Oops I Clicked It Again

The human side of cybersecurity

Phishing Drills – How to Handle “Repeat Clickers”

Repeat clickers, repeat offenders, repeat customers, whatever you call them: I’m talking about the people who keep showing up on your phishing drill reports. There are a few things to consider when deciding how to get the message across to them.

There’s an uncomfortable truth that security people need to face up to: if you’re seeing the same names on your phishing drill reports month in, month out, you cannot simply blame those people. Your education and awareness efforts aren’t enough.

In my experience, these people represent about 0.4% of the overall population, so the residual risk they carry is small. The good news is that cybersecurity awareness people can still reduce that risk for their organisation.
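To put a number on this for your own organisation, here is an added example (mine, not from the original post) that reads a constructed set of drill results and lists who clicked in two or more distinct campaigns, along with their share of everyone who received a drill. The row format, the user and campaign names, and the threshold of two campaigns are all assumptions; a real programme would export this data from its phishing platform.

```python
from collections import defaultdict

# Constructed sample data (not real drill output): one row per user per campaign,
# as (user, campaign_id, clicked). Three drills, eight staff.
DRILL_RESULTS = [
    ("alice", "c1", True),  ("alice", "c2", False), ("alice", "c3", False),
    ("bob",   "c1", False), ("bob",   "c2", False), ("bob",   "c3", False),
    ("carol", "c1", True),  ("carol", "c2", False), ("carol", "c3", True),
    ("dave",  "c1", True),  ("dave",  "c2", True),  ("dave",  "c3", True),
    ("erin",  "c1", False), ("erin",  "c2", True),  ("erin",  "c3", False),
    ("fiona", "c1", False), ("fiona", "c2", False), ("fiona", "c3", False),
    ("gus",   "c1", False), ("gus",   "c2", False), ("gus",   "c3", False),
    ("hana",  "c1", False), ("hana",  "c2", False), ("hana",  "c3", True),
]


def click_history(results):
    """Return {user: set of campaign ids the user clicked in}.

    Distinct campaigns are counted, so duplicate rows or several clicks on the
    same lure do not inflate anyone's score.
    """
    clicked = defaultdict(set)
    for user, campaign, did_click in results:
        if did_click:
            clicked[user].add(campaign)
    return dict(clicked)


def repeat_clickers(results, min_clicks=2):
    """Users who clicked in at least `min_clicks` distinct campaigns, sorted by name.

    The threshold of two campaigns is an assumption; tune it to your drill cadence.
    """
    history = click_history(results)
    return sorted(u for u, camps in history.items() if len(camps) >= min_clicks)


def repeat_clicker_rate(results, min_clicks=2):
    """Share of everyone who received at least one drill that qualifies as a repeat clicker."""
    population = {user for user, _, _ in results}
    if not population:
        return 0.0
    return len(repeat_clickers(results, min_clicks)) / len(population)


if __name__ == "__main__":
    history = click_history(DRILL_RESULTS)
    for user in repeat_clickers(DRILL_RESULTS):
        print(f"{user}: clicked in {sorted(history[user])}")
    print(f"repeat clicker rate: {repeat_clicker_rate(DRILL_RESULTS):.1%}")
```

The output is the list of people worth sitting down with, ordered so the awareness team can start conversations rather than disciplinary paperwork; the rate is the figure to track over time to show leadership that the education changes are working.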

One organisation I worked with wanted to go full fire and brimstone: disciplinary processes that got more severe each time someone failed a drill, HR involvement, and eventually termination of employment. This didn’t sit right with me. We’re giving these people a chance to test their phishing-spotting skills and then punishing them for engaging. It would open up a legal and ethical minefield, and make them deeply distrustful of security.

Sure, repeat clickers should get attention from security teams. But rather than telling these people off, security teams should spend time with them to understand where the gaps are in their education and awareness activities. Obviously something isn’t getting through, or you’re not making them care.

My top tips for dealing with “repeat clickers”:

  • Speak to them. You might just learn something about human psychology and attitudes to cybersecurity.
    • Telling people to always be careful isn’t enough, understanding them and using them as an asset is the way.
  • Never shame them. Unless you want to give security a bad name and put people off from ever engaging with security.
  • See them as an opportunity to strengthen your awareness/education efforts. Leadership will love that you’ve been able to reduce a risk by being proactive, without costing them more money.
