IT Operations

Some security leaders say it’s time to rethink phishing simulations

One expert tells IT Brew that he thinks phishing simulations are “mostly a waste of time.”

Francis Scialabba


Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Things to leave behind in 2024: bad habits, self-doubt, limiting beliefs...and phishing simulations?

For many security defenders, sending a phishing simulation test to the employees within their organization is a key part of their weekly routine. IT Brew previously reported that more than one-third (34%) of IT and security decision-makers send the faux tests at least every two weeks.

Bone to pick. However, several security experts who spoke with IT Brew said that they have gripes with the popular cybersecurity exercise. Mike Britton, CIO of San Francisco-headquartered cybersecurity company Abnormal Security, for instance, told us that phishing simulations often feel “very arbitrary” and like they are done solely for compliance purposes.

“Part of my problem is I can always make people click, or click more or click less,” Britton said. “If I want people to click more, I’ll make it super difficult. If I [want to] make people click less, I make it easier.”

Britton added that this makes it difficult to accurately gauge if phishing simulations reduce risk within an organization or have an impact on employee awareness of threats.

Mark Stamford, founder and CEO of information security company OccamSec, told IT Brew that he views phishing simulations as “mostly a waste of time.” He said that organizations often have a “distaste” for realistic simulations that bad actors are likely to pull off and that it is hard to assign appropriate and meaningful consequences to those duped by the scheduled exercises.

“At this point, it’s kind of a CYA [cover your ass]. We did the simulation. We got a really low score. Nobody clicked. Move on,” Stamford said. “It has no bearing on your actual risk to a phishing attack. It just means that someone passed the test somewhere.”

End of an era? When IT Brew asked whether organizations should move past running phishing tests on employees, the security leaders gave varied answers. Stamford told IT Brew that organizations should do away with phishing tests unless they are looking to “check a box.”

“You should really focus on the real-world risks,” Stamford said, adding that organizations should take a proactive approach to mitigating the risks associated with phishing attacks.

Others, however, told IT Brew that the industry shouldn’t wash its hands of the imitation emails just yet. J Stephen Kowski, field CTO of SlashNext, a California-based generative AI-powered messaging security firm, told IT Brew that while he doesn’t think phishing tests are a perfect solution, he doesn’t foresee organizations getting rid of them, because cyber insurers require them.

“That’s the number one reason people get these phishing tests,” Kowski said.

Brian Miller, principal security culture specialist at Ivoryware, a Missouri-based security awareness company, told IT Brew that organizations should still want to occasionally run phishing tests because of the critical information they can provide.

“You should still occasionally run those tests because they do still illuminate who in your enterprise is wildly susceptible to these attacks,” Miller said.