Creating a Culture of Awareness: 12 Key Practices to Follow (and Avoid)

July 13, 2023

An organization that is resilient to ever-evolving email threats is built on a strong and effective security awareness program. But how do you go about building one, what should it include, and, just as importantly, what should you avoid? Below we set out the top 12 practices to follow and to avoid.

Don’t

Use ‘Click Rate’ as your sole measure

Click rate alone is not an effective measure of the success of an awareness program or of resilience to a phishing attack. "No click" tells you nothing about whether the user recognized the simulation or threat: the user may simply never have opened the message, which is a lack of engagement, not evidence of understanding. Track report rate and time-to-report alongside click rate, since a report is a positive action that shows the recipient recognized the email as suspicious.

Rely on outdated threats 

Email threats and tactics evolve so quickly that even a traditional secure email gateway (SEG) on its own can't keep up. Basing your email security training only on known, historical threats will not make your team resilient against the threats that are active today.

Run a corrective program  

Running a corrective program, one in which incorrect behaviors are punished, is likely to produce side effects such as disengagement, fear in the workplace, and loss of trust. Use positive reinforcement instead to encourage the engagement and behaviors you want.

Treat employees as risks to be mitigated 

Your employees are the front line of defense in your organization. Ensure your program is set up for them to succeed and it’s not just a metric to check off the to-do list. Add in gamification to make it more enjoyable and reward desirable behaviors as it will help increase engagement and advocacy. 

Enroll a subset of employees  

Every person in the organization should be conditioned to identify and stop threats. Training only a subset of the organization is not effective, because it takes only one person to jeopardize it.

Expect your Awareness Program to solve all your problems 

The reality is that no matter how good your awareness program is, some email threats will always slip through. You still need to arm your organization with the tools to identify those missed threats and quickly remove them from mailboxes across your network.

Do 

Communicate your program clearly 

By clearly communicating what your email security program looks like, what you are doing, why you are doing it, and what you expect of people, you'll create a team of security advocates. Prioritize new hires and frequently targeted roles (for example executives and staff who handle payments or credentials), as they are more vulnerable.

Develop a culture of Reporting 

Providing employees with the tools to report suspicious emails allows you to not only track the success of your awareness program, but also easily allows them to identify and react to live and incoming threats that haven’t been stopped by technology. 

Rapidly assess and respond to every reporter with a verdict 

Once you have given your team a reporting function, make sure you review every report and tell the reporter the verdict. This is an important step: receiving feedback regardless of the outcome encourages users to keep reporting.
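To make the "click rate is not enough" point and the reporting metrics above concrete, here is a small added example (our own illustration, not code from the original article or from any awareness-program product). It takes a constructed event log from one hypothetical simulation campaign, where each event is (user, event type, seconds after delivery), and computes the metrics a practitioner would actually want to look at: click rate, report rate, the share of "no click" that is really "never opened", time to first report, median time to report, and the ordered list of reporters who are owed a verdict.

```python
"""Phishing-simulation metrics beyond click rate (added example).

The event log below is constructed sample data, not real campaign data.
Each tuple is (user, event, seconds_after_delivery); events are
"delivered", "opened", "clicked" and "reported".
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional, Tuple

Event = Tuple[str, str, int]

# Constructed sample events for a hypothetical 8-recipient campaign.
EVENTS: List[Event] = [
    ("alice", "delivered", 0), ("alice", "opened", 120), ("alice", "reported", 300),
    ("bob", "delivered", 0), ("bob", "opened", 60), ("bob", "clicked", 90),
    ("carol", "delivered", 0),  # never opened: "no click" but no engagement either
    ("dave", "delivered", 0), ("dave", "opened", 600),  # opened, neither clicked nor reported
    ("erin", "delivered", 0), ("erin", "opened", 30), ("erin", "clicked", 45), ("erin", "reported", 200),
    ("frank", "delivered", 0),  # never opened
    ("grace", "delivered", 0), ("grace", "opened", 900), ("grace", "reported", 1000),
    ("heidi", "delivered", 0), ("heidi", "opened", 100), ("heidi", "clicked", 130),
]


@dataclass
class UserOutcome:
    opened: bool = False
    clicked: bool = False
    reported: bool = False
    report_delay: Optional[int] = None  # seconds from delivery to first report


def outcomes(events: List[Event]) -> Dict[str, UserOutcome]:
    """Fold the event stream into one outcome record per recipient."""
    by_user: Dict[str, UserOutcome] = {}
    for user, kind, t in events:
        o = by_user.setdefault(user, UserOutcome())
        if kind == "opened":
            o.opened = True
        elif kind == "clicked":
            o.clicked = True
        elif kind == "reported":
            o.reported = True
            if o.report_delay is None:  # keep the first report only
                o.report_delay = t
    return by_user


def metrics(events: List[Event]) -> dict:
    """Campaign metrics. Rates are fractions of all recipients."""
    by_user = outcomes(events)
    n = len(by_user)
    vals = list(by_user.values())
    clicked = sum(o.clicked for o in vals)
    reported = sum(o.reported for o in vals)
    delays = sorted(o.report_delay for o in vals if o.report_delay is not None)
    return {
        "recipients": n,
        "click_rate": clicked / n,
        "report_rate": reported / n,
        # The two components hiding inside "no click":
        "unopened_rate": sum(not o.opened for o in vals) / n,
        "opened_no_action_rate": sum(o.opened and not o.clicked and not o.reported for o in vals) / n,
        # People who clicked but then reported: a catch, not only a failure.
        "clicked_then_reported": sum(o.clicked and o.reported for o in vals),
        # How long the organization was exposed before anyone raised a flag.
        "first_report_seconds": delays[0] if delays else None,
        "median_report_seconds": median(delays) if delays else None,
        # Reports per click; above 1.0 means more people flagged it than fell for it.
        "reports_per_click": (reported / clicked) if clicked else None,
    }


def reporters_in_order(events: List[Event]) -> List[str]:
    """Reporters sorted by time of first report: the queue of people owed a verdict."""
    by_user = outcomes(events)
    return sorted(
        (u for u, o in by_user.items() if o.report_delay is not None),
        key=lambda u: by_user[u].report_delay,
    )


if __name__ == "__main__":
    for k, v in metrics(EVENTS).items():
        print(f"{k:>24}: {v}")
    print("verdicts owed to:", reporters_in_order(EVENTS))
```

On this constructed data the click rate is 37.5%, but 25% of the "non-clickers" never opened the message at all, and only one user in eight opened it and took no action; the report rate and time to first report say far more about resilience than the click rate does. The `reporters_in_order` output is the list to work through when sending verdicts back.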

Train regularly 

Regular training and simulations keep your team vigilant and sustain the healthy behaviors and culture that protect your organization. Consider giving more susceptible users additional training.

Try Deploying a Responsive Delivery Tactic 

By setting up your awareness program to send email simulations while a recipient is active in their mailbox, you can increase interaction rates by up to 50%. An employee's mind is task-focused at that moment, so it is a realistic time to test their responsiveness and ability to spot something suspicious.

Deliver board-level reporting 

By clearly communicating the program's successes and areas for improvement at board level, you'll maintain the organization's overall investment in its security. It will help direct resources and budget accurately and improve your resilience over time.