Phishing attacks have been a pervasive threat to organizations of all sizes for a long time, but recent advances in attack strategies have made phishing more sophisticated, more prevalent and more effective. So much so, in fact, that phishing is now the number one attack vector of choice for cyber-criminals and is cited as the root cause of the large majority of data breaches.
As a result, more and more businesses have been turning to phishing simulation testing – sending their own staff ‘deceptive’ emails designed to mimic real malicious ones – to gauge and raise employees’ awareness of phishing risks. The concept behind phishing simulations appears to make sense, but, like all awareness-raising efforts, its effectiveness comes down to strategic management and an understanding of how to get the most out of the training process.
One company that focuses on phishing defense and mitigation is Cofense (formerly PhishMe), and Infosecurity recently spoke to co-founder and CTO Aaron Higbee to explore the ins and outs of phishing simulation testing.
How vital a part of phishing awareness-raising efforts is staff phishing testing?
According to the National Training Laboratories, retention rates for learning are over 75% when simulation methods are used for training. When an organization simulates a phishing attack, it allows its staff to practice in a safe environment – and in the same place they would find a real phishing email: their inbox. When the term ‘test’ is used, this is typically in alignment with a penetration test, which isn’t a training opportunity. Simulations are not for testing. They are for conditioning a prepared response to REAL phishing.
How do you run the most effective staff phishing simulation programs within the modern enterprise?
Based on the data we’ve seen from years of enterprises simulating phishing training, we know it can take up to four scenarios for some individuals to change their behavior. When an organization is just getting started, it should run more frequent campaigns (monthly) to get its staff trained. As the organization becomes more resilient, it can back off to a quarterly cadence. It should also align its scenarios with the current phishing threats being seen by the organization. This is where having the operator of the phishing training program work closely with the security operations team can yield a benefit in reducing the overall risk to the organization.
Do enough organizations currently implement staff phishing tests?
While simulated phishing has been around for over 10 years now, we still have new customers adopting this method. Organizations of any size are susceptible to a phishing attack, and all should be training their staff on this behavioral risk, which is the source of over 90% of data breaches. It’s for this reason that we offer free resources to organizations under 500 employees, so that cost isn’t a hindrance to ensuring they are able to withstand a phishing attack.
How important is it to regularly tailor/update staff phishing tests?
The phishing threat landscape is continuously changing. As organizations continue to update their technical controls to mitigate an incident, threat actors are adjusting their methods to bypass these controls. It’s important for organizations to continuously update their simulation templates to align with the current threat. This allows for a better trained staff to have a heightened sense to detect a suspicious message – even if it’s one they haven’t previously seen.
How important is it to correctly manage and use the results of staff phishing tests for further education of staff?
When staff have visibility into real phishing messages that are hitting the organization, it provides insight into the fact that the organization is susceptible to phishing attacks. This also reinforces the appropriate behavior that reporting is important to the security team.