Cliff notes: Phishing “tests” at best are a waste of time, and at worst, disruptive and weaken your ability to defend against real phishing.
Bob Lord, the Democratic National Committee’s Chief Security Officer, has a problem. Almost every other headline in the news these days talks about hacking and interfering in elections. His job is hard enough worrying about real attackers and real phishing. He doesn’t need to be wasting time responding to #fakephishing, but unfortunately that is what happened.
Two days ago, the Democratic National Committee alerted the FBI that the party’s voter database was the target of an attempted hack via spear phishing. Today, the DNC is reporting that the incident was actually an unauthorized penetration test, conducted by a *misguided technology firm on behalf of the Michigan Democratic Party. (*that’s the nicest way I can describe them.)
The motivation of a phishing pen-test doesn’t align with actual security improvement.
Every month we get requests from 10-person pen-test shops asking to use our phishing simulation platform. We tell them to pound sand. We are not about to let some cowboy pen-test shop ruin the reputation we’ve built by supporting a misguided annual phishing professional services engagement.
I said this in a blog six years ago (well, the younger, less corporate me said it): pen-testing isn’t the way to measure and improve resiliency to phishing. Let’s review.
I know the pen-test world and how they think. Pen-tests are designed to demonstrate a vulnerability. A pen-tester levels up in a customer’s budget by delivering the most salacious report possible.
Because a pen-tester thinks a phishing test is a once-a-year human vulnerability assessment, they throw every proven best practice out the window. Pre-announcing the test? Nope. Notifying helpdesk and IT teams beforehand? Nope. Clearly marking your phishing emails in the header so as not to confuse an Incident Responder? Not even once.
A pen-tester ignores everything required in a successful phishing simulation program aimed at promoting human behavior change. Again, to a pen-tester, it’s not about improving phishing resilience and awareness, it’s about demonstrating the vulnerability.
But Aaron, don’t we need to first test to see how vulnerable we are to phishing?
Simply put, NO. Every organization is vulnerable to phishing. Everybody knows it. Without belaboring the obvious, the DNC is acutely aware of the damage phishing does.
The question isn’t whether phishing can work against your organization but how prepared you are to defend against it. What types of phishing emails work against which business units? And perhaps most importantly, how many employees report suspicious emails to your security team, so it can investigate and take action?
You don’t have to wonder. We publish the results from the largest dataset available on this subject every year. Here is the link to the most recent edition of the Cofense™ Phishing Resiliency Report. We also offer a Board of Directors Report benchmarked against industry verticals for customers to show their leadership how resilient their organization is, in detail and over time.
In the DNC’s case, people didn’t wait even two days to learn the emergency was a drill—they went straight to federal law enforcement. Who can blame them? Then the story hit the headlines. And now the clarification.
A better way to defend against phishing is what Cofense (formerly PhishMe) has done for 11 years. You tell employees that you’ll be sending them simulated phishing emails. You explain how identifying and reporting suspicious email helps protect the organization against the threat. You build response capability around those employees’ reports to capture the phishing emails your technology misses every week. (Yes, your email gateways are unfortunately that bad.) And as the program unfolds, you educate employees at every opportunity.
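Two of the practices above, marking simulated emails in a header so responders are not confused (mentioned earlier as something pen-testers skip) and building a response pipeline around employee reports, fit together in one small triage step. The example below is added here for illustration; it is not Cofense’s code and does not reflect how any real platform marks its messages. The header name `X-Phish-Simulation`, the shared secret, the campaign name and the three reported emails are all constructed for the example. The one caveat a responder should care about is baked in: the marker is an HMAC bound to the message’s Message-ID, because a plain “this is a drill” header is something a real attacker can copy onto their own phish to get it waved through.

```python
import hashlib
import hmac
from email import message_from_string

# Assumed header name and shared secret (hypothetical; not Cofense's format).
# The secret is known only to the simulation platform and the security team,
# so a marker copied from one simulation onto an attacker's message will not verify.
SIM_HEADER = "X-Phish-Simulation"
SIM_SECRET = b"replace-with-a-real-shared-secret"


def simulation_tag(campaign_id, message_id, secret=SIM_SECRET):
    """Value the simulation platform puts in SIM_HEADER: the campaign name plus an
    HMAC over campaign and Message-ID, so the marker is tied to this one message."""
    mac = hmac.new(secret, f"{campaign_id}|{message_id}".encode(), hashlib.sha256).hexdigest()
    return f"{campaign_id}; tag={mac}"


def build_email(sender, recipient, subject, message_id, body, marker=None):
    """Constructed raw email text for the samples below (not real traffic)."""
    headers = [
        f"From: {sender}",
        f"To: {recipient}",
        f"Subject: {subject}",
        f"Message-ID: {message_id}",
    ]
    if marker is not None:
        headers.append(f"{SIM_HEADER}: {marker}")
    return "\n".join(headers) + "\n\n" + body + "\n"


def classify(raw, secret=SIM_SECRET):
    """Decide whether a reported email is a verified simulation or needs a real
    investigation. A missing, malformed or non-verifying marker is treated as real,
    because the header itself is trivially forgeable."""
    msg = message_from_string(raw)
    message_id = msg.get("Message-ID", "")
    marker = msg.get(SIM_HEADER)
    if marker is None:
        return {"verdict": "investigate", "reason": "no simulation marker"}
    parts = [p.strip() for p in marker.split(";")]
    if len(parts) != 2 or not parts[1].startswith("tag="):
        return {"verdict": "investigate", "reason": "malformed simulation marker"}
    campaign, tag = parts[0], parts[1][len("tag="):]
    expected = hmac.new(secret, f"{campaign}|{message_id}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return {"verdict": "investigate",
                "reason": "marker present but tag does not verify (possible spoofed marker)"}
    return {"verdict": "simulation", "campaign": campaign}


def triage(reports, secret=SIM_SECRET):
    """reports: iterable of (reporter, raw_email). Returns per-campaign counts of
    verified simulation reports (the program's reporting signal) and the number of
    reports responders must actually work."""
    summary = {"simulation_reports": {}, "to_investigate": 0, "results": []}
    for reporter, raw in reports:
        result = classify(raw, secret)
        summary["results"].append((reporter, result))
        if result["verdict"] == "simulation":
            camp = result["campaign"]
            summary["simulation_reports"][camp] = summary["simulation_reports"].get(camp, 0) + 1
        else:
            summary["to_investigate"] += 1
    return summary


# Constructed sample reports: one genuine simulation, one real phish with no marker,
# and one real phish whose author copied the marker from the earlier simulation.
SIM_MSG_ID = "<sim-001@example.test>"
SAMPLE_REPORTS = [
    ("alice", build_email("it-support@sim.example.test", "alice@example.test",
                          "Password expiry notice", SIM_MSG_ID, "Click here to reset.",
                          marker=simulation_tag("Q3-credential-lure", SIM_MSG_ID))),
    ("bob", build_email("payroll@evil.test", "bob@example.test",
                        "Updated payroll form", "<real-001@evil.test>", "Open the attached form.")),
    ("carol", build_email("hr@evil.test", "carol@example.test",
                          "Benefits update", "<real-002@evil.test>", "Sign in to confirm.",
                          marker=simulation_tag("Q3-credential-lure", SIM_MSG_ID))),
]

if __name__ == "__main__":
    summary = triage(SAMPLE_REPORTS)
    for reporter, result in summary["results"]:
        print(reporter, result)
    print("simulation reports:", summary["simulation_reports"])
    print("to investigate:", summary["to_investigate"])
```

Alice’s report is filed under the campaign; Bob’s and Carol’s both go to the responders, and Carol’s is flagged specifically because the marker was present but did not verify for that Message-ID. Whatever marking scheme a real program uses, the operational point is the same: the pre-announcement, the helpdesk heads-up and a verifiable marker are what let the security team spend its time on the reports that are not drills.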
It’s collaborative defense—cooperative and transparent, not a cloak-and-dagger exercise that freaks out phishing targets instead of helping them help you.
Don’t let a phishing pen-test turn you away from the better alternative.
Bob Lord, I’m sorry this happened to you and I hope this doesn’t turn you off to a phishing simulation program in the future. We have 11 years of experience doing this. Cofense sends over 1 million simulated phishing emails per month, and none of them make national headlines, because we know what we are doing.
Too many times, organizations that pen-test for phishing with predictably poor results are unwilling to explore a true phishing resilience program. Once burned, twice shy, sure. But it’s not the same flame.
A phishing resilience program is just that, a genuine program, not a one-off test conducted in the shadows. The real deal will build trust, not endanger it. An expertly executed program will help you stop real phishing attacks in their tracks.
For another perspective on building phishing resiliency, view the Cofense “Left of Breach” e-book.
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.