What is a security awareness programme?A security awareness programme is more than security training. It educates employees that data is a valuable corporate asset. A security awareness programme will change employee behaviour and reduce risks.

At least 75% of incidents are human error related - often due to a simple lack of awareness. Successful security awareness programmes are interactive, fun, encourage participation and use a variety of tools such as:

  • Posters
  • Presentations
  • Staff newsletters
  • Contact info to report suspicious activities
  • Quiz/competitions
  • Simulated phishing attacks
  • e-learning
  • Email signature
  • Email/Slack

The programme should continuously evolve to ensure everyone can see how quickly cyber-criminals change their approach.

Measure success

To know how successful your programme is, you need to measure it. Ongoing assessments should form part of the measurement programme and there should be a follow-up process to gather feedback on employees’ experience of the engagement and the improvements that can be made.

Go Phishing

One of the best ways to raise the level of security awareness is to send a phishing email. This recreates exactly what the hackers are trying to achieve. It’s easy to implement, measurable, low cost and quickly identifies vulnerable employees. 90% of victims are captured in the first hour and 30% to 60% will actually click.

But be nice. Your objective isn’t to name and shame people. You simply need people to be more security conscious. Don’t use content that might embarrass people and only give senior manager names of repeat offenders.

How to Phish

  • Use URL shorteners to hide fake domain
  • Ensure email has 2-3 ways to phish
  • Use email marketing software
  • Use pen testing software (ethical hacking)
  • Disguise phish in a popular application

What to do when they click?

Simply send the guilty parties an automated email telling them it was a test and how to avoid it in the future.

24 hours after the campaign conclusion, send employees the report. Explain how to detect the phishing elements of the sent email.

You should also measure how many people reported the attack and set up a process on what to do when people continuously click on your test phishing emails.


Over time, the impact will lessen, but you will need to increase the complexity of your phishing emails.

You may also wish to incorporate a few spot checks and leave reminders for when other security measures have been met or overlooked.

By John Casey of Trilogy Technologies.