Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises.
A good security culture is critical for any organization because, as the old saying goes, you’re only as strong as your weakest link. Finding that weakest link and strengthening it is therefore seen as crucial. And that’s why we need to talk about phishing tests.
Because rather than fostering a strong security culture, phishing testing can sometimes have a detrimental impact on your employees’ security awareness as well as on their morale. All too often phishing testing adopts a ‘gotcha’ approach, followed by ‘punishment training’. Our recent Security Cultures Report found that only 33% of employees have had a positive experience with phishing simulations, and 18-24 year olds are 2-3x as likely to have had a bad experience. So when we saw this tweet, we were hardly surprised.
It’s by no means an isolated incident.
How NOT to run phishing exercises #infosec pic.twitter.com/m4icf9KUrZ
— Jackie Singh (CISO at ANTIFA) (@HackingButLegal) December 17, 2021
Look, I can be as vigilant as I can, but at the end of the day, it feels like the entity sending me the most phishing emails is MY OWN company, constantly sending them as tests to try to trick us.
— Brian Gray 🥂💖 (@urbanbohemian) June 27, 2022
Meanwhile, this example from GoDaddy in 2021 seems particularly mean-spirited. It’s not entirely unrealistic to expect some sort of corporate comms like this from your own internal team during the holiday season.
Dysfunctional security culture
These are classic examples of a dysfunctional security culture. The result: total fear and paralysis in the workforce that is actually affecting their ability to do their work, work that brings in real revenue. Stopping phishing attacks by effectively shutting down the company’s ability to function normally can’t really be considered a win.
As we’ve discussed before, you can’t stop people clicking links any more than you can prevent them from sending or receiving them in the first place; for many people, that’s their job. Their inbox is a revolving door of links to documents, webpages, forms, and databases. It’s almost an unconscious muscle memory with some people.
It also has a cost to employees’ mental state, which, given the past two years, is probably already quite fragile. After all, no one should be publicly humiliated and lose their job for clicking a phishing test link.
It’s not just Dave in the Accounts team that this can happen to; even IT experts can fall foul, as this other thread on Reddit explains. Look at why, though: “I was just coming back from lunch, juggling a few important tasks in my head, and when I unlocked my laptop there were 20 new emails, so I tried to quickly skim through them”
In short, they were distracted.
Phishing tests, and security training more generally, deliver a poor ROI for CISOs and InfoSec teams. Security training is expensive, both in the cost to organize and run it, and in the cost to the company more broadly from taking staff away from what they should be doing. It’s also… often boring, on a par with doing a tax return.
What’s more, after just one day people forget more than 70% of what was taught in training, while 1 in 5 employees don’t even show up for SAT sessions. And this is despite some companies’ best efforts to make it ‘fun’.
After anger comes apathy
IT can fix technology, but it can’t fix apathy, and apathy is where people more than likely end up after phishing training. This can result in a drastic drop in responsiveness and employee effectiveness.
Thanks to research by Dr. Karen Renaud and Dr. Marc Dupuis, we know that unleashing fear, uncertainty and doubt on a workforce doesn’t work. It cripples decision making, creative thought processes, and the speed and agility businesses need to operate in today’s demanding world.
What does a good security culture look like?
Our 2022 Security Cultures Report found that although security leaders are prioritizing training (85% of employees in the US and UK participate in security awareness programs), just 36% of those employees say they’re fully paying attention. And while half (50%) do say it’s helpful, only 28% say it’s engaging. 36% say it’s outright boring.
Perhaps that’s why 1 in 3 employees don’t even understand why cybersecurity is important, and nearly 30% don’t think they personally play a role in maintaining their company’s cybersecurity.
Look, we’re not down on phishing testing per se. Done right, as a research exercise, it can provide valuable insights and data points for your organization as part of a much broader suite of security measures.
But what we are down on is victim naming and blaming. Technical tests like phishing testing should be an opportunity to better train and tune your company’s filters and defenses, not a way to punish your people. A user failure is, uncomfortable as it may be to hear, really a technical failure, because that phishing link should never have gotten in front of a person in the first place.
Internal phishing tests are misaligned with their intended outcome. Too often we use the metric to beat users over the head, when we really should be using the data to tune curriculum. The test should identify vulnerabilities, not fix them. https://t.co/a13rQ6q2sF
— Brian Anderson (@btanderson72) June 23, 2022
Why ‘in the moment’ training works
How did you learn to swim? I bet you didn’t sit through an hour-long presentation about it once a quarter, watch a video, then do a ‘fun’ quiz. You got in the water and worked things out ‘in the moment’. Your senses and instincts flagged potential dangers like getting out of your depth or diving too deep. Good security training is the same.
Training people away from their day-to-day working environment removes the connection between the danger and where that danger is experienced. When Tessian detects a threat like a spear phishing email, employees see a warning message that they have to respond to. It’s written in plain English and offers context around why the email was flagged.
It takes time and effort to develop a robust security culture that everyone subscribes to. That’s hard work when you’re fighting several other issues and problems. In order to foster and maintain a risk-aware workforce, security teams should play an active role in onboarding, offboarding, and day-to-day operations. This is especially important now, with remote and hybrid operating models being the norm.
But, according to our research, security leaders underestimate just how much they should be a part of the employee experience, and not being part of it has an exponential negative impact on the organization that could result in a successful attack. Our 2022 Security Culture Report is a good place to start your journey to a stronger security culture.