Implementing In 4 Steps:
Step 1: Import Your Users
Import all of your users’ email addresses so we can send them simulated phishing emails and training notifications.
Step 2: Conduct a Baseline Phishing Test
Send out a baseline test to all of your users to find out who is phish-prone.
Step 3: Train Your Users
Enroll all of your users in the 45-minute Kevin Mitnick Security Awareness Training course.
Conduct randomized phishing tests along with remedial training campaigns to help strengthen your human firewall.
We’ve broken these steps down with specifics below:
Step 1: Importing your users:
Preliminary steps before importing:
- Gather listing of all user email addresses you wish to import. We don't recommend importing “catch-all” email addresses or distribution lists that go to more than one recipient, e.g., “firstname.lastname@example.org”.
- Identify any groups you may wish to create. Groups can be used for targeted phishing and training campaigns.
- Decide if you wish to import any other user information other than email address. The fields you can import are as follows: First Name, Last Name, Phone Number, Mobile, Extension, Group, Location, Division, Manager Name, Manager Email, Job Title, Employee Number, Password. These fields can be used to customize phishing templates.
3 options for importing users:
- Active Directory Integration: this method is strongly recommended if you're using AD to maintain your users.
- Quick import: useful for importing fewer than 100 users.
- CSV import: useful for importing a larger quantity of users or including other data such as name, phone number, etc.
Useful documents related to importing users:
- Full User Manual for Users and Groups
- Active Directory Integration (ADI) Product Manual
- How to get emails out of Active Directory (for CSV import)
- List of Placeholders (for use in phishing templates/training notifications)
- Managing Multiple Email Domains
Step 2: Baseline Phishing Test
Preliminary test campaign:
We recommend that you run at least one phishing campaign that is limited in scope to only one or two administrative users who can confirm receipt and tracking of clicks on phishing links. This should be done before the baseline test and will confirm that our phishing emails are getting through any spam/firewall protection. This campaign can be deleted once the testing is successful.
Establishing a Baseline.
The first thing you should do, after your preliminary test campaign is successful, is conduct a baseline phishing test. Here are the recommended parameters for a baseline test:
Recommended settings for initial baseline phishing test:
Name: Baseline Test
Deliver To: All Users
Frequency: One time
Start time: Select the day/time (Monday or Tuesday is recommended, and a time when users are active and checking emails is best)
Sending: Send all emails when the campaign starts
Track Activity: At least 3 days
Templates: IT ---> Change of Password Required Immediately
Difficulty Rating/Phish Link Domain: Leave as-is.
Landing Page: If you'd like, you can choose a different landing page here, such as the 404 page, blank page, or a custom landing page that you've created.
Add Clickers To: Select a group if this feature is being used. (if you are unsure, leave this blank.)
Send email report: Checked (Email report will be sent to the admins when duration is met.)
Useful Documents related to Phishing:
Step 3: Training
We recommend that you train ALL users in your organization at once. We do not recommend that you include multiple versions of the Security Awareness courses in a single training campaign. Other courses such as Handling Sensitive Information can be included if you wish. For your initial Security Awareness training campaign, we recommend that you enroll all of your users in the 45-minute Kevin Mitnick Security Awareness Training.
Recommended settings for an initial training campaign for all staff:
Name: Security Awareness Training for All Users
Start Campaign At: Set as applicable.
End Campaign At: Select a Relative Duration of 3 weeks.
Courses: Kevin Mitnick Security Awareness Training - 45 Min
Enroll Groups: Select All Users (Check box to auto-enroll new users)
- Add a welcome email to users which will contain the link for your users to confirm their account and log in for training.
- Add additional reminder X days after enrollment and X days before the due date to remind users to complete their training on the specified schedule.
This will create a training campaign for all of your users, and as you add new users to the console in the future they will be automatically enrolled and receive a welcome email. Each user will have three weeks to complete the training. You can manually initiate notifications emails from within the console if users are taking too long to complete the training.
Useful Documents related to Training:
- Creating and Managing Training Campaigns
- Setting Up Remedial Training Campaigns
- Video: How to Set Up Training Campaigns
- Video: How to Monitor Training Campaigns
Step 4: Ongoing Phishing & Training
Ongoing phishing and training are KEY components to help manage the problem of phishing and social engineering. The following is an outline of ongoing actions we recommend you take:
Ongoing phishing campaign recommendations:
- At a minimum, send a monthly phishing test to all users.
- Include multiple email categories and types (Attachment tests, phishing, spear-phishing, reply-to).
- Spread emails out over a longer duration, such as one week, so users will not know when they are going to be phished.
- Add clickers to a remedial group (For example, you can call the group “Clickers” or “Phish-Prone users”), and assign this group additional training.
Ongoing training recommendations:
- Create a remedial training campaign. On your Remedial Training Campaign settings, you can choose to remove users from the Clickers group once they complete training, and enable them to take the training multiple times. See article here: How To Set Up Remedial Training and video here: Remedial Training Campaigns
- Train specific groups as needed on various specialty courses (Handling Sensitive Information, Mobile Device Security).
- Send out monthly “Security Hints and Tips” emails from the phishing templates area to all users.
- Set up a weekly "Scam of the Week" newsletter to keep your users aware and ready to defend against the latest phishing and social engineering scams. See: How to Set Up a Scam of the Week Newsletter