Rethinking Phishing Tests: A Call For Trust And Control

May 24, 2024

In today’s ever-changing cybersecurity landscape, phishing simulations have become a common practice for organizations aiming to bolster their defenses against threat actors. These simulations replicate phishing attacks, assessing employees’ abilities to recognize and avoid real phishing emails. However, as cybersecurity practices and tools evolve, there is growing skepticism about the relevance and impact of these assessments in enterprises with mature security programs and controls.

Enterprises are reevaluating their approach to phishing tests, emphasizing trust, comprehensive education, and advanced security controls to establish a positive security culture.

Before we delve into the discontinuation of phishing assessments, let’s underscore the significance of having mature cybersecurity controls in place. These mitigating controls include:

  1. Malicious and spam email filters: These filters help weed out suspicious emails before they reach employees’ inboxes.
  2. Email verification protocols (such as DMARC, DKIM, and SPF): These protocols enhance email authentication and prevent spoofed emails.
  3. Endpoint security controls: Measures like endpoint detection and threat response (EDTR), removal of local admin rights, application whitelisting, and PowerShell management contribute to a robust security posture.
  4. Security control audits and ongoing monitoring: Regular audits and automated control testing ensure that security measures remain effective.
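The email verification protocols in item 2 are only a control if the published records actually enforce a policy; a DMARC record with `p=none` or an SPF record ending in `+all` authenticates nothing. The following Python script is an added example, not code from this article, that parses SPF and DMARC TXT records and flags the weak settings an audit (item 4) should catch. The DNS records it inspects are constructed inline under the placeholder domains `example.test` and `weak.test`; replacing the `lookup` callable with a real DNS resolver is left to the reader.

```python
import re

# Constructed sample TXT records for two placeholder domains (not real DNS data).
# example.test enforces SPF hard-fail and DMARC reject; weak.test publishes
# the two settings that make the protocols ineffective against spoofing.
SAMPLE_RECORDS = {
    "example.test": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example.test -all",
    "_dmarc.example.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; pct=100",
    "weak.test": "v=spf1 +all",
    "_dmarc.weak.test": "v=DMARC1; p=none; rua=mailto:dmarc@weak.test",
}


def parse_dmarc(record):
    """Split a DMARC TXT record ('tag=value; tag=value') into a lowercase-tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(record):
    """Return the qualifier on SPF's terminal 'all' mechanism: '+', '-', '~' or '?'.

    RFC 7208 treats a bare 'all' as '+all'. Returns None when no 'all' term exists.
    """
    for term in record.split()[1:]:  # skip the 'v=spf1' version tag
        match = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if match:
            return match.group(1) or "+"
    return None


def assess_domain(domain, lookup):
    """Return a list of weaknesses in a domain's SPF and DMARC records.

    `lookup(name)` must return the TXT record string for `name`, or None if absent.
    An empty list means both records are present and enforcing.
    """
    findings = []

    spf = lookup(domain)
    if spf is None or not spf.lower().startswith("v=spf1"):
        findings.append("SPF: no record published")
    else:
        qualifier = spf_all_qualifier(spf)
        if qualifier == "+":
            findings.append("SPF: '+all' permits any sender")
        elif qualifier is None:
            findings.append("SPF: no 'all' mechanism (implicit neutral result)")
        elif qualifier in ("~", "?"):
            findings.append(f"SPF: '{qualifier}all' is soft; spoofed mail is not rejected on SPF alone")

    dmarc = lookup("_dmarc." + domain)
    if dmarc is None:
        findings.append("DMARC: no record published")
    else:
        tags = parse_dmarc(dmarc)
        if tags.get("v") != "DMARC1":
            findings.append("DMARC: malformed record (missing v=DMARC1)")
        policy = tags.get("p")
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={policy} does not enforce (monitor-only)")
        try:
            pct = int(tags.get("pct", "100"))
        except ValueError:
            pct = 0
        if pct < 100:
            findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
        if "rua" not in tags:
            findings.append("DMARC: no rua= aggregate reporting address")

    return findings


if __name__ == "__main__":
    for name in ("example.test", "weak.test"):
        print(name, assess_domain(name, SAMPLE_RECORDS.get) or ["OK"])
```

Running the script reports `example.test` as clean and lists both weaknesses for `weak.test`. DKIM is deliberately not covered here: its selector records live under `<selector>._domainkey.<domain>` and cannot be enumerated from the domain name alone, so a DKIM check needs the selectors the mail system actually signs with.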

When implemented correctly, these controls significantly reduce the likelihood of successful phishing attacks reaching employees. However, let’s explore some of the challenges associated with traditional phishing assessments.

Deteriorating trust is one of the biggest concerns with phishing campaigns, whether you pass or fail the test, and even if you are the one sending these campaigns to everyone else!

Simply put, phishing exercises may inadvertently erode trust between employees and the organization. Simulated attacks may trigger feelings of embarrassment or frustration, especially when mistakes have consequences. Such an approach can sow doubt and stress, hindering the development of a positive work environment and a culture of security.

For enterprises with robust cybersecurity practices, the benefits of phishing tests diminish over time. Employees who undergo these simulations regularly may become immune to them, reducing their effectiveness and potentially leading to complacency. In environments where advanced security measures effectively block phishing attempts, the practical value of these tests wanes.

Cybersecurity awareness and training should extend beyond merely spotting phishing emails. A comprehensive approach involves:

  1. Understanding cyber threats: Employees need to grasp the various types of threats they might encounter.
  2. Safeguarding personal, organizational, and client data: This includes adopting best practices for data protection.
  3. Emphasizing proper cyber hygiene: Regular reminders about password security, software updates, and safe browsing habits are crucial.

The importance of establishing interpersonal trust, partaking in comprehensive learning, and implementing advanced security controls all contribute to better workplace culture that embraces security at its core. This rounded approach acknowledges the role employees play in cybersecurity while also highlighting the critical importance of strong technical safeguards against potential threats.

Remember, effective security isn’t just about tests; it’s about fostering a security-conscious mindset across the organization. Trust and control go hand in hand, creating a resilient defense against cyber adversaries.

All of this is not to say that phishing simulation campaigns have no business in the workplace! They do help identify who needs additional cybersecurity training to avoid falling prey to a real phishing attack, and they help sharpen the minds of those who already know how to spot a suspicious message. Phishing is one of the most prevalent threats to an organization today, so everyone must be prepared to spot and report it!
