Serious question: after a phishing drill at my office in Phoenix, I'm rethinking our whole training approach.
The IT team sent a fake invoice link and over half the staff clicked it. Some say we need more frequent, scary drills to keep people on edge. Others think that just makes people anxious and we should focus on simpler, clearer rules instead. What's your take on the best way to run these security tests?
3 comments
campbell.robin · 2mo ago
Lol, I'd have clicked it too; my inbox is a war zone. @the_michael has a point about pressure, but maybe we just need a dumber checklist.
9
jake_martin16 · 3mo ago
Man, I feel this. Honestly, those scary drills just train me to panic-click anything to make the warning go away. Tbh, if over half your people failed, the test worked perfectly by showing the real problem. Ngl, I think clearer, simpler rules about checking sender emails would help way more than another surprise attack. Just my two cents from someone who definitely would've clicked that fake invoice.
4
the_michael · 3mo ago
Yeah but that's exactly why the drills need to feel real. If you're just trained to check a box calmly, you won't feel that rush to click when a real one hits. The panic is the point, you gotta learn to stop even when you're stressed. Clear rules are good, but they don't stick without the practice under pressure. The test showed people need more practice, not less.
1