As the security awareness market has grown and matured, phishing simulations, or phishing campaigns, have become joined at the hip to security awareness training. Some companies buy both together as a package from a vendor and others will choose different vendors for each. Some vendors excel at phishing while others focus their product and content efforts on training.

Is it necessary to do both security awareness training and phishing simulations? No, unless your auditors or cyber insurance requires it. The issue we have with phishing simulations is that oftentimes phishing simulations are seen as the continuous form of security awareness training whereas traditional security awareness training is done on a fairly irregular schedule.

While phishing simulations, if done right, have value as a part of a broader security awareness program, continuous forms of security training are more effective at building a security mindset and better security hygiene.

Why run phishing campaigns? 🤔

There are lots of reasons to do phishing simulations - real-world experience for employees, snapshot of risk for management, audits, to lower cyber insurance. Phishing simulations are one part of a well-rounded security awareness or human risk program.

📅 How frequently should you run phishing campaigns?

The biggest limitation of phishing campaigns is that they can’t be done frequently. Most companies get pushback from employees if they do them more frequently than monthly. Many companies will do them every other month or quarterly. And, as the data shows, even monthly training is not effective for retention. When you stretch out to every other month or every quarter, phishing campaigns have limited value as a training tool.

But, a monthly or quarterly phishing campaign is a good way to gauge the risk at your company and to measure the effectiveness of security awareness efforts to inform employee behavior against phishing attacks.

☹️ Phishing simulations do not build a security mindset.

📉 Phishing simulations are a great way to assess the effectiveness of security awareness.

Continuous training is more effective🎖

The goal of a security awareness or security training program should be to 1) make employees more security aware and 2) build a security mindset in employees. Phishing campaigns have a role in this. Haekka recently released a phishing simulator. But, they are one feature of what should be a more all-inclusive approach to security awareness.

In order to build a security mindset, employees need to be engaged more frequently that phishing campaigns allow. And more frequently than most security awareness vendors offer. Security training should be connected to the work of employees. It should be a part of the tools they use. And it should be something employees engage with weekly or even more frequently based on different triggers.

Frequent touchpoints build and sustain the 💪 security muscle in your workforce. This security muscle can then be tested using phishing simulations to gauge how well your security awareness program is working.

‍