
How To Design A Training Program With Phishing And Social Engineering Courses

By: Sarah Hofmann | Awareness training | 31 May

Training our colleagues on information security topics is an essential part of every organisation’s data security work. While the GDPR and other cybersecurity frameworks require this kind of training, it also helps establish a strong security culture within your organisation. But deciding what to cover in these training courses and how to arrange the courses in a meaningful way can be a challenge for even the most experienced IT professional. In this blog post, we discuss why phishing and social engineering are topics that are important to cover in training and share recommendations on what you can include in different training courses.

Why cover phishing and social engineering in IT security training? 

Our employees are our strongest line of defence when it comes to protecting our companies' data security, but they can also be our biggest weakness due to human error. Since we all spend a lot of time each day checking emails, cybercriminals try to take advantage of gullible employees with malicious emails. Unfortunately, it only takes one employee to fall for a phishing email and compromise the entire organisation's security. Phishing is one of the biggest threats to IT security that companies face today, so it’s vital that all employees know how to recognise a phishing email, what to do when they receive one, and are familiar with different variations of phishing, such as whaling or smishing.

Aside from phishing, it’s essential to teach your employees about social engineering tactics. Social engineering methods are what cybercriminals use to manipulate our behaviour and make us feel like we have to take action, like clicking a phishing email. Teaching your staff about social engineering tactics will prepare them to recognise when social engineering is being used against them.

Some social engineering tactics are more successful than others. In a study using data from our own phishing campaigns, we reveal what kinds of phishing emails trick the most people. For example, when an email looks like it is from someone of authority within the organisation, employees are likely to take action without thinking twice. 

Training your employees on these topics is an effective way to raise awareness among your colleagues. Aside from informational training, we also recommend practical exercises such as phishing testing. 


Sample course plan 

Here, you can see a potential list of courses that will cover the whole topic of phishing and social engineering. Additionally, you can see a brief overview of the content we cover in each course. If you are interested in seeing what other topics our awareness training covers, you can view our entire course catalogue here. 

Interested in trying the courses out yourself? We offer a 14-day free trial, so you can get a better idea of what the courses include.  

Course: Phishing*
About:
  • Introduction to phishing
  • Warning signs of phishing
  • Basic handling of phishing emails
Language: EN, DK, DE, SE, NO, NL, PL, ES, FR
Video: Yes

Course: How to spot a phishing email
About:
  • In-depth info on the warning signs of phishing emails
  • How to handle phishing emails
Language: EN, DK
Video: No

Course: How to handle a phishing email
About:
  • Warning signs of phishing emails
  • In-depth info on how to handle them
Language: EN, DK, DE, SE, NO, NL, PL, ES, FR
Video: Yes

Course: Targeted phishing
About:
  • How cyber criminals can create trustworthy phishing emails by researching the organisation they attack
Language: EN, DK, DE, SE, NO, NL, PL, ES, FR
Video: Yes

Course: Hacking on social media
About:
  • Awareness of scam messages on social media
  • Special attention to suspicious messages from known contacts due to hacked accounts
  • Tips to protect your own account against hacking
Language: EN, DK, DE, SE, NO, NL, PL, ES, FR
Video: Yes

Course: Phone scamming
About:
  • Awareness of social engineering via phone calls
  • Tactics for how to avoid feeling pressured or manipulated over the phone
  • Awareness that phone numbers can be falsified (spoofing)
Language: EN, DK, DE, SE, NO, NL, PL, ES, FR
Video: Yes

*This course is usually sent out in connection with the implementation of CyberPilot’s Awareness Training

As you can see from the sample courses and content, we typically feature a description of the threat and why it matters in order to encourage healthy scepticism of emails and requests. The goal of the training is for employees to come away with concrete knowledge that they can apply in their daily work.

Practicalities for training 

So now that you have an idea of potential topics to cover in your phishing and social engineering training sessions, let’s discuss the fun part – training your team to become your strongest security asset. A lot of work goes into preparing training sessions, so you want to make sure that your colleagues will get the most out of them. That’s why it’s important to consider the appropriate timing and content sequences. 

How often should you have trainings? 

Based on our experience providing awareness training services, we recommend that your staff receive 1-2 training courses each month. You can maintain continuous awareness by delivering training every month without overwhelming or fatiguing your colleagues with too many courses to complete.  

Of course, the number of trainings you provide each month will depend on your staff’s level of existing knowledge and the resources you have available to create and implement training courses. So, you should ultimately do what is best for your organisation and your colleagues.  

How do you decide what topics to cover each time? 

In our training program, we design our courses to be stand-alone, so that they can be taken in any order regardless of the amount of existing knowledge that an employee has. Creating your training with these kinds of courses can simplify the process of administering training, especially when you onboard new employees. It also gives you the discretion to cover topics in a timely manner. If you do this, it may be helpful to create an introductory course that covers a wide range of topics, with different courses for sub-topics.  

Additionally, we recommend that you spread courses with one focus area over time so that the topic remains top-of-mind and your employees don’t get tired of one subject. For example, you could alternate phishing and social engineering courses with courses covering the GDPR or other safe data practices.

We also have a recommended course plan for your whole first year of awareness training, if you want broader topics than "just" phishing and social engineering.   

We hope this blog post has been helpful for you! If you have any questions about designing a training program or want to learn more about covering various topics in your own training, you are welcome to reach out to us.