see if I can accurately summarize the main points and give you an idea about where we stand with them.
1. Make training reminder/notification emails less sketchy.
- We recently added the ability to customize the sending domain used for sending these emails. So, instead of these emails appearing to come from an unfamiliar domain, they can appear to come from your own domain. This can be turned on and customized within settings (https://cloud.sophos.com/manage/phish-threat/config/settings/automated-emails).
2. Provide users with access to available training outside of the campaign lifecycle.
- LMS integration is planned for early 2021.
- NOTE: Currently you may create training campaigns which do not require "risky" action on the part of the user for enrollment in training to take place.
3. Gamification of Phish Threat for individual users.
- This is planned for early 2021.
Does that accurately capture your main points? Is there anything I missed?
That is one route I have used as well, but it still would not allow users to be proactive in the training in their own time, nor does it allow them to converse with other workers on a specific training since not all employees will take the training.
We addressed this by setting up a training-only campaign as a launch to the overall program. We used the "Intro to Phishing" video.
It was communicated ahead of time so that people knew to expect the training enrollment email.
This worked for the most part. Some people reported the training email as suspicious, but not many.
We're at almost 80% complete with a week to go in the campaign.