Sometimes security awareness training is ineffective. Sometimes it’s considered in poor taste.
For example, in a move that was criticized earlier this year, newspaper giant Tribune Publishing sent out a phishing simulation to staff. The “lure” was the promise of a bonus between $5,000 and $10,000. The email instructed employees to log in to “view your end of year bonuses.” And when they did, they received a notification of enrollment in a computer security training program. However, the awareness campaign raised eyebrows because Tribune Publishing had recently laid off and furloughed many employees.
Perry Toone, founder of email service firm TheXYZ, says a similarly disastrous experiment with phishing employees led him to abandon the tactic.
“We created a fake phishing site and encouraged users to click a link in an email,” he says. “When they did, we informed them that they had failed the phony phishing test. It turned out, this was not a good idea. Many people freaked out, thinking they had been hacked. Wouldn’t do it again.”
OK, so these are both examples of awareness training that fell flat. But what’s working these days? The Edge reached out to several security leaders to hear about the new tactics they are employing to evangelize security in their organizations.
Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.