1. People Boast about the Tricky Phishing Email They DIDN’T Fall Prey To

Good news! Everyone is on the lookout for phishy emails, even your C-level execs. When people spot a good phishing attempt, they post it up like a notice on a registered sex offender. And the results of your ongoing phishing tests? They’re getting better all the time. We’re having a lot of fun in my own company as we all become connoisseurs of tricky phishing schemes. Just last week, for example, our sales team received a particularly assertive email that used strong language (“Here you go, you f---- thief!”) to claim the recipient was being sued. Two sales reps independently reported the phishing attempt and spread word around the office. And we all talked about why this attempt could work, namely, by shattering people’s sense of decorum and putting them on the defensive. I can hardly express how happy it made me to have people dissecting the ways that cybercriminals use emotional appeals to break down people’s defenses!
2. Employees Are More Aware of Their Surroundings

Awareness means more than watching your inbox, of course. It also manifests itself in the ways people protect your facilities. For example, you may notice that your employees aren’t falling for the clever ways people try to gain unauthorized access to your building. Even that well-dressed pregnant woman with an armful of boxes gets a friendly escort to the front lobby—or back to her car. What do your employees do when they notice that a coworker has left their computer unlocked while away from their desk? In our office, people used to punk those with unlocked computers by sending an embarrassing (but good-natured) email to the whole company. But we quickly found that a little too much. Now, if you come back to your desk and find “It’s Peanut Butter Jelly Time” playing on your computer, you know you’ve slipped.
3. You Hear People Discussing the Training Itself

For the client I started this article talking about, the simple fact that people discussed his training (and positively) was the obvious sign that cybersecurity mattered. When it comes down to it, people talk to each other about the things that interest them, and the fact that they were talking about cybersecurity instead of the reality show du jour was a great sign. If you’re running a security awareness program well, you’ll set the groundwork for conversations like these all the time.
4. No More Password Post-its

Many IT staff I’ve known over the years saw password sticky note hunting as a competitive sport. You know what I’m talking about: employees who’ve grown tired of all the passwords they have to create for work and resort to leaving them written around their workspaces. Passwords scrawled on Post-it notes and “hidden” under desks and on the flipside of keyboards are one way to know that cybersecurity best practices are not being followed. The absence of this classic sign of security fatigue, however, is a sign to you that your awareness efforts are doing their job.
5. The Proof Is in the Numbers

Hard data is perhaps one of the easiest ways to see if an awareness program is bearing fruit. For one, keep an eye on incident reports. Is the number of incident reports increasing while the actual incident count is falling? That means the training is reaching your employees: heightened awareness combines with proactive behavior to nip potential incidents in the bud. If you’re looking for metrics to show that your awareness program is working, this is the “show me the money” metric that proves the culture. There are other metrics to look at as well. You may have knowledge assessment scores that have increased, especially in the high-risk areas you identified in your initial assessment. You may have evidence that your phishing program, which you’ve been running throughout the year, has directed targeted training to those who need it most and that most users have improved their phishing detection over time. If you’re running an awareness program and looking for signs that you’re making progress, don’t feel bad if you’re not getting pats on the back because people love your training; the signs may not be that obvious. But do keep your ear to the ground for the subtle signs that a risk-aware culture is growing in your organization. The work you are doing may take a while to pay off, but the effort is well worth it.