How To Handle My Vulnerable Employees
We recommend training your users with our security awareness training modules to give them the skills they need to identify and defend against phishing and social engineering attacks.
However, if you still have users who fail your phishing tests after they have completed training, we have provided a few ways to handle your most phish-prone employees. Feel free to adapt these ideas to better fit your organization.
Create an automated remedial training campaign.
In your KnowBe4 console, you can create an automated training campaign that will assign your repeat clickers additional security training. You can find more information about remedial training campaigns and best practices in the articles linked below:
Make it a friendly competition.
While remedial training is effective at getting your phish-prone users to re-evaluate their "click-happy" habits, positive reinforcement for the users who do not click can work just as well. It encourages users to engage with their security training and get excited about it.
For example, some organizations use gift cards and other incentives to reward the users with the fewest clicks. Alternatively, the departments with the fewest phishing test failures could be rewarded with a paid lunch or a team outing.
Warn users of administrative or disciplinary action.
Users who fail your phishing tests are putting your organization at risk. Setting a limit on the number of failures users can have before administrative action is taken may encourage users to take their training more seriously. Receiving warning notices from their manager or HR will reinforce the importance of staying alert when it comes to cybersecurity.
Also, consider limiting your phish-prone users' access to certain applications or websites, and tightening their security configurations and security-related applications, if they continue to prove to be vulnerable employees.