Phishing tests are a useful tool in employee cyber-security training. The idea is that a message mimicking a phishing attack is sent to employees to test their security awareness. This can be a useful exercise for keeping employees alert to phishing; however, this style of training has some difficulties of its own. Below are some pros and cons of phishing tests.
Pro: Teaches Employees How To Spot Phishing Attacks
Simulating a phishing attack can teach employees how to spot genuine attacks in their inboxes. “By showing employees examples of attacks – including the subject lines to watch out for, a high-level overview of domain impersonation, and the types of requests hackers will generally make – they’ll immediately be better placed to identify what is and isn’t a phishing attack.” (Tessian).
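The domain-impersonation tricks that this kind of training teaches people to spot by eye can also be checked mechanically. The following is an added example, not code from the page or from Tessian: a small header analyser that flags the three most common sender-domain tricks seen in both real and simulated phishing, namely typosquats and homoglyph lookalikes (examp1e.com), a trusted name used as a leading label of an attacker-controlled domain (example.com.secure-login.net), a trusted address smuggled into the display name, plus a Reply-To that points somewhere other than the sender. The trusted domains, the sample messages and the confusable-character table are constructed for illustration; a real deployment would use the Public Suffix List rather than a "last two labels" rule and a full confusables table.

```python
"""Flag sender-domain impersonation in e-mail headers.

Added illustration for the phishing-awareness article; the trusted domains,
confusables table and sample messages below are all constructed.
"""
import email
from email.utils import parseaddr
import unicodedata

# Assumption: the organisation's own registrable domains (hypothetical names).
TRUSTED_DOMAINS = {"example.com", "examplepay.com"}

# A few visually confusable characters and digraphs, folded to plain ASCII.
# Folding is lossy (legitimate 'barn' becomes 'bam'), so it is applied only to
# the candidate domain, never to the trusted list.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}


def fold(domain: str) -> str:
    """Lowercase, strip accents and map confusables: 'pаypa1.com' -> 'paypal.com'."""
    s = unicodedata.normalize("NFKD", domain.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    for bad, good in CONFUSABLES.items():
        s = s.replace(bad, good)
    return s


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; cheap enough for one-domain-vs-few-domains checks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels. Simplification: a real tool would use the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS):
    """Return (verdict, reason) for a bare sender domain."""
    d = domain.lower().rstrip(".")
    reg = registrable(d)
    if reg in trusted:
        return "trusted", ""  # exact match or a genuine subdomain such as mail.example.com
    for t in trusted:
        # Trusted name used as a leading label: example.com.secure-login.net
        if d.startswith(t + ".") or ("." + t + ".") in d:
            return "subdomain-abuse", f"embeds {t}"
        # Homoglyph / typosquat: identical after folding, or one edit away
        folded = fold(reg)
        if folded == t or levenshtein(folded, t) <= 1:
            return "lookalike", f"resembles {t}"
    return "unknown", ""


def assess_message(raw: str, trusted=TRUSTED_DOMAINS):
    """Parse a raw RFC 5322 message and return (verdict, [reasons])."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2]
    verdict, why = classify_domain(from_dom, trusted)
    reasons = [why] if why else []
    # Display name claims a trusted domain that the actual address does not use
    if verdict != "trusted" and any(t in name.lower() for t in trusted):
        reasons.append("display name claims a trusted domain")
        verdict = "lookalike" if verdict == "unknown" else verdict
    # Reply-To steering replies to a different domain is a classic redirection tell
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_dom = reply.rpartition("@")[2]
    if reply and registrable(reply_dom) != registrable(from_dom):
        reasons.append(f"reply-to domain {reply_dom} differs from sender domain")
    if verdict == "trusted" and reasons:
        verdict = "suspicious"
    return verdict, reasons


# Constructed sample messages, one per trick.
SAMPLES = {
    "genuine": "From: IT Helpdesk <helpdesk@mail.example.com>\nSubject: Password expiry\n\nbody",
    "typosquat": "From: IT Helpdesk <helpdesk@examp1e.com>\nSubject: Urgent: verify your account\n\nbody",
    "subdomain": "From: Payroll <hr@example.com.secure-login.net>\nSubject: Updated payslip\n\nbody",
    "display_name": 'From: "helpdesk@example.com" <alerts@notify-center.example>\nSubject: MFA reset\n\nbody',
    "reply_to": "From: CEO <ceo@example.com>\nReply-To: ceo.private@gmail.example\nSubject: Quick favour\n\nbody",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:13} -> {assess_message(raw)}")
```

Run it and the genuine subdomain sender comes back "trusted" while the other four samples are each flagged with a reason that names the trick, which is exactly the set of cues (lookalike domain, embedded trusted name, display-name spoof, mismatched Reply-To) an awareness session should walk employees through.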
Con: Phishers Are One Step Ahead
Sometimes the phishing emails used as tests are outdated and less sophisticated than the attacks employees actually receive, so passing a simulation does not guarantee an employee would catch a current lure. “Hackers think and move quickly and are constantly crafting more sophisticated attacks to evade detection. That means that training that was relevant three months ago may not be today.” (Tessian).
Pro: Fosters A Security Culture
Running these types of assessments fosters a culture of cyber-security awareness. “It takes a village to keep systems and data safe, which means accountability is required from everyone to make policies, procedures, and tech solutions truly effective. That’s why creating and maintaining a strong security culture is so important. While this is easier said than done, training sessions can help encourage employees – whether in finance or sales – to become less passive in their roles as they relate to cybersecurity, especially when gamification is used to drive engagement.” (Tessian).
Con: Expensive
Even with regular training, human error persists, and every hour spent in exercises is an hour taken from employees' normal work, so the cost of over-training can outweigh what the training saves. “Imagine you have a 1,000-person organization and, as a part of an aggressive inbound strategy, you’ve opted to hold training every quarter. Training lasts, on average, three hours. That’s 12,000 lost hours a year.” (Tessian).
Pro: Identify Risks
You can evaluate which departments are most at risk. “By getting teams across departments together for training sessions and phishing simulations, security leaders will get a bird’s-eye view of employee behavior. Are certain departments or individuals more likely to click a malicious link than others? Are senior executives skipping training sessions? Are new-starters struggling to pass post-training assessments?” (Tessian).
Con: Over-Doing It
Sometimes these phishing simulations prey on employees' emotions. It’s important to set ethical ground rules for these exercises and to respect employees' state of mind. “Breaching trust with employees by neglecting the care of those who have fallen victim to social engineering attacks can damage the very relationships that you rely on to protect your assets and data. While social engineering is something that must be done to support attack chain simulation, we must be mindful of the human cost and take steps to ensure damage to victims is minimized.” (Computer Weekly).
Overall, phishing attack simulations can be a useful tool for training employees, but they should not be the only form of cyber-security training you run. Moderation is key. When carrying out phishing tests, keep these pros and cons in mind to reduce the exercise's negative effects.
Have any questions about cyber-security? Responsive Technology Partners is the leading cyber-security expert in the Athens, Metter, Milledgeville, Vidalia, and Atlanta, Georgia areas. We also have locations in Tampa, Florida; Roanoke, Virginia; and Raleigh, North Carolina. Service offerings include I.T. support, cyber-security and compliance, telephony, cloud services, cabling, access control, and camera systems. Our company’s mission is to provide world-class customer service through industry-leading I.T. solutions that make every customer feel as if they are our only customer. Please visit our website to learn more: https://www.responsivetechnologypartners.com/.
Sources:
Computer Weekly. https://www.computerweekly.com/opinion/Phishing-tests-are-a-useful-exercise-but-dont-overdo-it
Tessian. https://www.tessian.com/blog/pros-and-cons-phishing-awareness-training/