The key to education

You Need More Than Simulated Phishes

Introduction

Many executives and business owners view Security Awareness Training as just another item on their plates. It is tempting to just “go through the motions.”

After all, if you have a program in place, that should be enough. Right? WRONG! Let’s see why in the following scenario.

Scenario: How “Going Through The Motions” Caused BIG Trouble

Justin is the owner of a small but profitable HVAC company. Like all owners, he’s busy. One day, his accountant convinced him to get cyber insurance. Justin was annoyed at the insurance company’s insistence that he have specific practices in place before they would issue a policy. It turned out that Justin needed written IT policies, security programs, and a Security Awareness Program with simulated phishing attacks to train his people. Justin grudgingly complied.

Justin found a company that had a Security Awareness Program with online employee training, simulated phishing attacks, tracking reports, and even a policy module so he could quickly get the program up and running and satisfy his insurance company. So Justin signed up, and the insurance company issued the policy.

Justin set up the program, informed his employees of the new training requirements, and set up the simulated phishing program. He could automatically send simulated phishes to his staff monthly, putting the program on autopilot. Or so he thought.

The program worked flawlessly. Each month, it would send a different phish to his employees. Anyone who clicked on the “infected link” would get a notification email. The program also had reports showing who took the training modules, how they scored, which employees failed the simulated tests, etc.

Great! Except that Justin never managed the program. As we are all aware, “what is not tracked does not get done.”

Then The Unthinkable Happened

One day, a trusted employee clicked on a bogus link in an actual email that not only infected his PC but spread to the entire network. Shortly after, the whole network went down. It was ransomware!

It took weeks for Justin to recover, severely hampering his business. In addition, he had to let half of his crew go since he lost many clients. Finally, Justin filed a claim with the insurance company.

And Now, The Consequences

The insurance company’s investigation quickly discovered that Justin’s Security Awareness Training Program existed only on paper. He never managed the process, held his employees accountable for the ongoing training, or even spoke to employees who failed the phishing tests. In fact, the employee who caused the problem never took a single online training module!

Justin’s insurance company refused to cover any damages caused by the attack. As a result, Justin went out of business within nine months.

Did You Spot The Red Flags?

  • Justin signed up for a Security Awareness Program with an eye on an easy fix. Unfortunately, he was only concerned with optics.
  • Justin let the program go entirely unmanaged: he neither tracked employee progress nor enforced compliance.

Security Awareness Training Is Serious Business—Don’t Discount Or Neglect It

It may be a cliché, but it is true: people are the weakest link in security, and every cybercriminal in the underworld knows it.

Here is an indisputable fact: no matter how much money you spend on your IT, one errant click on an infected link can bypass your security systems and bring your entire network down.

Justin failed to understand this fundamental concept, and he paid a very high price.

Conclusion

The best approach to security is layered protection. This means using technology, written IT policies and procedures, IT Backup & Disaster Recovery solutions, written Disaster Recovery Plans, and a well-run Security Awareness Training Program.

Your Security Awareness Training Program should include:

  • A required Annual Security Training module
  • Weekly online video security training
  • A monthly security newsletter to keep everyone up to speed on the latest security issues
  • Monthly simulated phishing attacks with varying degrees of difficulty to test users
  • Detailed management reports so you can track user progress

The most crucial ingredient is management participation. Programs are useless unless users are held accountable for taking the training. Without management oversight, you’re wasting money, and it’s only a matter of time before your company ends up like Justin’s.
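The follow-up Justin never did can be driven from the two reports such a program already produces: the simulated-phishing results and the training-completion log. The script below is an added example, not the page’s or any vendor’s code; the report fields, the 14-day remediation rule and the employee records are assumed or constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REQUIRED_MODULE = "Annual Security Training"
REMEDIATION_DAYS = 14  # assumed policy: a failed phish must be followed by training within 2 weeks

@dataclass(frozen=True)
class PhishResult:  # one row of the simulated-phishing report (assumed layout)
    employee: str
    sent: date
    clicked: bool

@dataclass(frozen=True)
class TrainingRecord:  # one row of the training-completion report (assumed layout)
    employee: str
    module: str
    completed: Optional[date]  # None: assigned but never taken

def follow_up_report(phishes, training, today):
    """Map each employee to the reasons a manager must act; an empty dict means all clear."""
    people = {p.employee for p in phishes} | {t.employee for t in training}
    report = {}
    for who in sorted(people):
        reasons = []
        done = [t for t in training if t.employee == who and t.completed is not None]
        if not any(t.module == REQUIRED_MODULE for t in done):
            reasons.append("required annual module never completed")
        clicks = sorted(p.sent for p in phishes if p.employee == who and p.clicked)
        if len(clicks) >= 2:
            reasons.append(f"clicked {len(clicks)} simulated phishes")
        for when in clicks:  # every failed phish needs training completed before its deadline
            deadline = when + timedelta(days=REMEDIATION_DAYS)
            remediated = any(when < t.completed <= deadline for t in done)
            if not remediated and today > deadline:
                reasons.append(f"phish failed on {when}, no training by {deadline}")
        if reasons:
            report[who] = reasons
    return report

SAMPLE_PHISHES = [  # constructed sample data modelled on the scenario above, not real report output
    PhishResult("alice", date(2023, 3, 1), False), PhishResult("bob", date(2023, 3, 1), True),
    PhishResult("carol", date(2023, 3, 1), True),  PhishResult("alice", date(2023, 4, 3), False),
    PhishResult("bob", date(2023, 4, 3), True),    PhishResult("carol", date(2023, 4, 3), False),
]
SAMPLE_TRAINING = [
    TrainingRecord("alice", REQUIRED_MODULE, date(2023, 1, 15)),
    TrainingRecord("bob", REQUIRED_MODULE, None),  # assigned, never taken: the "trusted employee"
    TrainingRecord("carol", REQUIRED_MODULE, date(2023, 1, 20)),
    TrainingRecord("carol", "Phishing Refresher", date(2023, 3, 8)),  # remediation after the March click
]
```

Run monthly, `follow_up_report(SAMPLE_PHISHES, SAMPLE_TRAINING, date.today())` yields only the people a manager must speak to; in the sample data that is Bob alone, flagged four times.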

XSolutions is an IT Services Provider serving New York (NY), New Jersey (NJ), and Connecticut (CT). We provide Managed IT Services | Managed IT Security | Backup & Disaster Recovery | Cloud Data Protection | Security Awareness Training. Call (845) 362-9675 for a free consultation.