Training the end user must become as important a priority as maintaining firewall subscriptions and support. It can no longer be an option, nor can assuming everyone knows what they are doing and will only click the right things. Fortunately, there are resources to not only train, but to also test and hold your users accountable for their clicks. Enter KnowBe4.
(Full disclosure: I make no money on recommending products like KnowBe4 and I don’t often do product or service reviews but the concept behind KnowBe4 is what matters to me. We must train the end user: the human firewall. Whether you use KnowBe4 or another service the key is making sure end user training and accountability are a priority in your organization and an investment you are willing to make.)
KnowBe4 allows you to set up training campaigns in which you phish your own users and then record the results. Phishing campaigns can be customized to best fit your organization. As users fail these tests, they are then asked to watch a video or read a training article. KnowBe4 provides hours of video training and countless courses your users can self-study through. There are even 10-minute sitcom-like shows teaching various online security concepts. Here is how I deployed KnowBe4.
First, we did some baseline tests where we would send phishing emails to our users, but if they clicked, they got nothing but a blank web page. This allowed us to discreetly set a benchmark for how prone we were to phishing failures. Once we had the baseline, we rolled out our plan. We do 3 phishing tests each week. One is on current events, one is on the latest scams, and one is targeted specifically at social media attacks. Again, you can customize all of this.
When you fail a phishing test, upon clicking the link you are taken to a customized STOP page bearing our logo that explains why you failed the test. The STOP page describes common things to look for in a phishing email. All STOP pages can be fully customized. You can also create pages that look like your Office 365 or other services' login page. These pages can record any data entered, so you not only know who clicked but also what they typed into the bogus forms. But I digress.