Managing repeat clickers is critical to maintaining robust organizational security, as these individuals significantly increase the risk of successful phishing attacks.
According to a recent analysis of 6,000 employees receiving simulated phishing emails, about 6% of users were responsible for approximately 29% of the failures.
Recognizing this could help maximize the return on investment (ROI) of your security budget. Allocating more training resources to repeat clickers might be beneficial.
By focusing your security awareness training campaigns on those who need the most help, you can potentially reduce the overall risk to your organization.
What is a Repeat Clicker?
A repeat clicker is an employee or user who consistently falls for phishing attempts despite undergoing security awareness training. These individuals pose a significant risk to organizational security.
It’s crucial to clearly define what constitutes a repeat clicker, taking into consideration that learning takes time. We recommend looking at employees who fail two or more simulations per quarter or half-year, depending on the frequency of your phishing simulations.
Why do Employees Keep Clicking?
To effectively address the issue of repeat clickers, it's crucial to first understand their motivations.
Employees often respond to phishing emails due to emotions that cybercriminals exploit:
Fear: Strong language creates urgency, convincing victims that inaction will result in severe consequences.
Respect: Emails appearing to come from authority figures compel compliance without question.
Greed: Promises of rewards or financial gain trick victims into acting hastily.
Helpfulness: The desire to help others leads to falling for pleas for assistance.
Other factors include sophisticated social engineering, urgent language, and the busy nature of modern work environments, which make it difficult for employees to scrutinize every email.
How to Help and Manage Repeat Clickers
To manage repeat clickers, your role as a CISO or security leader must shift from thinking about protecting your organization to thinking about how you can motivate your employees to protect themselves and, eventually, your organization and their colleagues.
Deliver consistent and repetitive communications about phishing and cybersecurity. Use email newsletters, posters, and nano- and microlearning videos to give your employees the same message about phishing and the signs of phishing.
Give employees personalized, high-quality security awareness training that is engaging, interactive, and relatable. Use self-directed online learning, gamified training, and real-world scenarios.
Use phishing simulations to measure how well employees are responding to the training. These simulations help you identify your repeat clickers, allowing you to rethink the training they receive and understand where training is not resonating.
Many people are motivated by competition and rewards. If this fits your organization’s culture, set up a way to reward people who improve their click rate and recognize their progress.
Communicate with your repeat clickers that there are consequences to their behavior. Use real-world examples or simulations to emphasize the personal and professional impacts of clicking a link or downloading an attachment. Help people understand the severity of repeat clicking.
Consider taking further action—disabling email or blocking access to certain websites or internal pages when a repeat clicker does click can help show users the potential harm that comes with a successful phishing attack.
Remedial Approaches for Repeat Clickers
Punitive measures, such as terminating an employee for repeated failures in phishing simulations, often prove ineffective and can create a culture of fear.
Instead, if initial training efforts aren't enough to curb repeat clickers, consider implementing these remedial approaches to better manage their behavior:
Additional Training
Consistent and tailored remedial training is essential for reducing the incidence of repeat clickers. Some organizations provide personalized, high-quality training that is engaging and interactive.
This training might include more in-depth explainer materials and game modules to ensure employees understand the risks and how to avoid them.
Escalation Process
An escalation process can help manage repeat clickers by increasing the severity of consequences with each subsequent click. Here’s what this could look like:
Upon failing their 1st phishing simulation:
User launches a point of failure page, which reinforces potential signs of a threat actor’s lure
User is assigned an additional remediation training course to reinforce potential signs of malicious emails
Upon failing their 2nd phishing simulation:
User launches a point of failure page which outlines potential signs of a threat actor’s lure
User is assigned an additional remediation training course to reinforce potential signs of malicious emails
User receives additional coaching from their direct manager to reiterate the importance of pausing before acting, and the risk to the company if a system or data breach were to happen
Manager follows up with an email asking for the user’s commitment going forward, and explains that ongoing failures will be more formally documented with HR
Upon failing their 3rd phishing simulation:
User launches a point of failure page which outlines potential signs of a threat actor’s lure
User is assigned an additional remediation training course to reinforce potential signs of malicious emails
User receives an email from HR reinforcing the risk that the user’s behavior is creating for the company
User’s access to all social media platforms is suspended until authorized by HR or IT leadership
User is required to attend instructor-led training on security awareness best practices
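As an added example (not code from the original article), the following Python script applies the definition given earlier (two or more failures within a quarter) and the escalation stages listed above to a constructed phishing-simulation export; the user names, dates and results are made up for illustration.

```python
from collections import Counter, defaultdict
from datetime import date
# Constructed sample export from a phishing-simulation platform:
# (user, date the lure was sent, True if the user failed by clicking).
SIM_RESULTS = [
    ("alice", date(2024, 1, 15), True), ("alice", date(2024, 2, 20), True), ("alice", date(2024, 3, 18), False),
    ("bob", date(2024, 1, 15), True), ("bob", date(2024, 2, 20), False), ("bob", date(2024, 3, 18), False),
    ("carol", date(2024, 1, 15), False), ("carol", date(2024, 2, 20), False), ("carol", date(2024, 3, 18), False),
    ("dave", date(2024, 1, 15), True), ("dave", date(2024, 2, 20), True), ("dave", date(2024, 3, 18), True),
]

# Escalation stages from the article, keyed by cumulative failures (3 or more share the top stage).
ESCALATION = {
    1: "point-of-failure page; remediation course",
    2: "stage 1; manager coaching; manager follow-up email",
    3: "stage 2; HR email; social media access suspended; instructor-led training",
}

def quarter(d):
    """Calendar quarter of a date, e.g. (2024, 1) for January to March 2024."""
    return (d.year, (d.month - 1) // 3 + 1)

def failures_by_quarter(results):
    """{quarter: Counter(user -> failed simulations in that quarter)}."""
    counts = defaultdict(Counter)
    for user, sent, failed in results:
        if failed:
            counts[quarter(sent)][user] += 1
    return counts

def repeat_clickers(results, threshold=2):
    """Users failing >= threshold simulations inside one quarter (the article's definition)."""
    flagged = set()
    for per_user in failures_by_quarter(results).values():
        flagged.update(u for u, n in per_user.items() if n >= threshold)
    return flagged

def failure_concentration(results):
    """(share of users flagged, share of all failures they caused): the article's 6% / 29% figure."""
    users = {u for u, _, _ in results}
    flagged = repeat_clickers(results)
    total = sum(1 for _, _, f in results if f)
    theirs = sum(1 for u, _, f in results if f and u in flagged)
    return len(flagged) / len(users), (theirs / total if total else 0.0)

def escalation_stage(results, user):
    """Escalation step the user has reached, or None if they have never failed."""
    n = sum(1 for u, _, f in results if u == user and f)
    return ESCALATION[min(n, 3)] if n else None
```

Run against a real platform export, the same functions give you the list of users to route into the remedial track and the concentration figure to justify where training budget goes.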
Keep in mind that celebrating success is just as important as bringing attention to shortcomings. So, make sure to also reach out to their managers or the users themselves when they have done something right.
A simple “thank you” or “well done” goes a long way.
Get Human Resources Involved
Repeat clickers are the users most likely to cause a real breach. If all remediation efforts are not working, it may be time to involve Human Resources to document their performance and, if appropriate, put them on a performance plan.
It’s crucial that these conversations are as positive as possible, explaining the risk their behavior creates for the company and the efforts taken to help them succeed.
Remediation plans must be laid out at the beginning of the program and presented positively, not as a punishment.
Enhancing Organizational Security by Managing Repeat Clickers
Managing repeat clickers requires a proactive and strategic approach. By delivering consistent messages, integrating security awareness into your culture, providing engaging training, and clearly communicating the consequences of repeat clicking, you can significantly reduce the risks these individuals pose.
With targeted efforts, you can enhance the overall security posture of your organization and ensure that all employees are better equipped to recognize and respond to phishing threats.
Check out our sample training videos to learn more about effective strategies for engaging users and improving your organization's security awareness.