More than 90% of cyberattacks and resulting data breaches start with a spear phishing campaign, and many employees remain unable to discern these malicious emails from benign ones. To improve cybersecurity education, some companies are turning to a nontraditional method: phishing their own employees.

Too often, companies only offer annual training on cybersecurity that doesn't keep up with the evolving threat landscape, according to Wesley Simpson, COO of (ISC)2. "Using internal phishing exercises is a very inexpensive tool that helps fight the risk, and is an investment in staff's knowledge and education," Simpson said. "It's not something that should happen once a year. It should be continuous."

(ISC)2 runs regular internal phishing exercises on employees. The IT team crafts the emails based on ones that employees actually receive, Simpson said: for example, those that mimic a coffee shop offering a free beverage, or a postal service package notification.

Before making the campaign public, companies should take a baseline measurement of how employees react to one of the phishing exercises, according to Carl Leonard, principal security analyst at Forcepoint. Then, you have a metric to measure improvement against.


“A company’s most accurate results will arise from tests conducted when employees have not been forewarned,” Leonard said. “Ideally, they will be in a typical frame of mind and not in a heightened state of alertness knowing that a test will be conducted soon. This allows companies to more accurately baseline current status.”

From there, you can define what you will measure, and what success looks like. (ISC)2 tracks four main metrics: the share of recipients who click the link, the share who open the attachment, the share who report the email through the proper channel, and how quickly they report it.

"You have got to have transparency back to the employees," Simpson said. "Show them the results, and hopefully over each month, they can see progress." This helps not only the individuals or teams that are susceptible to risk, but also the IT team, which can use the breakdown to determine which topics or departments need more attention.

(ISC)2 reviews results anonymously, broken down by team and department rather than by individual. "You don't want to turn off employees, or they won't participate," Simpson said. "Raising it up to a team or department still promotes participation, and people won't feel like they're called out individually. The No. 1 goal is education and awareness, not embarrassment."

The organization also adds in an element of competition, with a leaderboard of how each department does to encourage improvement. Companies can also consider offering badges for best and most improved performance, Simpson said.
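The metrics, baseline comparison, and department-level leaderboard described above are straightforward to compute from the event log a simulated campaign produces. The following is an added example, not (ISC)2's own tooling or code from the original article: it parses a constructed event log (one line per delivery, click, attachment open, or report), computes the four metrics per department without exposing individual identifiers in the output, and ranks departments against a constructed baseline from an earlier, unannounced run. The log format, department names, and baseline figures are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample event log for one simulated campaign (not real data).
# Each line: timestamp, recipient id, department, event
# Events: delivered, clicked, opened_attachment, reported
SAMPLE_EVENTS = """\
2024-03-04T09:00:00 u001 finance delivered
2024-03-04T09:00:00 u002 finance delivered
2024-03-04T09:00:00 u003 finance delivered
2024-03-04T09:00:00 u004 engineering delivered
2024-03-04T09:00:00 u005 engineering delivered
2024-03-04T09:00:00 u006 sales delivered
2024-03-04T09:00:00 u007 sales delivered
2024-03-04T09:03:10 u001 finance clicked
2024-03-04T09:03:40 u001 finance opened_attachment
2024-03-04T09:05:00 u002 finance reported
2024-03-04T09:12:00 u004 engineering reported
2024-03-04T09:20:00 u005 engineering clicked
2024-03-04T09:21:00 u005 engineering reported
2024-03-04T10:30:00 u006 sales clicked
2024-03-04T10:31:00 u007 sales clicked
2024-03-04T10:35:00 u007 sales opened_attachment
"""

# Constructed baseline rates from the first, unannounced run (fractions).
BASELINE = {
    "finance": {"click_rate": 0.67, "report_rate": 0.0},
    "engineering": {"click_rate": 0.50, "report_rate": 0.0},
    "sales": {"click_rate": 1.0, "report_rate": 0.0},
}


def parse_events(text):
    """Parse the whitespace-separated log above into (time, uid, dept, event)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, uid, dept, event = line.split()
        events.append((datetime.fromisoformat(ts), uid, dept, event))
    return events


def department_metrics(events):
    """Per department: click rate, attachment-open rate, report rate, and median
    minutes from delivery to first report. Recipient ids are used only for
    de-duplication and do not appear in the returned data."""
    delivered = defaultdict(dict)   # dept -> uid -> delivery time
    clicked = defaultdict(set)
    opened = defaultdict(set)
    reported = defaultdict(dict)    # dept -> uid -> first report time
    for ts, uid, dept, event in events:
        if event == "delivered":
            delivered[dept][uid] = ts
        elif event == "clicked":
            clicked[dept].add(uid)
        elif event == "opened_attachment":
            opened[dept].add(uid)
        elif event == "reported":
            reported[dept].setdefault(uid, ts)  # count the first report only
    result = {}
    for dept, users in delivered.items():
        n = len(users)
        minutes = [(reported[dept][u] - users[u]).total_seconds() / 60
                   for u in reported[dept]]
        result[dept] = {
            "recipients": n,
            "click_rate": round(len(clicked[dept]) / n, 2),
            "attachment_rate": round(len(opened[dept]) / n, 2),
            "report_rate": round(len(reported[dept]) / n, 2),
            "median_minutes_to_report": round(median(minutes), 1) if minutes else None,
        }
    return result


def leaderboard(metrics, baseline):
    """Rank departments by (report rate - click rate), highest first, and show
    the change against the baseline so 'most improved' is visible too."""
    rows = []
    for dept, m in metrics.items():
        b = baseline.get(dept, {"click_rate": m["click_rate"],
                                "report_rate": m["report_rate"]})
        rows.append({
            "department": dept,
            "score": round(m["report_rate"] - m["click_rate"], 2),
            "click_delta": round(m["click_rate"] - b["click_rate"], 2),
            "report_delta": round(m["report_rate"] - b["report_rate"], 2),
        })
    rows.sort(key=lambda r: (-r["score"], r["department"]))
    return rows


if __name__ == "__main__":
    metrics = department_metrics(parse_events(SAMPLE_EVENTS))
    for dept, m in metrics.items():
        print(dept, m)
    for row in leaderboard(metrics, BASELINE):
        print(row)
```

The score is deliberately simple so that it is easy to explain to employees; what matters for the program is that the same definition is used every month and that the first measurement is taken before anyone is told the exercises exist.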

“Tech leaders need to understand that they are not immune to these spear phishing attacks,” Simpson said. “The sooner they assess where they are, the quicker they can start to fill in the gaps.”


Convincing the C-suite

How do you convince company leaders to take such a nontraditional approach to cybersecurity awareness?

“Management usually reacts to money and results,” Simpson said. “These phishing exercises are inexpensive, and can be done with existing staff. Once you start running them, the numbers speak for themselves. These are monthly reports that can show how the organization is improving.”

It also allows security leaders to identify areas of weakness and target training to those areas, rather than taking a blanket approach, he added.

Further, "you don't need an expensive platform or software package to do this," Simpson said. "Most organizations can do this with their staff today, just mimicking what a phishing attack looks like, using your current software or Exchange platform to track metrics."
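Doing it with existing tooling comes down to two pieces: a lure message, and a way to know who clicked. The following is an added example, not code from the original article or from (ISC)2: it builds a simulated "free coffee" lure as a standard email message and embeds a per-recipient tracking link whose token is an HMAC over the campaign and recipient ids, so a curious employee cannot forge or guess a colleague's link, and the click endpoint can reject tampered tokens. The tracking host, campaign secret, roster, and sender address are constructed placeholders. Sending the message through your own mail platform is left out; the object returned is a normal email.message.EmailMessage that smtplib or any internal relay would accept.

```python
import hashlib
import hmac
from email.message import EmailMessage
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical values for illustration. The campaign secret lives only on the
# tracking server; generate one per campaign and never reuse it.
CAMPAIGN_SECRET = b"example-campaign-secret-do-not-reuse"
CAMPAIGN_ID = "2024-03-coffee"
TRACKING_HOST = "https://track.example.internal"   # hypothetical internal host

# Constructed recipient roster: id -> (address, department).
ROSTER = {
    "u001": ("alice@example.com", "finance"),
    "u004": ("dave@example.com", "engineering"),
}


def _mac(campaign_id, recipient_id, secret):
    msg = f"{campaign_id}:{recipient_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def make_token(recipient_id, campaign_id=CAMPAIGN_ID, secret=CAMPAIGN_SECRET):
    """Opaque token binding one recipient to one campaign. Only the holder of the
    secret can mint a valid token, so links cannot be swapped between people."""
    return f"{campaign_id}.{recipient_id}.{_mac(campaign_id, recipient_id, secret)}"


def verify_token(token, secret=CAMPAIGN_SECRET):
    """Return (campaign_id, recipient_id) if the MAC is valid, else None."""
    try:
        campaign_id, recipient_id, mac = token.split(".")
    except ValueError:
        return None
    if not hmac.compare_digest(mac, _mac(campaign_id, recipient_id, secret)):
        return None
    return campaign_id, recipient_id


def tracking_url(recipient_id):
    return f"{TRACKING_HOST}/c?" + urlencode({"t": make_token(recipient_id)})


def build_message(recipient_id, roster=ROSTER):
    """Simulated lure modelled on the 'free beverage' coffee-shop email the
    article mentions. Sender and copy are constructed for the example."""
    address, _dept = roster[recipient_id]
    msg = EmailMessage()
    msg["From"] = "Bean There Coffee <promo@beanthere-example.com>"
    msg["To"] = address
    msg["Subject"] = "Your free drink is waiting"
    msg.set_content(
        "Thanks for being a regular! Claim your free beverage before Friday:\n"
        f"{tracking_url(recipient_id)}\n"
    )
    return msg


def record_click(url, roster=ROSTER, secret=CAMPAIGN_SECRET):
    """What the tracking endpoint does on a hit: validate the token, resolve the
    recipient, and return the fields worth logging. The recipient id is kept for
    de-duplication; monthly reports should aggregate by department only."""
    query = parse_qs(urlparse(url).query)
    token = query.get("t", [None])[0]
    parsed = verify_token(token, secret) if token else None
    if parsed is None:
        return None                      # forged, truncated, or missing token
    campaign_id, recipient_id = parsed
    if recipient_id not in roster:
        return None                      # valid MAC but unknown recipient
    return {"campaign": campaign_id, "recipient_id": recipient_id,
            "department": roster[recipient_id][1]}


if __name__ == "__main__":
    print(build_message("u001"))
    print(record_click(tracking_url("u001")))
```

Keeping the recipient id out of the URL in plain, guessable form (a sequential number, say) matters for the anonymity promise made to staff: with an HMAC-bound token, a link that shows up forwarded around the office cannot be edited to attribute a click to someone else.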

A number of third-party platforms are moving into this space as well. Smaller organizations that lack the technical expertise can consider tapping one of these vendors to run a simulated campaign for them. Some services, such as PhishNet, will send phishing emails to employees and, if they click, immediately redirect them to a brief training page, as well as analyze problem areas.

To convince leadership that this is a worthy educational exercise, IT needs to communicate the risks and the need in business terms rather than technical jargon, said Roberto Valdez, manager of risk advisory services at CPA firm Kaufman Rossin. It's also key to communicate that, with the rise of BYOD and work-from-home policies, employees are no longer confined to the organization's network.

“Your people and the cyber risk extend beyond the boundaries of the network,” Valdez said. “The footprint of risk is much broader. Invest in your people, train them, and have them understand their role as a stakeholder in the security process.”