Phishing Simulations – more harm than good?

The topic of whether phishing simulations hold any value has been brought up over and over again, and it recently came back to the surface due to a tweet from a (justifiably) disgruntled staff member who was phished by their own tech department;

https://twitter.com/KibyDesign_/status/1534597290828398592

As you’ll probably be aware, phishing simulations can be a brilliant tool for identifying high risk individuals within your company and directing them towards the training they need. In 2019 Cisco released a report in which it stated that 95% of all attacks against an enterprise network are the result of a spear phishing campaign, driving home the point that phishing is the largest threat most companies face.

With many mid to large sized businesses investing more and more into phishing simulation toolkits, whether these simulations hold any value in the modern workplace is a difficult question to answer, but one we’ll dive into today.

What is a Phishing Simulation?

I could sit here and try to break down what a phishing simulation is, but Wikipedia manages to spell it out much better than I ever could;

“Simulated phishing or a phishing test is where deceptive emails, similar to malicious emails, are sent by an organization to their own staff to gauge their response to phishing and similar email attacks. The emails themselves are often a form of training, but such testing is normally done in conjunction with prior training; and often followed up with more training elements.”

Ultimately then, this testing is in place to test a company’s employees to see whether they are susceptible to phishing attacks and whether this could be an avenue for a data breach. If anyone does fall for the phishing email then no damage is done and the company can work with them to improve in future.

At a high level it appears as if this is a purely positive improvement to any business, limiting their risk exposure whilst also training staff to identify malicious emails. Surely there are no downsides to such testing? Well, this is where we need to dig deeper into this contentious topic.

The Negatives

Although not something usually considered, phishing simulations can be a double-edged sword if not carried out and managed correctly. Below are a few areas that need to be considered before pushing forward with any phishing simulations.

Cost, Setup & Training

One significant downside of these tools is the cost associated with their implementation. Phishing simulation tools often require substantial financial investment, especially for larger organizations with numerous employees. The initial purchase or subscription fees, coupled with ongoing maintenance and updates, can strain limited budgets and make it difficult for smaller businesses to afford such tools. Additionally, the cost of training staff to effectively use and interpret the results of these simulations adds another layer of expenses. Consequently, the high cost of phishing simulation tools may hinder their accessibility, preventing some organizations from benefiting fully from this valuable training method.

It should be noted that free-to-use phishing simulation tools exist and are available; however, these generally do not suit the needs of some businesses due to the lack of support and the more technically in-depth setup they require.

Psychological

When carrying out simulations you need to be very careful about how you create your campaign, ensuring that if you are imitating a technique used in the wild, that technique is not going to cause discord or upset people when the existence of the campaign comes to light. This is where we come back to the tweet at the top of this article: this kind of test ultimately drives distrust and resentment towards your security team, and although it may be a legitimate technique, it will only end up harming the company more than helping it.

Complacency

Additionally, phishing simulations can have quite an effect on staff, leaving them permanently on edge as to whether an email is legitimate, a real phish, or a simulated phish. This sounds positive, but it can equally have the opposite effect on certain members of your team. If you’ve been caught before and you weren’t able to tell the difference between the real email and the simulation, why bother putting in any effort to figure it out in future?

This can also be exacerbated if a firm decides to carry out simulations too regularly, leading to staff not reporting suspicious emails and dismissing any email that looks “dodgy” as simply another test.

The Positives

So, now we’ve gone over some of the negatives, let’s look at some of the positives of carrying out simulations.

Posture

Closed-door simulations provide a treasure trove of data on how robust your company’s security posture is and the overall likelihood of a threat actor breaching your defences. They can help identify weaknesses within your company and which areas you should be focusing on. Running these tests over the course of multiple months can give you great insight into which users within your business may be low, medium or high risk, allowing you to put additional controls in place accordingly.

In many cases high risk individuals may be provided with additional training, further security barriers on their accounts and more stringent investigation by their security teams. Doing so can reduce the company’s overall threat profile, in turn reducing the overall risk to the company.
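The multi-month tiering described above is easy to get wrong if a single campaign result is treated as a verdict on a person. The following is an added example (not code from the original post or from any simulation product) of one way to aggregate results across campaigns before assigning a tier. The action weights, the tier thresholds, the minimum-campaign rule and the sample events are all assumptions made for illustration; the per-campaign report rate is included because a falling report rate is the early warning sign for the complacency problem discussed earlier.

```python
from collections import defaultdict

# Assumed scoring (not from the article): reporting the simulated email is a
# positive signal, ignoring it is neutral, clicking the link or submitting
# credentials on the landing page is increasingly negative.
ACTION_WEIGHT = {"reported": -1, "ignored": 0, "clicked": 2, "submitted": 4}

# Constructed sample data, not real campaign results:
# (user, campaign id, recorded action).
SAMPLE_EVENTS = [
    ("alice", "2022-03", "reported"),
    ("bob",   "2022-03", "clicked"),
    ("carol", "2022-03", "ignored"),
    ("alice", "2022-04", "reported"),
    ("bob",   "2022-04", "submitted"),
    ("carol", "2022-04", "clicked"),
    ("alice", "2022-05", "ignored"),
    ("bob",   "2022-05", "clicked"),
    ("carol", "2022-05", "reported"),
    ("dave",  "2022-05", "submitted"),  # only one campaign so far
]


def summarise(events):
    """Aggregate per-user totals across every campaign the user took part in."""
    totals = defaultdict(lambda: {"campaigns": 0, "score": 0, "reported": 0})
    for user, _campaign, action in events:
        if action not in ACTION_WEIGHT:
            raise ValueError(f"unknown action {action!r} for user {user}")
        entry = totals[user]
        entry["campaigns"] += 1
        entry["score"] += ACTION_WEIGHT[action]
        entry["reported"] += action == "reported"
    return dict(totals)


def tier_for(average_score):
    """Assumed thresholds on the average per-campaign score."""
    if average_score <= 0:
        return "low"
    if average_score < 2:
        return "medium"
    return "high"


def risk_report(events, min_campaigns=3):
    """Tier each user, refusing to label anyone seen in too few campaigns.

    A single click is not a risk profile; the min_campaigns guard keeps a
    one-off mistake from branding someone 'high risk' after one test.
    """
    report = {}
    for user, totals in summarise(events).items():
        if totals["campaigns"] < min_campaigns:
            report[user] = {"tier": "insufficient data",
                            "campaigns": totals["campaigns"]}
            continue
        average = totals["score"] / totals["campaigns"]
        report[user] = {
            "tier": tier_for(average),
            "average": round(average, 2),
            "report_rate": round(totals["reported"] / totals["campaigns"], 2),
        }
    return report


def report_rate_by_campaign(events):
    """Fraction of recipients who reported each campaign; a downward trend
    across campaigns is the signal that staff are tuning the tests out."""
    seen = defaultdict(int)
    reported = defaultdict(int)
    for _user, campaign, action in events:
        seen[campaign] += 1
        reported[campaign] += action == "reported"
    return {c: round(reported[c] / seen[c], 2) for c in sorted(seen)}


if __name__ == "__main__":
    for user, row in sorted(risk_report(SAMPLE_EVENTS).items()):
        print(user, row)
    print("report rate per campaign:", report_rate_by_campaign(SAMPLE_EVENTS))
```

The point of the `min_campaigns` guard and the report-rate trend is that the data should drive a conversation about training and controls, not a league table; both thresholds would need tuning to the organisation’s own campaign cadence.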

Heightened Awareness

The primary objective of carrying out simulations is to raise the issue of phishing within the company and increase awareness of the techniques employed by malicious actors. In carrying these tests out we’re increasing the overall awareness of staff, ensuring that those who may never have known what a phishing email was are now acutely aware of it.

These simulations ensure that whatever your technical knowledge, background or role, you still need to keep a keen eye out for these emails. This does loop back to one of our negatives around the punishing of staff members; however, if done correctly, this training can be incredibly informative and may in fact have a net positive effect.

Creating a Security Culture

This builds on the heightened awareness: by carrying out these simulations and constantly training our staff to be aware of phishing emails, we start to create a culture of cyber security.

Staff begin to become aware of the repercussions of clicking on phishing emails, and they can see the money, time and effort being put into preventing them. Staff within the business may then start to see this as a shared responsibility, that they are an active participant in safeguarding the business and its assets, fostering the cyber security mindset.

This can also have the knock-on effect of benefitting your staff outside of work, providing them with skills they can then use in the real world to protect their own families and friends.

So, what’s the best solution?

This is the part where the answer becomes a bit hazy. It may sound cliché, but there’s no simple yes/no answer to this question. In the modern workplace additional factors need to be pulled into the equation, ones that go beyond just the positives and negatives of simulations. A few to bear in mind;

  • Cyber Insurance
    • Many insurance companies now require that you have some form of phishing simulation in place before they’ll consider insuring you. I’m certainly no expert in this area, but it seems like this industry is still finding its feet and that in future less rigid restrictions may be put in place.
  • Accreditations
    • Certain accreditations may require you to carry out phishing simulations on your staff, or heavily hint that you should be carrying these out.

So what have we learned from this? Well, we now know that it’s not a simple do-or-don’t situation. Each business will need to get together with their team and look at their individual needs, areas of compliance and business direction to see whether phishing simulation is suitable for them.

I know, right? After all of this reading the outcome is “what works best for you”, but that is honestly the case. My personal takeaway from investigating this is that businesses need to discuss these issues more openly internally, weighing up the negatives and the positives, rather than seeing a “shiny new product” and hopping on board without a real conversation taking place. Furthermore, insurance and certification bodies need to stop pushing the need for these tools, especially on those businesses that really don’t need this testing.
