What To Do When Users Keep Clicking
We recommend training all of your users with our full security awareness training module to give them the skills they need to identify and defend against phishing and social engineering attacks. But what should you do if users still click on your phishing tests after completing the training? Below, we provide a few ideas for handling your "clickers" or your most vulnerable, phish-prone employees. Adapt these ideas for your organization, and feel free to add your own creative ideas in the comments.
- Create an automated remedial training campaign.
Using your KnowBe4 console, you can create an automated training campaign which will serve your repeat offenders with additional security training. Below, we've provided more information and best practices on how to set this up:
- Make it a friendly competition.
While remedial training works well for your phish-prone users to reevaluate their "click-happy" ways, positive reinforcement for those users who do not click can work just as well, and can also encourage users to become interactive or even excited about their security training.
Some organizations will reward users with the least amount of clicks with gift cards or other incentives. Alternatively, departments with the least amount of phishing test failures could be rewarded with a paid lunch, organization outing, or another reward.
- Apply a hard limit to the number of phishing test failures a user can have before they will face an administrative warning (whether through HR or their manager) or increased security restrictions.
As users who fail your phishing tests regularly are putting the organization at risk, applying a hard limit to how many failures they can have could encourage them to take their security training more seriously. Receiving warning notices from their manager or HR will reinforce the importance of keeping alert when it comes to cyber security.
You will also want to consider limiting your phish-prone users' access to certain applications or websites while increasing their security configuration settings and security-related applications if they prove to be a vulnerable employee.