Month #Two of the MSP Roadmap
Checklist
✅ Analyze baseline campaign results.
✅ Run training campaign as follow-up to baseline campaign.
✅ Run first official phishing campaign.
By Month #2, the results of your baseline phishing campaign will be available. You'll want to analyze the results to determine where the vulnerabilities are in your organization. There are some helpful tips for doing this in the Analyzing Results section. Remember to run your baseline campaign again on credential theft to the same recipients in six months or a year, using a different template, to determine if security awareness has increased.
First Training Campaign
If you ran your baseline campaign on credential theft, an appropriate follow-up training course would be Password Protection. You can set this up in the Training section of your MSP Admin Dashboard as explained in the Create Training Campaign section of the MSP Admin Setup guide. Select the Training Topic Authentication, and then Password Protection from the Training Course dropdown menu.
After you've selected your training topic and course, you'll have choices to make in the SafeTitan user interface:
Just like the phishing campaign, you can select to run the training campaign between eight days and two weeks, giving people on vacation a chance to respond.
Enabling an email assignment to be sent to recipients is useful to focus their attention on the training request and its purpose. Likewise, it is good practice to issue an email on course completion. Recipients may inadvertently close the training without submitting it, so the email also acts as evidence of their training completion.
Even though you selected recipients randomly for the baseline campaign, you can send the training campaign to everyone.
It is suggested that all training be made mandatory. An exception might be if you decide to hold a cyber security month, in which you run multiple training campaigns. Training such as that could be made optional.
An acknowledgement from the recipient isn't necessarily needed here. If you created training based on an organizational policy, then you may want to have recipients acknowledge that they've read the policy as this is something that you may want to record.
When training is required of everyone, as in this case, generating certificates on completion is a positive action to take. Encouraging managers to print them and display them also shows solidarity and reinforces the need for security awareness.
By enabling feedback, an MSP can learn some valuable information from customers, such as their feelings towards the training and any issues they might be experiencing with security awareness in their organization.
First Phishing Campaign
Next you can run your first official phishing campaign. If you ran your baseline test on credential theft — which you'll repeat later in the year — you might want to run this campaign on a theme such as Data Privacy or Safe Internet. The templates, Mail Service — Privacy Compromise or Paypal — Target Inc., are suitable choices.
Here are some additional points to keep in mind:
Send the campaign to everyone this time, as you want to encourage people to realize the importance cyber security and engage on a regular basis with training. When you did the random baseline phishing campaign, you obtained a sense of where the organization could be in terms of security awareness. But to drive the organization to where it should be in terms of awareness, training for everyone is recommended.
Like the baseline campaign you did in Month #1, keep the complexity and sophistication low. You're doing this because you want to accurately determine how your recipients are engaging with the campaign. It's also important to reinforce the learning and encourage behavioral change, ensuring all individuals are "climbing the learning ladder" in tandem. Moving too quickly to a more sophisticated campaign might not be the most beneficial choice if the level of cyber security awareness in an organization was low to begin with.
Remember the importance of how to schedule your campaign as well as previewing the email before creating the campaign, which were highlighted in Month #One.