Creating successful JIT (Just in Time) Notifications

How to get the most out of the notifications you send to your employees

CultureAI has several notifications that you can send to your employees to alert them to their security behaviours. In this guide we'll go over some best practices for creating them.

The basics

There are a few basic points to keep in mind when creating your notifications so that they are as effective as possible. We'll run through these briefly below.

  • Use JIT training where applicable - You can see our guide on enabling JIT training by clicking here. JIT training delivers a short training module in the moment, right after the behaviour. Even if employees don't complete the module, seeing the first page can be enough to have an impact. Enable it to get the most out of your JIT notifications.
  • Decide on a consistent tone across all your notifications - Choose your messaging style. Would you like to take a light-touch, awareness-focused tone, or a firmer, information-based tone? Whichever you choose, keep the structure, tone, and writing style consistent across all notifications.
  • Don't over-notify - It can be tempting to create a notification for everything, but over-notifying lessens the impact of each one. If employees receive multiple notifications a day, they risk becoming 'noise' and being ignored.
  • Use repeat occurrences - Repeat occurrences let you vary a notification based on the number of times an employee has shown a behaviour. This lets you escalate ongoing security behaviours and stops the employee from seeing the same message every time. (Please click here to see our guide on setting these up.)
  • Utilise your team managers - You can create notifications that also alert the employee's manager. This keeps managers aware of employees who are showing repeated security behaviours, so they can offer personal assistance to those who need it.
  • Send positive notifications as well - Your notifications don't have to be purely risk-based; you can create notifications thanking employees for reporting suspicious emails. This gives employees recognition and encourages continued reporting.

What makes a good notification?

Notifications are intended to make employees aware of their security behaviours. A good notification includes a simple explanation of what they did wrong, how your company views this, and what they can do in future to improve.

Your notifications should serve a clear purpose: are you aiming to raise awareness, pushing for active improvement, or enforcing company policies?

It's important that you have a set goal for your notifications, and that you make that goal clear to the employee receiving them.

For example, suppose you set up a notification to tell an employee that they used a weak password, like this:

Hi there,

We detected that you used a weak password, please don't use weak passwords.

This gets the basic message across, but it is missing something. You need to think about:

  • Why is using a weak password bad?
  • What makes a weak password?
  • How can they improve this?

This gives employees something to think about. You don't need to over-explain everything, but a few simple sentences explaining why a behaviour is bad for security, and how they can improve, make for a successful notification.

Notification templates

Every company has its own culture and the tone it wants to use for notifications. You know your employees best, and what they will respond to.

To help you get started and give some inspiration, we've created some basic templates in different tones that you can use and edit to suit your needs.

These examples use the 'Clicked a simulated phishing link' notification, but you can apply the same tone guides when creating other notifications.

All our templates make use of personalisation tokens, which appear with '%%' at the start and end of the token name. We also use repeat occurrences to show how you can escalate for employees who continually show the same behaviour.

These templates may not fit your exact structure or internal process, and they make some assumptions about process for the sake of illustration, but you can use them as a starting point to create something that fits your organisation.
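To make the two mechanisms concrete, the following is an added illustration of how token substitution and repeat-occurrence escalation fit together. It is example code written for this guide, not CultureAI's rendering engine: the '%%token%%' syntax and the three token names are taken from the templates on this page, while the rule that the highest defined occurrence is reused for later clicks, the manager being copied in from the third occurrence, the sample event data, and the refusal to send a message that still contains a raw token are all assumptions made here.

```python
"""Illustrative renderer for JIT notification templates.

Added example for this guide, not CultureAI's own code. Assumptions: tokens are
written %%name%% (as in the templates on this page); the token names are the
three used on this page; the template for the highest defined occurrence is
reused for any later occurrence; the manager is copied in from the third
occurrence onwards. SAMPLE_EVENT is constructed data.
"""
import re
from dataclasses import dataclass

TOKEN_RE = re.compile(r"%%(.+?)%%")  # matches %%Common | Employee | Forename%% etc.

# One template per repeat occurrence (firmer tone, trimmed from this page's examples).
TEMPLATES = {
    1: ("Hi %%Common | Employee | Forename%%\n\n"
        "On %%Click Time%% you clicked on a phishing link. This was part of a "
        "simulated phishing campaign."),
    2: ("Hi %%Common | Employee | Forename%%\n\n"
        "On %%Click Time%% you clicked on a simulated phishing link with the subject "
        "'%%Scenario | Subject%%'. This is the 2nd time you've clicked on a phishing "
        "link. A mandatory training module has been assigned in your Security Centre."),
    3: ("Hi %%Common | Employee | Forename%%\n\n"
        "On %%Click Time%% you clicked on a simulated phishing link with the subject "
        "'%%Scenario | Subject%%'. This is the third time. We are passing this on to "
        "your line manager."),
}

MANAGER_FROM_OCCURRENCE = 3  # assumption: manager is copied in from the third click

# Constructed sample event, shaped as a platform might hand it to the renderer.
SAMPLE_EVENT = {
    "Common | Employee | Forename": "Alex",
    "Click Time": "09:14 on Tuesday 5 March",
    "Scenario | Subject": "Your parcel could not be delivered",
}


@dataclass
class Notification:
    occurrence: int
    body: str
    notify_manager: bool


def normalise(name: str) -> str:
    """Canonical token spelling, so '%%Common|Employee|Forename%%' matches the table key."""
    return " | ".join(part.strip() for part in name.split("|"))


def select_template(occurrence: int, templates=TEMPLATES) -> str:
    """Pick the template for this occurrence; beyond the last defined one, stay escalated."""
    if occurrence < 1:
        raise ValueError("occurrence count starts at 1")
    best = max(k for k in templates if k <= occurrence)
    return templates[best]


def unresolved_tokens(template: str, values: dict) -> list:
    """Tokens in the template that the event data cannot fill (in order, no duplicates)."""
    known = {normalise(k) for k in values}
    missing = []
    for match in TOKEN_RE.finditer(template):
        name = normalise(match.group(1))
        if name not in known and name not in missing:
            missing.append(name)
    return missing


def render(template: str, values: dict) -> str:
    """Substitute every token, refusing to emit text that still contains a raw
    %%token%%: an employee should never receive 'Hi %%Common | Employee | Forename%%'."""
    missing = unresolved_tokens(template, values)
    if missing:
        raise KeyError(f"unresolved tokens: {missing}")
    lookup = {normalise(k): str(v) for k, v in values.items()}
    return TOKEN_RE.sub(lambda m: lookup[normalise(m.group(1))], template)


def build_notification(occurrence: int, values: dict) -> Notification:
    """Escalated message for the n-th occurrence, plus whether to copy in the manager."""
    body = render(select_template(occurrence), values)
    return Notification(occurrence, body, occurrence >= MANAGER_FROM_OCCURRENCE)


if __name__ == "__main__":
    for n in (1, 2, 3, 4):
        note = build_notification(n, SAMPLE_EVENT)
        print(f"--- occurrence {n} (manager copied: {note.notify_manager}) ---\n{note.body}\n")
```

The unresolved-token check is the part worth keeping whatever tooling you use: preview each template against a real event before switching it on, because a token name with a typo renders as literal '%%...%%' text and undermines the personal tone you are trying to set.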

Light-touch, awareness focused tone

Using a "Hey, we just wanted to let you know...!" style of notification signals that you want to flag issues and help employees improve their behaviour. This gentler, more casual approach can help employees feel less embarrassed when they make a mistake and more likely to reach out for help when they need it.


The first notification

Hey there %%Common | Employee | Forename%%

You clicked on a phishing link, whoops!
Don't worry, this was only a simulated phishing email! We all make mistakes, and we want to help you improve your security savvy.

Here are some things you can look out for in the future to help you identify a fishy-looking phishing email:

  • Spelling and bad grammar - Is everything up to snuff? Phishing emails will sometimes include poorly worded sentences or misspelt words.
  • Call to action - Does the email seem oddly urgent? Is it asking you to do something quickly, with some sort of consequence if you don't?
  • Links or unexpected attachments - Is there a link to click on, or a file to download? Check before you click on anything!
  • Incorrect domains or links - Is the sender using the correct email address? You can always look up a company's official email address to check that it matches.

Don't forget to head to your security centre to check your score!


Second occurrence

Hey hey %%Common | Employee | Forename%%

We can see that you clicked on another phishing link at %%Click Time%%.

Don't be upset, some emails can be hard to spot! We're running these simulations to give you the chance to train yourself and become a phish-proof fortress.

If you feel like you need some extra help, please reach out to our cybersecurity team at helpcyber@company.com.

They can give you some tips and pointers to help you better spot phishing emails.

Remember, look out for these in any email you're sent:

  • Poor spelling and bad grammar
  • Call to action 
  • Links or unexpected attachments
  • Incorrect domains or links

Third occurrence

Hey %%Common | Employee | Forename%%

Oh dear, you clicked on a phishing link again! 

We can see that you've clicked on a few simulated phishing links now. We really want to help you get your security skills up and help keep our company secure. 

We've let your manager know (don't worry! You're not in trouble), so they can book a meeting with you to go through some email phishing training, answer any questions you might have, and send you some resources you can use to check an email before you click on anything in it.


Firmer, information-based tone

If you want to ensure that employees are aware of their mistakes and understand that they need to change their behaviour, a firmer tone can help.

This conveys the message that you're cracking down on insecure behaviours and want everyone to be aware of where and how they can improve.


First notification

Hi %%Common | Employee | Forename%%

On %%Click Time%% you clicked on a phishing link.
This was part of a simulated phishing campaign we're running to measure and improve our security awareness company-wide.

Please be more careful in the future.
Here are some things you can look out for to help you identify phishing emails:

  • Spelling and bad grammar - Phishing emails often use poor spelling and grammar.
  • Call to action - Is it asking you to do something quickly, with some sort of consequence if you don't?
  • Links or unexpected attachments - Is there a link to click on, or a file to download? Check before you click on anything.
  • Incorrect domains or links - Is the sender using the correct email address? If you're unsure, always look up the company's official email address to check that it matches.


Second notification

Hi %%Common | Employee | Forename%%

On %%Click Time%% you clicked on a simulated phishing link with the subject '%%Scenario | Subject%%'. This is the 2nd time you've clicked on a phishing link.

This was part of a simulated phishing campaign we're running to measure and improve our security awareness company-wide.

We want to ensure you're getting the correct training you need to help you improve your security behaviours.

You have been assigned a training module in your Security Centre. This training module is mandatory and must be completed.

Please complete it as soon as possible.


Third notification

Hi %%Common | Employee | Forename%%

On %%Click Time%% you clicked on a simulated phishing link with the subject '%%Scenario | Subject%%'.

This is the third time that you have clicked on a phishing link.

As a result, we will be passing this on to your line manager, who may escalate it to our HR disciplinary process if needed.

If you have any concerns, please reach out to your manager.


Next steps

Now that you've set up your notifications, give them a couple of months to run.

This allows time for your employees to trigger them and receive the notifications. You can then either gather feedback directly from your employees, or look at your reports to see whether the notifications are having a positive impact on employee behaviour.

If you find that your notifications don't seem to be improving behaviour, it's time to go back and review them. Here are some things you can think about changing:

  • Tone - Consider adjusting the tone of your notifications to make them more engaging.
  • Length - If your notifications contain a lot of information, think about shortening them so they're quicker to read.
  • Engaging actions - You can add tasks that your employees need to complete, such as training. This encourages employees to act on the notification rather than just giving it a once-over.
  • A helping hand - Giving employees a way to get direct, personal help could improve their security behaviours. Set up some 'security advocates' that employees can contact for personal advice from a friendly, human face.