Most companies run some form of phishing simulation exercise, but how successful are these, and do they have the desired effect of reducing the risk of successful phishing attacks?
Whilst they are a great way to identify how susceptible employees are to social engineering attempts, you may be left with a sinking feeling that you should be doing more.
Let’s be frank, hosting an annual Phishing Simulation won’t have a transformative impact on your security culture.
One-off tests set a baseline to understand where your firm stands in terms of resiliency and risk profile. But if your goal is to reduce human risk and build a strong human firewall, an annual phishing test is not enough.
Phishing: The statistics and risks for your businesses
*News flash* We all know that phishing emails are on the rise, but let’s hit you with some statistics:
- Phishing is the most common form of cybercriminal activity for UK businesses, 83% have been targeted by phishing scams.
- Whaling attacks using executive impersonations increased by 131% from the previous year in 2021.
- 59% of organizations say an executive has been targeted for whaling attacks, 46% of these executives have fallen victim to these attacks.
- Stolen or compromised credentials were the primary attack vector in 19% of data breaches this year.
- More than 80% of reported cyber incidents are tied to phishing attacks, most of which are delivered through email.
Businesses are targeted with endless attempts to compromise sensitive information, ranging from poorly constructed scams to the convincingly authentic.
These include spear phishing attempts, dodgy attachments claiming to be a pay rise notification, and “password expired” messages directing users to an ‘Office365’ phishing site.
Sounds all too familiar, right?
Unfortunately, there is a common misconception that phishing scams are easy to identify and that only less technically savvy employees will fall victim.
But with more than 80% of reported cyber incidents tied to phishing attacks, this is far from the reality.
From our own experience of conducting simulated phishing attacks, we see first-hand that many employees don’t initially identify phishing campaigns. It is not uncommon for us to see a high volume of clicks from users, who then go on to enter credentials.
Whilst you may assume these are from staff with non-technical roles, this is not always the case.
Are your phishing simulations enough to counter the threat?
Infrequent phishing tests are not enough to counter the evolving threat of phishing attacks.
Here’s why:
1. You need to keep it fresh: Without regular, engaging cyber awareness training, your team are unlikely to keep the threat of phishing attacks fresh in their mind.
2. Lack of reporting processes: Without established processes in place, your users won’t know how to respond when they receive email-based threats. Frequent phishing training can reinforce the habit of reporting phishing attempts.
3. You don’t know where you stand: Sporadic assessments don’t provide a realistic picture of where your business stands in terms of resiliency. It will be a point in time assessment, with no data to compare against or improve on.
4. Not enough data: Regular phishing testing leads to more data points to analyse. Phishing simulations can then be adjusted to your teams’ level of cyber awareness, giving a more realistic understanding of human risk.
5. You need to test against current threats: Hackers are constantly changing their tactics to take advantage of current events and hot topics. They also create more sophisticated scams to trick users. Phishing simulations and training need to be tailored to the latest threats, to see how your staff respond to them.
Cyber Security is a team sport
Many employees still foster the mindset ‘Cyber Security is IT’s responsibility’.
Without the proper messaging, phishing simulations will reinforce this and alienate your staff from engaging in your security agenda.
In recent years, phishing simulations have come under fire, with many questioning how ethical they are and whether the negatives outweigh the benefits.
If tests are not communicated in a constructive manner, they can create distrust and damage company morale.
The key to preventing this is to:
- Eliminate blame culture, it shouldn’t be about catching your employees out.
- Keep your team on side by being willing to teach instead of tell.
- Reinforce the mantra that Cyber Security is a team sport, it’s not a siloed function managed by your IT team.
- Empower your team, they are at the frontline of your defences. Help them understand they play a crucial role in keeping your brand safe.
It’s not easy to turn the weak link in your security strategy into an asset, but it can be done. It won’t happen overnight, but with an established awareness programme you can make it happen.
How can you do more to protect from phishing?
The Webroot SMB Cybersecurity Preparedness report found that whilst 100% of businesses train their employees in cybersecurity awareness, only 39% provide an ongoing testing and education programme.
The continuous nature of cyber-attacks requires frequent testing and phishing awareness training tailored to your risks, business processes and employee awareness level. You can’t rely on spam filters and periodic training.
But with the right programme, your employees can stay abreast of the latest threats and be armed with the knowledge to remain cyber-safe in the face of sophisticated social engineering attacks.
The problem is that traditional simulation and training programmes can be too generic: they don’t provide relatable narratives which contextualise cyber risks. This results in low engagement and poor knowledge retention.
Some of your most cyber-savvy employees will detect phishing, but the key to creating a human firewall is to transform your security culture from the bottom up. Achieving this culture shift requires continual learning, behavioural change and long-term progress reporting.
Phishing tests need to be tailored to the awareness level of each user. As your employees master one phishing simulation, you can advance the difficulty of the next one. This way, you can measure their awareness and improvement over time, and rank your firm’s cyber maturity level.
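One way to put the approach above into practice is to keep a per-campaign record of who clicked, who entered credentials and who reported the message, then use that history to set each user's next difficulty tier and to watch the firm-wide rates move over time. The script below is an added illustration, not code from the original article or from Equilibrium Security; the three tiers, the escalation rule (two consecutive clean, reported campaigns at a tier moves a user up; entering credentials moves them down) and the sample campaign data are all constructed assumptions.

```python
"""Track phishing-simulation outcomes over time and plan each user's next tier.

Added example (not from the original article). Tier names, escalation rules
and the sample results below are constructed assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed difficulty ladder, easiest first.
TIERS = ("basic", "intermediate", "advanced")


@dataclass(frozen=True)
class Result:
    campaign: str        # campaign label; RESULTS is kept in chronological order
    user: str
    tier: str            # tier the user was tested at in this campaign
    clicked: bool        # opened the simulated phishing link
    entered_creds: bool  # submitted credentials on the landing page
    reported: bool       # used the report-phishing process


# Constructed sample data: three quarterly campaigns, four users.
RESULTS = [
    Result("2024-Q1", "alice", "basic", False, False, True),
    Result("2024-Q1", "bob", "basic", True, True, False),
    Result("2024-Q1", "carol", "basic", True, False, False),
    Result("2024-Q1", "dave", "basic", False, False, False),
    Result("2024-Q2", "alice", "basic", False, False, True),
    Result("2024-Q2", "bob", "basic", True, False, False),
    Result("2024-Q2", "carol", "basic", False, False, True),
    Result("2024-Q2", "dave", "basic", False, False, True),
    Result("2024-Q3", "alice", "intermediate", True, False, False),
    Result("2024-Q3", "bob", "basic", False, False, True),
    Result("2024-Q3", "carol", "basic", False, False, True),
    Result("2024-Q3", "dave", "basic", True, True, False),
]


def campaign_metrics(results):
    """Per-campaign click, credential-entry and report rates (0.0 to 1.0)."""
    by_campaign = defaultdict(list)
    for r in results:
        by_campaign[r.campaign].append(r)
    metrics = {}
    for campaign, rs in by_campaign.items():
        n = len(rs)
        metrics[campaign] = {
            "click_rate": sum(r.clicked for r in rs) / n,
            "cred_rate": sum(r.entered_creds for r in rs) / n,
            "report_rate": sum(r.reported for r in rs) / n,
        }
    return metrics


def next_tier(history):
    """Choose a user's next tier from their chronological result history.

    Assumed rules: entering credentials drops the user one tier (never below
    basic); two consecutive campaigns at the current tier with no click and a
    report move the user up one tier (never above advanced); otherwise stay.
    """
    if not history:
        return TIERS[0]
    last = history[-1]
    idx = TIERS.index(last.tier)
    if last.entered_creds:
        return TIERS[max(idx - 1, 0)]
    at_tier = [r for r in history if r.tier == last.tier][-2:]
    if len(at_tier) == 2 and all(not r.clicked and r.reported for r in at_tier):
        return TIERS[min(idx + 1, len(TIERS) - 1)]
    return last.tier


def plan_next_campaign(results):
    """Map each user to the tier they should receive in the next campaign."""
    per_user = defaultdict(list)
    for r in results:
        per_user[r.user].append(r)
    return {user: next_tier(hist) for user, hist in per_user.items()}


def rate_trend(results, key):
    """Return the chosen rate per campaign in order, for progress reporting."""
    return [m[key] for m in campaign_metrics(results).values()]


if __name__ == "__main__":
    for campaign, m in campaign_metrics(RESULTS).items():
        print(campaign, {k: f"{v:.0%}" for k, v in m.items()})
    print("next campaign tiers:", plan_next_campaign(RESULTS))
    print("click-rate trend:", rate_trend(RESULTS, "click_rate"))
```

With the constructed data, alice's click on her first intermediate test is the point of the exercise: a user who has mastered the basic tier is kept learning at the next level rather than being re-tested on what they already recognise, while dave, who entered credentials, stays at basic and would be the obvious candidate for targeted follow-up training.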
Reduce the risk of phishing: Do you want to take your phishing programme to the next level?
Phishing continues to be one of the biggest security risks for businesses to tackle. Research has shown that one-off phishing simulations are ineffective at reducing phishing attacks. However, they can be useful when used on a regular basis as part of a broader strategy.
A Security Awareness Training programme will allow you to measure awareness, identify areas of improvement and set plans in motion to develop your cyber maturity over time.
Are you looking to develop or improve your current Phishing Awareness Programme?
If you would like to chat to our team of experts, you can call us on 0121 663 0055, start a live chat or email enquiries@equilibrium-security.co.uk.