Phishing campaigns continue to be one of the most successful ways for malicious intruders to gain access to company information, including the personal information of employees and customers. Phishing emails keep getting more sophisticated, and employees keep falling victim to them, often putting the entire company at risk. A successful phishing campaign typically ends in one of three ways: the attackers access and exfiltrate personal information, which obligates the company to notify affected individuals and regulatory authorities; the company pays a ransom after a ransomware infection; or the company spends a tremendous effort restoring from backups. None of these outcomes is good for the company.
Employees remain largely unaware that they are being targeted by attackers, and they trust emails that appear to come from familiar people and carry plausible-looking messages. Only after the fact do they see the clear warning signs that the message was fake.
Educating employees about phishing emails, their warning signs and how to recognize a scam is an important part of a company’s risk management program. Once employees have been educated, the next step is to test their knowledge and response rate. Many companies never test employees to determine who the riskiest employees are, who learned from the training and who remains careless. That is where phishing tests come in.
Testing employees with internal phishing simulations can set the baseline for assessing the risk of an external attack, and can help companies focus on those employees who may need a little extra help. We have heard stories about companies that publicly belittle employees who fall victim to a phishing email. It makes more sense to help the employee recognize the red flags in a phishing email and turn that employee into a champion rather than embarrassing him or her. It is also worth measuring how many employees report the simulated email, not only how many click it: an employee who reports a suspicious message gives the security team time to act before anyone else falls for it, and an employee who was punished for clicking has every reason not to report the next real one.
Once a company has a baseline on how its employees fare with an internal phishing test, it should run the tests periodically to keep employees vigilant, and reach out to those who continue to fail, including providing extra education.
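As an added illustration, not part of the original article, the following Python script shows one way to track the measurements described above across several simulated campaigns: the baseline click rate, the per-campaign click and report rates, the employees who keep clicking in consecutive tests (candidates for extra education), and those who clicked at the baseline but reported the latest test instead. The campaign results are constructed sample data and the function names are our own; a real program would load the same fields from the phishing-simulation tool's export.

```python
from collections import defaultdict

# Constructed sample data: results of three internal phishing simulations.
# Each record is (campaign, employee, clicked_link, reported_email).
RESULTS = [
    ("2024-Q1", "alice", True, False),
    ("2024-Q1", "bob", True, False),
    ("2024-Q1", "carol", False, True),
    ("2024-Q1", "dave", False, False),
    ("2024-Q2", "alice", True, False),
    ("2024-Q2", "bob", False, True),
    ("2024-Q2", "carol", False, True),
    ("2024-Q2", "dave", True, False),
    ("2024-Q3", "alice", True, False),
    ("2024-Q3", "bob", False, True),
    ("2024-Q3", "carol", False, True),
    ("2024-Q3", "dave", False, False),
]


def campaign_rates(results):
    """Per-campaign (click_rate, report_rate), keyed by campaign name."""
    totals = {}
    for campaign, _, clicked, reported in results:
        t = totals.setdefault(campaign, {"n": 0, "clicked": 0, "reported": 0})
        t["n"] += 1
        t["clicked"] += int(clicked)
        t["reported"] += int(reported)
    return {c: (t["clicked"] / t["n"], t["reported"] / t["n"]) for c, t in totals.items()}


def baseline_click_rate(results):
    """Click rate of the earliest campaign: the baseline the later tests are compared against."""
    rates = campaign_rates(results)
    return rates[min(rates)][0]


def employee_history(results):
    """Map employee -> list of (campaign, clicked, reported), in campaign order."""
    hist = defaultdict(list)
    for campaign, emp, clicked, reported in sorted(results):
        hist[emp].append((campaign, clicked, reported))
    return hist


def repeat_clickers(results, streak=2):
    """Employees who clicked in `streak` or more consecutive campaigns.

    These are the people to reach out to with extra education rather than
    to embarrass publicly.
    """
    flagged = set()
    for emp, hist in employee_history(results).items():
        run = 0
        for _, clicked, _ in hist:
            run = run + 1 if clicked else 0
            if run >= streak:
                flagged.add(emp)
                break
    return flagged


def improved(results):
    """Employees who clicked in the baseline campaign but reported (and did not
    click) the most recent one: the education worked, and they are candidates
    to become champions."""
    out = set()
    for emp, hist in employee_history(results).items():
        _, first_clicked, _ = hist[0]
        _, last_clicked, last_reported = hist[-1]
        if first_clicked and not last_clicked and last_reported:
            out.add(emp)
    return out


if __name__ == "__main__":
    print(f"baseline click rate: {baseline_click_rate(RESULTS):.0%}")
    for campaign, (click, report) in sorted(campaign_rates(RESULTS).items()):
        print(f"{campaign}: clicked {click:.0%}, reported {report:.0%}")
    print("repeat clickers (extra education):", sorted(repeat_clickers(RESULTS)))
    print("improved since baseline:", sorted(improved(RESULTS)))
```

On the sample data the click rate falls from 50% to 25% while the report rate rises from 25% to 50%, one employee is flagged for clicking in every campaign, and one has moved from clicking at the baseline to reporting the latest test. Tracking the report rate alongside the click rate is deliberate: a falling click rate alone could just mean people are deleting the test emails unread.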
Employees want to do the right thing. Monitoring how employees react to an internal phishing test is valuable for establishing a baseline for their training, and also for continuing to monitor progress and manage the risk of an external phishing scheme.