
While perusing reddit.com, a well-known social hotbed of ‘intellectual superiority’, I came across the following string:

*sigh* Asked by the boss man to phish the team…

What I discovered is what appears to be a never-ending lamentation on the ‘uselessness’ of phishing tests. I couldn’t agree more. Phishing ‘tests’ are indeed useless.

This is particularly true when phishing tests are executed in a manner inconsistent with obtaining meaningful results. After all, as many in the string seemed to agree, these ‘tests’ are fraught with peril like – “Everyone failed so the boss panicked and pulled the plug because leadership didn’t expect it to be that bad.”

Was that meant to imply that your CISO didn’t already know phishing was a problem? Or are you saying that everyone panicked because the organization doesn’t know how to respond to a phishing attack?

My question then: Why haven’t you fixed that? Because neither of those conditions seems good to me.

And, of course, what would this conversation be without the requisite posturing… “My security systems would have caught it anyway… so what is the point of doing this?”

Excellent question. But, if your security technology would have caught these phish in the first place, why is the news full of reports about breaches initiated with a phish?

Answer: Because technology will never outsmart a Con.

This is because the Con-man’s focus isn’t on your technology. It’s on your people. Which means your people need to be ‘hardened’ against attack as much, if not more than, your infrastructure.

So, the REAL question becomes, “If a test that points out the obvious doesn’t fix the problem, what will?”

The solution is the implementation of a well-designed security program that fosters transparency in your environment and actually empowers users to recognize and respond to phishing attempts appropriately.

Sounds nice. But, can this be done?

Absolutely, it’s just that most pen-testers conclude their “phishing tests” with a report that highlights the details of a well-known existing vulnerability, while at the same time, offering no constructive recommendations for measurable improvement.

“Let’s just see how bad it is again next year.  I bet we can fool even more people!”

This self-serving easy peasy ‘phishing test’ approach, frequently promoted by DIY online phishing and pen-test vendors, is actually destructive of company culture. Further, it can seriously damage an organization’s ability to protect itself by driving the issue underground, as demonstrated in the rather ‘self-reflective’ reddit string above.

I know from years of experience with behavioral conditioning that a well-executed and appropriately focused program can bring astonishing results and tip the balance of phishing risk in your favor.

Getting the type of results demonstrated in our Enterprise Phishing Susceptibility Analysis requires that you keep the end goal of such efforts in mind.

Remember, the goal isn’t to prove that a phishing risk exists. The REAL goal is to mitigate the breadth of your organization’s exposure to phishing risk in an inclusive and structured way.

  1. Be open and transparent with your associates about the problem and their part in resisting phishing attacks.
  2. Foster an environment that encourages reporting of suspected attacks, even after falling for one.
  3. Execute a phishing program that identifies weak spots with a variety of phishing emails and drives recognition through repetition.
  4. Communicate your plan and provide focused results to your Technology AND Business Stakeholders.
    • Reduced susceptibility
    • Reduced repeat offenses
    • Increased reporting
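
The three outcomes above are only useful if they are measured the same way every campaign, so here is an added example (not the author’s own code or tooling) that scores a program against them. The data schema, campaign labels, lure themes and user names are all constructed for illustration; a real program would load them from the phishing platform’s export instead. It computes susceptibility and reporting per campaign (the trend), the repeat-offender rate (item 2’s "even after falling for one" is tracked separately as reporting-after-click), and the click rate per lure theme to surface the weak spots item 3 refers to.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    """One simulated phish delivered to one user in one campaign (constructed schema)."""
    campaign: str   # campaign label, e.g. "Q1"
    lure: str       # lure theme used for the campaign
    user: str
    clicked: bool   # followed the link or opened the attachment
    reported: bool  # used the report-phish button, before or after clicking


# Constructed sample data: two campaigns, five hypothetical users.
RESULTS = [
    Result("Q1", "invoice", "alice", True, False),
    Result("Q1", "invoice", "bob", True, True),
    Result("Q1", "invoice", "carol", False, True),
    Result("Q1", "invoice", "dave", True, False),
    Result("Q1", "invoice", "eve", False, False),
    Result("Q2", "password-reset", "alice", True, False),
    Result("Q2", "password-reset", "bob", False, True),
    Result("Q2", "password-reset", "carol", False, True),
    Result("Q2", "password-reset", "dave", False, True),
    Result("Q2", "password-reset", "eve", True, True),
]


def _rate(hits, total):
    return hits / total if total else 0.0


def susceptibility(results):
    """Share of delivered phish that were clicked."""
    return _rate(sum(r.clicked for r in results), len(results))


def reporting_rate(results):
    """Share of delivered phish that were reported, whether or not the user clicked."""
    return _rate(sum(r.reported for r in results), len(results))


def report_after_click(results):
    """Among users who clicked, the share who still reported it (item 2 of the program)."""
    clickers = [r for r in results if r.clicked]
    return _rate(sum(r.reported for r in clickers), len(clickers))


def repeat_offender_rate(results):
    """Users who clicked in two or more campaigns, as a share of everyone who ever clicked."""
    campaigns_clicked = defaultdict(set)
    for r in results:
        if r.clicked:
            campaigns_clicked[r.user].add(r.campaign)
    repeaters = [u for u, c in campaigns_clicked.items() if len(c) >= 2]
    return _rate(len(repeaters), len(campaigns_clicked))


def by_campaign(results):
    """Per-campaign susceptibility and reporting rates, in campaign order, to show the trend."""
    groups = defaultdict(list)
    for r in results:
        groups[r.campaign].append(r)
    return {c: {"susceptibility": susceptibility(g), "reporting": reporting_rate(g)}
            for c, g in sorted(groups.items())}


def weak_spots(results):
    """Click rate per lure theme, highest first: the pretexts the workforce resists least."""
    groups = defaultdict(list)
    for r in results:
        groups[r.lure].append(r)
    return sorted(((lure, susceptibility(g)) for lure, g in groups.items()),
                  key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for camp, m in by_campaign(RESULTS).items():
        print(f"{camp}: susceptibility={m['susceptibility']:.0%} reporting={m['reporting']:.0%}")
    print(f"repeat offenders: {repeat_offender_rate(RESULTS):.0%} of users who ever clicked")
    print(f"reported after clicking: {report_after_click(RESULTS):.0%}")
    print("weak spots:", weak_spots(RESULTS))
```

On the constructed data the trend is the one a working program should produce: susceptibility falls from 60% to 40% between campaigns while reporting rises from 40% to 80%, one of the four users who ever clicked is a repeat offender, and the invoice lure is the weaker spot. The same three numbers, reported to both technology and business stakeholders each cycle, are what make "we ran a phishing test" into a program with measurable improvement.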

By focusing on these outcomes, you will create an organizational culture that understands the substantial nature of the phishing threat and that, on the whole, is able to resist and defeat it by increasing the number of users who can defend the primary point of entry for phishing attacks: their own email accounts.

So, again, I agree. No single ‘phishing test’ will give you the kind of results a program with the above characteristics will. PERIOD.


John ‘Lex’ Robinson

PS – Lest I be misunderstood… Yes, you need your infrastructure too… But consider, who builds a fortress with no guards at the gate?