Simulated Phishing - How your Security Team is putting you at Risk!
10 August 2017 11:13
Today, Security and IT teams are tasked with the impossible challenge of balancing their security profile with budgetary limitations. Coupled with this are all of the impending regulatory requirements, like GDPR, coming down the pipe… Sounds like an impossible task, right?
Getting The Quick Win
It's no wonder that creating a sense of security is often enough to pacify the board on the basis that the business is “doing the right thing” or “taking a step in the right direction”, and there are a number of tools that fall into this category, simulated phishing being one of them…
Now, I run a company that has developed a simulated phishing tool, so it may seem strange when I say that running simulated phishing exercises on your employees can put your business at RISK!!!!
I will say it again…
Running Simulated Phishing exercises on your employees can put your business at RISK!!!!
Ok, so why would I say this when for the most part I encourage people to run them?
It Is Almost Impossible To Maintain Objectivity
If you are running internal Phishing Simulations, there are generally two approaches that IT and Security teams adopt:
- Looking for favourable results to paint them in a good light and reinforce that they are doing things right.
- Looking to exploit the targets as hard as possible to reinforce the fact that Security is a real issue, just like you have been telling them all this time.
No Experience In Interpreting The Results
If you run a Phishing Simulation and the results are not interpreted properly, the exercise is worthless. Any exercise like this requires a Security Professional (preferably independent) to analyse the results you get back and present them to the business in the context of what they expose the business to. THAT IS THE VALUE.
No Ongoing Structure
This happens a lot and generally goes along the lines of:
- Purchase Simulated Phishing Product
- Simulate your users to death in the first few months
- Never touch the product again
Not implementing a proper plan that links to your overall Security Awareness programme limits the effectiveness of the exercise.
Templates Are Too Easy To Spot
If you run purely templated attacks on your users, you will find that the response rate is really low. This is because they are easy to spot, and your staff are so accustomed to receiving them that they will brush them off.
That's not to say that you should not utilise them, but they should be part, and not the whole, of your Simulated Phishing efforts.
What Risk Does This Expose The Business To?
When the above approaches happen, the risk to a business from a real phishing attack becomes far greater. That is because the business gets lulled into a false sense of Security because:
- The exercise has not represented the real risk to the business
- There is not the correct level of understanding of what the potential impacts could be
- Remediation actions are not taken into account
- No ongoing strategy for Security Awareness and Simulated Phishing
Of course, this is not the case every time, but more of a cautionary note based on some of the projects that I have personally seen.
Running a successful programme for Simulated Phishing is pretty straightforward with some simple steps…