How do you know if your Cybersecurity Awareness Training is Working?

You likely know that cybercriminals' top attack for the past several years continues to be launched through phishing email. You have probably also invested in cybersecurity awareness training for your staff. And you may know that many of the technical protections you have in place can be defeated by a single unsuspecting employee clicking a link or opening an attachment, potentially infecting your network and compromising your valuable data. Technical controls alone have become increasingly difficult to rely on against phishing, so awareness training for the staff at the front lines is a key part of defending your network and data. But how do you know that the staff is actually learning how to detect and avoid a phishing email?

Keeping Your Employees Alert

If you are like most businesses, you run an annual training session and hope for the best. However, you could be doing more to test your employees and keep them alert to phishing throughout the year. Phish testing (sending your own simulated phishing emails) has become an increasingly popular way to refresh annual training on a periodic basis. Many of the tools and solutions you already use may have the capability to perform phish testing, and the tests have become easier to set up and even automate, so the time to set up and administer them has dropped dramatically. We all know that "pop quizzes" can be very effective in verifying learning, and that is no different with phishing. Most phish testing solutions also have retraining built in: if an employee clicks a link or opens an attachment, they can be immediately directed to a short retraining page.

Most phish testing solutions can be set up to be very targeted: the phish content, timing and recipients can all be configured. This allows you to schedule targeted tests that go out at different times to different people, which gives a truer result, since not everyone receives the same phish at the same moment and staff cannot tip each other off. Many solutions also have a built-in difficulty level, so you can send more challenging phish tests to your technical staff. Finally, most include management reporting on how many employees fail the test, which is the number that actually indicates whether your cybersecurity awareness training is working.
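To make the configuration described above concrete, here is a small added example (not code from the original page or from any vendor's product) that does the two things a phish-testing tool does behind its dashboard: it assigns each recipient a lure by difficulty and a randomized send time inside a delivery window, and it turns the logged results into a per-department failure rate. The roster, the template names, the action names and the result events are all constructed for illustration.

```python
"""Added example: a minimal phish-test campaign scheduler and failure report.

Not code from the original page or from any vendor tool; the roster, template
names, action names and result events below are constructed for illustration.
"""
from __future__ import annotations

import random
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Employee:
    email: str
    department: str
    technical: bool = False  # technical staff get the harder lure


@dataclass(frozen=True)
class ScheduledSend:
    email: str
    template: str
    send_at: datetime


# Constructed roster (hypothetical people and domain).
ROSTER = [
    Employee("ana@example.com", "Finance"),
    Employee("ben@example.com", "Finance"),
    Employee("cai@example.com", "Sales"),
    Employee("dee@example.com", "Sales"),
    Employee("eli@example.com", "IT", technical=True),
    Employee("fay@example.com", "IT", technical=True),
]

# Hypothetical template names; the difficulty mapping is the point, not the names.
EASY_TEMPLATE = "easy-package-delivery"
HARD_TEMPLATE = "hard-password-expiry"

# Hypothetical action names a test platform might log; these count as failing.
FAILING_ACTIONS = {"clicked_link", "opened_attachment", "submitted_credentials"}

# Start of the delivery window used by the demo below.
WINDOW_START = datetime(2024, 1, 8, 9, 0)


def schedule_campaign(roster, window_start, window_hours, seed=None):
    """Pick a template per recipient by difficulty and spread the sends
    randomly across the window, so one person's phish does not tip off
    the next desk. A seed makes the schedule reproducible for auditing."""
    rng = random.Random(seed)
    sends = []
    for emp in roster:
        template = HARD_TEMPLATE if emp.technical else EASY_TEMPLATE
        offset = timedelta(minutes=rng.randrange(window_hours * 60))
        sends.append(ScheduledSend(emp.email, template, window_start + offset))
    return sorted(sends, key=lambda s: s.send_at)


def failure_report(roster, results):
    """Per-department failure rate: share of tested employees who took any
    failing action. An employee counts once however many events they
    generated, and one with no events at all counts as tested and passed."""
    failed = {email for email, action in results if action in FAILING_ACTIONS}
    tested = {}
    fails = {}
    for emp in roster:
        tested[emp.department] = tested.get(emp.department, 0) + 1
        if emp.email in failed:
            fails[emp.department] = fails.get(emp.department, 0) + 1
    return {dept: fails.get(dept, 0) / n for dept, n in tested.items()}


def best_department(report):
    """Department with the lowest failure rate (ties broken by name)."""
    return min(report, key=lambda d: (report[d], d))


# Constructed result events, in the shape a test platform might export.
RESULTS = [
    ("ana@example.com", "clicked_link"),
    ("ana@example.com", "submitted_credentials"),  # same person, counted once
    ("ben@example.com", "ignored"),
    ("cai@example.com", "ignored"),
    ("eli@example.com", "opened_attachment"),
    # dee and fay generated no events: tested, not failed
]

if __name__ == "__main__":
    for s in schedule_campaign(ROSTER, WINDOW_START, 8, seed=7):
        print(f"{s.send_at:%Y-%m-%d %H:%M}  {s.template:<24} {s.email}")
    report = failure_report(ROSTER, RESULTS)
    for dept, rate in sorted(report.items()):
        print(f"{dept:<8} failure rate {rate:.0%}")
    print("reward goes to:", best_department(report))
```

Two details matter when you build or evaluate a real report. Counting people rather than events keeps one curious employee who clicked three times from inflating a department's rate, and treating silence as a pass is only valid if the tool confirms delivery; a bounced or quarantined test email should be excluded from the denominator, not scored as a success.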


If you decide to pursue phish testing, there are a few recommendations to follow before you get started.

  1. First, your awareness training should already be complete, so everyone has had a chance to learn how to recognize and avoid a phish before being tested on it.
  2. Next, always be up front with your employees and let them know you will be conducting random phish testing. You do not announce the dates, simply that it is your policy to run this testing.
  3. Also, consider "gamifying" the testing by offering some type of reward to the department that does best at avoiding being phished during the testing (food or gift cards work well and are easy to do).
  4. Finally, you don't want to overdo it, so testing is recommended no more frequently than once each quarter.

Phish testing can be an effective way to measure the success of your cybersecurity awareness training. End users who recognize a phish remove the easiest path for the top threat, an attacker turning one click into a compromise of your network. If you need more information, Integrity IT has solutions and experience in performing phish testing for your business. Contact us today for a free demo.

