As security leaders we develop security and awareness training surrounding phishing; however, we are told we can only expect to get down to a 3% click rate. 3% is not low enough and I am looking for ideas on how to drive down the click rate to 1% or less. Has anyone had great success with a technique they have used to drive down the click rate?
CISO in Insurance (except health), 8 months ago
Thank you
Director of IT in Finance (non-banking), 8 months ago
Our click rate runs about 2% normally. We are a small agency with about 250 people, so just a few who bite can have a big impact on our rate. We test monthly and publish the results across the whole agency and explain what a 2% click rate equates to in number of compromised users/computers and what a bad actor would then have access to. This seems to hit home and helps keep our rate low.
CISO in Insurance (except health), 8 months ago
Thank you
Senior Information Security Manager in Software, 8 months ago
Those figures seem to be in line with industry averages. Getting to 1% or less requires massive amounts of training and technology. Also, it would require people to spend a lot more time reviewing each email. If you really want to get <1%, give each person an hour less work daily to deal with the time needed to do that.
CISO in Insurance (except health), 8 months ago
Thank you
CISO in Manufacturing, 8 months ago
We should not be looking at just reducing the click rate beyond a specific %, but at making simulations as good as the real phishing we see out there with increased sophistication, specifically tailored for individuals and coming from trusted accounts that were compromised. AI also makes creating good phishing easier for attackers. So the goal is to create a teachable moment for someone who clicks and provide proper after action (i.e. training, performance objective, etc.). Creating specific policies and increasing the consequences after repeated clicks also helps.
CISO in Insurance (except health), 7 months ago
Thank you
CISO in Telecommunication, 8 months ago
It's all about raising awareness. Two things you can do: 1) run a tricky phishing test that drives the failure rate up to 30%, so everyone understands they are not good enough; 2) besides focusing on the failure rate, try marking the report rate. Seeing a phishing email and reporting it raises awareness to another level.
CISO in Insurance (except health), 7 months ago
Thank you
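Two of the replies above suggest tracking more than the click rate: the Director of IT publishes what a click rate means in compromised users, the Manufacturing CISO acts on repeated clicks, and the Telecommunication CISO wants the report rate measured alongside the failure rate. The following is an added example, not code from any poster or from a phishing-simulation product, showing how to compute those metrics from per-user campaign results. The campaign names, user names and outcomes are constructed sample data, and the record layout (`Result`) is an assumption about what a simulation export would contain; the time-to-first-report figure is included because it is what a SOC has to act on in a real campaign.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Result:
    """One user's outcome in one simulation campaign (assumed export layout)."""
    campaign: str
    user: str
    clicked: bool
    reported: bool
    minutes_to_report: Optional[float] = None  # None when the user did not report

# Constructed sample: three monthly campaigns against six hypothetical users.
SAMPLE = [
    Result("2024-01", "alice", False, True, 4),
    Result("2024-01", "bob", True, False),
    Result("2024-01", "carol", False, False),
    Result("2024-01", "dave", False, True, 30),
    Result("2024-01", "erin", True, True, 12),   # clicked, then reported anyway
    Result("2024-01", "frank", False, False),
    Result("2024-02", "alice", False, True, 2),
    Result("2024-02", "bob", True, False),
    Result("2024-02", "carol", False, True, 15),
    Result("2024-02", "dave", False, False),
    Result("2024-02", "erin", False, True, 8),
    Result("2024-02", "frank", False, False),
    Result("2024-03", "alice", False, True, 3),
    Result("2024-03", "bob", True, False),
    Result("2024-03", "carol", False, True, 9),
    Result("2024-03", "dave", False, True, 20),
    Result("2024-03", "erin", False, True, 5),
    Result("2024-03", "frank", True, False),
]

def campaign_metrics(results, campaign):
    """Click rate, report rate and time to first report for one campaign."""
    rows = [r for r in results if r.campaign == campaign]
    if not rows:
        raise ValueError(f"no results for campaign {campaign!r}")
    n = len(rows)
    clicks = sum(r.clicked for r in rows)
    reports = sum(r.reported for r in rows)
    report_times = sorted(r.minutes_to_report for r in rows if r.reported)
    return {
        "targets": n,
        "click_rate": clicks / n,
        "report_rate": reports / n,
        # The Director of IT's framing: each click is a compromised user/computer.
        "compromised_users": clicks,
        # How long the SOC would have had before the first user raised the alarm.
        "first_report_minutes": report_times[0] if report_times else None,
    }

def repeat_clickers(results, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns (candidates for follow-up)."""
    counts = defaultdict(int)
    for r in results:
        if r.clicked:
            counts[r.user] += 1
    return sorted(u for u, c in counts.items() if c >= min_clicks)

def expected_compromises(click_rate, headcount):
    """Translate a published click rate into the number of users a real lure would land on."""
    return round(click_rate * headcount)

if __name__ == "__main__":
    for campaign in ("2024-01", "2024-02", "2024-03"):
        m = campaign_metrics(SAMPLE, campaign)
        print(f"{campaign}: click {m['click_rate']:.1%}, report {m['report_rate']:.1%}, "
              f"first report after {m['first_report_minutes']} min")
    print("repeat clickers:", repeat_clickers(SAMPLE))
    print("2% of 250 staff:", expected_compromises(0.02, 250), "compromised users")
```

Publishing `report_rate` and `first_report_minutes` next to `click_rate` changes what the numbers say: a campaign where two of six users click but the first report arrives four minutes after delivery is a very different exposure from one with the same click rate and no reports at all.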
While this falls short of our satisfaction, we acknowledge that addressing this is an ongoing effort. Phishing techniques evolve over time, and users are gradually becoming more educated, contributing to the dynamic nature of this challenge and, probably, never reducing the rate to 1% or lower.