Should You Tell Your Organisation Before Starting Phishing Training?

We recommend telling your organisation about the phishing training before sending any simulations. In this article, we'll tell you why and give you templates for communication.

How you communicate about the phishing testing sets the tone for the rest of the training program. You only have one chance to get it right the first time and give your organisation a positive impression of the training.

To help you communicate about the training within your organisation, we made an email template you can customize and send out.

Download the template here in Danish and English.

Our recommendation - transparent communication

We recommend that you are upfront with your employees. Tell them you will be running phishing simulations and you will have access to the results. It's important to also tell them why you're doing the training.

By doing this, you can both increase awareness of the phishing threat and convey that the training is intended to make your entire organisation more resilient - not single out employees who fall for the tests.

While you might be interested in "catching your employees by surprise," we believe this creates resistance to the training and can alienate employees. 

That being said, the decision is up to you. Later on in this article, we'll give you some things to consider when deciding whether to tell your employees ahead of time.  

Why we recommend communicating about the training

Communicating about the training openly from the very beginning sets it off to a good start, where employees feel respected and comfortable with the training. And that's really important, because you need your organisation to stick together in the fight against phishing. It's a team effort, and you have to be a trusted part of that team.

If you don't communicate about the phishing simulations at the start, you run the risk of making your employees feel the simulation was unfair. They might think they were tested without having the opportunity to prepare. They could worry that the results of the training could impact their employment and how their performance is evaluated.

By communicating about the training from the start, you can get ahead of some of these concerns while fostering a positive attitude towards the training.

Download our email template for introducing the phishing training to your organisation in Danish or English.

Why not catch employees by surprise for the first simulation?

You might want to run the first simulation to get a baseline of how your organisation performs before making everyone aware of the training program. This makes sense - the first campaign is essentially the only opportunity you have to test entirely unsuspecting employees. Later campaigns will not come as news to them, even though they might still be unprepared.

Although it's tempting to send the first campaign as a surprise, we don't believe the benefits of this outweigh the costs. The main benefit is that you understand your organisation's starting point. But this starting point isn't going to be relevant for long, since it won't accurately reflect employee awareness once they know about the phishing testing. You'll also risk upsetting your employees, making them feel ashamed or tricked, and creating resistance to the training. 

Your organisation will probably forget about the training soon after you mention it

We've found that communicating about phishing testing ahead of time doesn't actually skew the end result much. Let some time pass before you run the campaign, and you may be surprised by how many have already forgotten about it.

You can get insights into how well your organisation performs under normal circumstances

You actually come closer to "normal circumstances" by telling employees about the training beforehand. In the future, they will receive real phishing emails while also receiving simulations. So, the data you get from running a campaign after communicating about the training will tell you how your organisation may respond to a phishing attempt in the future.

Your security culture depends on employees feeling positive about the training

Employees are more likely to accept the training if they are told about it upfront. They will appreciate the transparent communication and are less likely to feel misled. Feeling "cheated" is not an uncommon reaction among employees who weren't informed, and it can cause resistance to the training.

What to consider when deciding how to communicate about the training

What you hope to get out of the training will greatly impact how you communicate it.

If it's going to be a long-term program (which we recommend!), getting employees to feel positively about it is important. If it's a short-term project designed to show that phishing is a real danger, you might not care much about the communication part.

But ultimately, if the test demonstrates that your organisation is unprepared, you'll probably run more phishing campaigns in the future. It'll always benefit you not to alienate employees from the beginning.

If you're still unsure, a few questions you can ask yourself to start are:

  • How do you think your employees would react and receive the training?
  • How would your employees feel if they found out after a campaign that you were really testing them?
  • How receptive are your employees to new things/change?
  • What is your standard way of introducing new programs to employees?
  • What is your organisation's culture around performance feedback?
  • What kind of culture and attitude do you want to create around the training?

Still have a question?

Contact your customer success manager or contact us at support@cyberpilot.io