Remediating Phishing Failures: Helping Your 'Clicksters'
March 20, 2023 | By: Stephen Boals
The Low Hanging Fruit of Human Factor Risk Reduction
For most organizations, phishing failure rates flow like the incoming tide. They rise and fall with changes in personnel, new attack methods and variations in attack complexity. But within that rise and fall of failure rates, there are always the serial clickers, which we call “clicksters”. These users repeatedly fail, and just can’t resist the click. Depending on how the organization runs its simulations, this list can be very large or small. But the reality is that most organizations look at under 10% as a victory and under 5% as excellent, with a large share of that percentage made up of repeat offenders. What if we could guarantee a rate of less than 2%?
The fact that these failures are constantly present, even though seen as a “low” number, poses a significant risk that can be remediated quickly and with minimal effort, in a single pass, if the right tool is leveraged.
But most organizations struggle with how to remediate this population, typically doing one or more of the following things:
- Assuming that running them through the same exact training will result in a different outcome
- Resending simulations to give them a second “try”
- Trying to change a behavioral issue with different content (like chopping down a tree with a hammer)
- Having the cybersecurity team “counsel” the perpetrator
- Having untrained managers intervene and counsel
The Evolution of Phishing Awareness Training
The truth is, no amount of the content fire hose will result in a long-term adjustment of security behavior when it comes to those who repeatedly click. We must shift the focus from teaching them what to know in the moment to teaching them what to do in the moment. This requires an emphasis on mindfulness, so that the employee chooses to do the right thing in the moment.
cyberconIQ takes a patented and focused phishing remediation approach to the tail of the human risk curve, and has built two essential tools to complement any security awareness training program. They can also be the initial brick in the foundation of your security behavior and culture program. The goal? To get to what we call the lowest theoretically possible residual, resistant risk. Here is a quick overview of each:
phishFixIQ – Phishing Remediation and Training – Built as an adaptive remediation tool, and based on our patented myQ assessment, this focused training tool knows a user’s vulnerabilities that are tied to their personality and online risk style. It is focused, proven effective and “sticky”, providing high remediation rates even for the most ardent clicksters. phishFixIQ can be used to augment and improve any current program, and has a large return on investment when it comes to lowering breach probability and cost.
leaderIQ – Executive Leadership Cybersecurity Training is usually the missing piece of any security awareness training program, and is required as organizations look to build a cybersecurity culture, lower their human-centered risk and establish a consequence management and coaching program. LeaderIQ provides training on risk styles, communication, coaching, and the creation and support of a mindful security culture. It provides the final piece of the puzzle for achieving the lowest risk possible and for providing continuous culture growth for all users.
For more information on improving your existing security awareness programs, lowering your human risk, and creating a cybersecurity cultural framework, contact us today.