Implementing In 4 Steps:
Step 1: Import Your Users
Import all of your users’ email addresses so we can send them simulated phishing emails and training notifications.
Step 2: Conduct a Baseline Phishing Test
Send out a baseline test to all of your users to find out who is phish-prone.
Step 3: Train Your Users
Enroll all of your users in the 45-minute Kevin Mitnick Security Awareness Training course, or a similar comprehensive Security training module.
Conduct randomized phishing tests along with remedial training campaigns to help strengthen your human firewall.
We’ve broken these steps down into specifics below:
Step 1: Importing Your Users:
Preliminary steps before importing:
- Gather a list of all user email addresses you wish to import. We don't recommend importing “catch-all” email addresses or distribution lists that go to more than one recipient. (For example, “firstname.lastname@example.org”)
- Identify any groups you may wish to create. Groups can be used for targeted phishing and training campaigns.
- Decide if you wish to import any other user information other than email address. The fields you can import are as follows: First Name, Last Name, Phone Number, Mobile, Extension, Group, Location, Division, Manager Name, Manager Email, Job Title, Employee Number, Password, AD Managed. Many of these fields can be used to customize phishing templates.
3 options for importing users:
- Active Directory Integration (ADI): This method is strongly recommended if you're using Active Directory to maintain your users.
- Quick Import: Useful for importing fewer than 100 users.
- CSV Import: Useful for importing a larger quantity of users or including other data such as name, phone number, and more.
Useful documents related to importing users:
- Full User Manual for Users and Groups
- ADI Product Manual
- How to get emails out of Active Directory (for CSV import)
- List of Placeholders (for use in phishing templates/training notifications)
- Managing Multiple Email Domains
Step 2: Baseline Phishing Test
Preliminary test campaign:
We recommend that you run at least one phishing campaign that is limited in scope to only one or two administrative users who can confirm receipt and tracking of clicks on phishing links. This should be done before the baseline test and will confirm that our phishing emails are getting through any spam/firewall protection. This campaign can be deleted once the testing is successful.
Establishing a Baseline.
The first thing you should do after your preliminary test campaign is successful is to conduct a baseline phishing test. Here are the recommended parameters for a baseline test:
Recommended settings for initial baseline phishing test:
Name: Baseline Test
Deliver To: All Users
Frequency: One time
Start time: Select the day/time (Monday or Tuesday is recommended, and a time when users are active and checking emails is best)
Sending: Send all emails when the campaign starts
Track Activity: At least 3 days after sending is complete
Templates: IT ---> Change of Password Required Immediately
Difficulty Rating/Phish Link Domain: Leave as-is.
Landing Page: If you'd like, you can choose a different landing page here, such as the 404 page, blank page, or a custom landing page that you've created. See our article about selecting landing pages.
Add Clickers To: Select a group if this feature is being used. If you are unsure, leave this blank.
Send email report: Checked. The email report will be sent to all admins when the duration of the campaign is met.
Useful documents related to phishing:
Step 3: Training
For your initial Security Awareness training campaign, we recommend that you enroll ALL of your users in the 45-minute Kevin Mitnick Security Awareness Training or a similarly-comprehensive course.
Recommended settings for an initial training campaign for all staff:
Name: Security Awareness Training for All Users
Start Campaign At: Set as applicable
End Campaign At: Select a Relative Duration of 3 weeks
Courses: Kevin Mitnick Security Awareness Training - 45 Min
Enroll Groups: Select All Users (Check box to auto-enroll new users)
- Add a welcome email to users which will contain the link for your users to confirm their account and log in for training.
- Add additional reminder X days after enrollment and X days before the due date to remind users to complete their training on the specified schedule.
This will create a training campaign for all of your users, and as you add new users to the console in the future they will be automatically enrolled and receive a welcome email. Each user will have three weeks from the time of enrollment to complete the training. You can manually initiate notifications emails from within the console if users are taking too long to complete the training.
Useful Documents related to Training:
- Creating and Managing Training Campaigns
- Setting Up Remedial Training Campaigns
- Video: How to Set Up Training Campaigns
- Video: How to Monitor Training Campaigns
Step 4: Ongoing Phishing & Training
Ongoing phishing and training are KEY components to help manage the problem of phishing and social engineering. The following is an outline of ongoing actions we recommend you take:
Ongoing phishing campaign recommendations:
- At a minimum, send a monthly phishing test to all users.
- Include multiple email categories and types (Attachment tests, phishing, spear-phishing, reply-to).
- Spread emails out over a longer duration, such as one week, so users will not know when they are going to be phished.
- Add clickers to a remedial group (For example, you can call the group “Clickers” or “Phish-Prone users”) and assign this group additional training.
Ongoing training recommendations:
- Create a remedial training campaign. On your Remedial Training Campaign settings, you can choose to remove users from the Clickers group once they complete training, and enable them to take the training multiple times.
- Train specific groups as needed on various specialty courses (Handling Sensitive Information, Mobile Device Security).
- Send out monthly “Security Hints and Tips” emails from the phishing templates area to all users.
- Set up a weekly "Scam of the Week" newsletter to keep your users aware and ready to defend against the latest phishing and social engineering scams.