How do you prepare an organization for you to try and trick them? In the second part of this series on simulated phishing, we provide the outline for a communications plan.
When your overall goal has been decided for your simulated phishing exercise, it is time to plan your internal communications strategy. This is useful for ensuring your chosen goal is achieved throughout the organization, and that everyone understands why your phishing simulation is necessary and useful.
Be aware that since people in your organization are all different individuals, their reaction to getting tricked by their own colleagues may vary. By getting your communications right, both ahead of and after the phishing simulation, you retain much greater “control” over their reactions.
Your communications strategy should align with your goal for the exercise. You should also make sure that all relevant target groups are considered.
Therefore, analyze your communications needs, and decide what each message should look like, depending on their timing and target group. Here is an example, defining the who (target group), when and what for each message:
| Who | When | What |
|---|---|---|
| Executive management | Before | Explain why email is a risk to the organization, what simulated phishing is, and what you are looking to achieve (your goal!). If needed to get approval, describe the planned theme of your simulated email, and steps taken to ensure the desired outcome – including your communications plan. |
| Internal helpdesk | Before | Describe the simulated email sample which will be sent out, including sender email, subject and any links/attachments included. Ensure support personnel are provided with a specific response for every user who contacts support in relation to the simulation, and that they are all on board with your overall objective. |
| Employees | Before (possibly) | Unless you have performed such simulations internally before, you should publish a general notice with regards to the upcoming simulation. This is important since nobody is going to be expecting their own colleagues to be trying to trick them without being warned. Include a description of your objective, and focus on the desired/expected behavior, e.g. reporting the phishing email to your helpdesk. |
| Employees | After | Inform your colleagues about the results of the simulation. This could be done a couple of days afterwards, and should summarize the main results. Keep in mind, however, that the number of people who have clicked or been tricked are not necessarily the results you are looking for. Instead, a positive statement about how many people reported the phishing simulation is more likely to promote desired behavior in the future. |
| Internal helpdesk | After | Thank the helpdesk for helping out when they probably received a bit more noise. But also use the opportunity to gather any feedback they have collected from end-users, to include when evaluating the rehearsal afterwards. |
| Executive management | After | If this was the first time a phishing simulation was performed in your organization, there will possibly be interest in an analysis of what the results mean in terms of the organization’s risk exposure. Therefore, prepare your message for any follow-up, including any further steps needed to achieve your overall objective for the rehearsal. |
It may be useful to involve your organization’s communications team when you plan ahead. This is both because they usually excel at making a message understandable for everyone, and because they can simply relieve you of some work related to the exercise.
In some organizations, getting executive management support for the exercise could be crucial to succeed. However, a single management sponsor may be everything you need, and you may not want to give management all the details of what and when to that they are entirely “off the hook”. If management is completely exempted from the exercise, others in the organization may more easily perceive a degree of internal hostility when the results arrive.
See below for examples of what to communicate to both management, employees and internal helpdesk.
Should people know in advance?
To the question on whether you should let your colleagues know about the exercise up front, this may also depend on your goal for the exercise. In general, do not be afraid of “broken” statistics due to giving people a heads up – in the end, these statistics do not really matter.
You should instead take extensive action to avoid people feeling tricked by their own security team, which could lead to a negative experience. On the other hand, you may skip the advance notice when people get used to the idea of receiving simulated phishing, since you do not want people to only be alert when you told them up front.
Finally, internal helpdesk personnel are key to securing a good experience for everyone. These people are the ones most likely to be contacted by users who are not sure what the email is about, wants to report it, or have already been tricked. In all cases, it is good to ensure the quality of how they are followed up on, by preparing a standard response for them, or in collaboration.
Also, this final step ensures that helpdesk personnel do not waste any time analyzing the simulated phishing email and responding to it like any other phishing campaign. Therefore, you should include your contact person here on the exact appearance of the phishing email, so the proper response can be identified efficiently.
And this task brings us to the next step in your simulation, designing the scam itself, which is the topic for our next post in this series.
