You want to teach your users about cybersecurity and phishing, and you want the training to stick. There are many simulated phishing campaigns out there. In fact, you could probably create your own and make it believable—right? 

Not so fast.  

While you might create a phishing campaign with some shock value, it may underwhelm your expectations. Ask yourself: Just how will a negative experience lead employees to change their behavior? Instead, try the human approach. 

Make your simulated phishing campaign a positive employee experience. 

A recent Forrester article, Rotten Phish Spoils Employee Experience, is illustrative:

Some months ago, the renowned Tribune Publishing Company sent simulated phishing emails to its employees, promising bonuses of $5,000 to $10,000 to staff members who had already survived recent layoffs and pay cuts related to the ongoing pandemic.

As part of this phishing campaign, employees were prompted to log in for more details. Upon logging in, they were notified that they had just failed a simulated phishing test. 

It isn't particularly surprising what happened after this campaign.

In a word, employees felt shamed, particularly those who were already struggling. The organization’s brand took a significant hit. Both the internal security team and the external security vendor's reputation were damaged.

So, what's the takeaway?

While many phishing emails employ shame tactics, a reputable organization will prioritize empathy over shock value and find a better way to create security awareness.


Phishing and security awareness resources

Illustration of young man reading a book, next to a bookshelf. BrainStorm, Inc. (Oct. 2021) for "Cybersecurity risk management: a resource roundup" blog

Thankfully, it's possible to shore up security without shaming employees. To get started, check out the following resources.

What a successful simulated phishing program looks like

Because 90% of data breaches result from phishing, running simulated phishing attacks is a no-brainer for any corporate security strategy. But not all faux phishing programs are created equal. 

A good, simulated phishing program will lead to lower click-through rates and higher reporting rates. An outstanding program will do the same things and help users become more security savvy by treating them as partners—not as liabilities. 

Prevent cyber risks with phishing awareness training

Every organization wants to be vigilant about security. But burgeoning data are irresistable to scammers who work relentlessly to breach your digital fortresses. 

What is the top cybersecurity risk? And what can individuals do to prevent a cybersecurity breach? Assess your strategy here. 

Small business phishing test how-tos

If your company doesn’t have the personnel or budget for large-scale phishing tests, what can you do? 

First, try these no-shame phishing test how-tos, designed specifically for small businesses to educate users against cyberthreats. 

What your security awareness training is missing

Effective training is more than telling users what not to do. It’s about helping users develop secure working habits, which helps them boost efficiency and guard against security risks. 

So—if you’re serious about protecting your data, your company, and your people, share these Microsoft 365 best security practices with your users. 

The 6 habits of cyber-safe users

While physical safety precautions are no-brainers, cyber security isn’t always as intuitive as locking your front door. In fact, according to Security Intelligence, human error causes 95% of data breaches. 

However, these 6 habits can help users prevent and reduce security breaches. 

Why everyone hates security awareness training (and how to fix it)

As soon as mandatory security awareness training is announced, the security team can expect some pushback. Nobody likes mandatory trainings, and saying, “come on, just do it” doesn’t help.  

Instead, understand where your users are coming from. How? Reframe your approach to security awareness training and show users that you empathize with them.

The A to Z of security awareness

Use this roundup of terms, tips, and actions to help your organization become more security aware, one end user at a time. 

7 remote security dos and don'ts 

According to CISO Richard Kaufmann, “Bad guys have the easy job. They can be as creative as they want (and) can attack you through any means necessary.”  

Whew. It’s hard to adapt when your security landscape is constantly shifting. Plus, even the best IT department can’t be 100% effective if employees aren’t security savvy. So, what’s the answer? 

Stay one step ahead of the scammers by following these remote security dos and don’ts. 

Outsmarting the scams

Hackers and digital pirates are willing to try every type of scam to get their hands on your organization’s data through your employees. 

Could you and every person in your organization spot a phishing scam? If you think even one employee can improve, download “Outsmart the Scams” as a first step toward keeping your organization safe. 

Scam wise: working safely from home

Fortunately, you don’t have to be an IT whiz to protect yourself, your data, and your company from scams, viruses, and other cybersecurity threats. Often, just paying attention and being aware can help you spot and prevent virtual dangers. 

Download “Scam Wise: Remote Security Dos and Don’ts” to help you shore up your digital defenses. 

The ultimate guide to security awareness training

Security is a high priority for most companies, yet most employees are not confident they could identify a social engineering attack if they saw one. 

Security awareness training provides peace of mind for IT security teams by establishing enforceable security policies, improving employee knowledge of cybersecurity best practices, and increasing customer confidence that their data is secure with you.


Empowering users with Threat Defense

Img 2 - Threat Defense

If you're reading this article, then you clearly care about your organization’s data security. All the above resources will only add to your determined efforts.

Still, even the most helpful resources are no match for users who don’t know how to defend themselves against phishing schemes and cyberattacks. 

BrainStorm Threat Defense is designed to empower every kind of technology user so they can work more securely. No shame, no guilt; just more employees who are armed with the right information and skills.

Want to see Threat Defense for yourself? Check it out here. And stay safe!