In the ever-evolving landscape of cybersecurity, one practice has become almost ubiquitous: phishing tests/simulations. Organizations deploy these tests with the intention of fortifying their defenses, but I genuinely feel that constantly bombarding users with phishing simulations is a waste of time. Yes, this view may be seen as controversial, but I wanted to take a moment to explain why I feel phishing tests might not be the panacea they are often touted to be.
Phishing Tests: A Mirage of Metrics
Phishing tests can be a great and easy way to pad numbers and falsify metrics. While many campaigns are designed to be challenging, a significant number are blatantly obvious, leading to user fatigue. When users become accustomed to recognizing the tell-tale signs of phishing tests, they might start to miss the real threats.
Consider this scenario: an employee receives numerous phishing simulations, most of which are so poorly disguised that even a cursory glance can reveal their nature. Over time, the employee’s vigilance diminishes. They spend more time looking for the obvious markers of a test rather than scrutinizing emails for genuine threats. This focus shift can result in real phishing attempts slipping through the cracks, as users become desensitized to the constant barrage of tests.
The inflated sense of security created by high ‘success’ rates in phishing tests can also lead to a dangerous complacency. Organizations might believe they are effectively mitigating phishing risks based on these skewed metrics, but the reality could be starkly different.
The consistent theme you will see me return to is that the emphasis should be on the quality of user education and on reducing impact, rather than on the quantity of phishing simulations.
The Misguided Focus on the Perimeter
This is not limited to phishing: there is an overemphasis on preventing breaches at the perimeter. The mindset that an organization cannot be breached is fundamentally flawed. The question is not whether an attacker can get in, but rather how far they can go once they are inside, and whether you have the visibility and awareness to know when, and if, it happens.
Human behavior is unpredictable and cannot be codified. Users, no matter how well-trained, can be busy, overwhelmed, or simply have an off day. A sophisticated phishing email can slip through the cracks and be clicked on. Instead of focusing solely on preventing the initial click, the focus should shift to what happens next.
When a phishing email does get clicked, what safeguards are in place? How quickly can the breach be detected and contained? Many organizations do not have robust answers to these questions because they are too focused on the initial perimeter defense and relying on the metrics of their phishing simulation platforms. Real security lies in layered defenses, monitoring, and rapid response mechanisms.
Reducing Impact, Not Preventing the Click
The ultimate goal with regard to phishing should be reducing or eliminating the impact of a phishing attack, not striving for the impossible task of completely preventing the click. To truly prevent users from clicking on malicious links, organizations would have to disable the ability to click URLs in websites and emails – a solution that is impractical for the vast majority of businesses.
Instead, focus on building a resilient infrastructure. Implement strong endpoint protection, maintain rigorous access controls, and ensure that there are effective monitoring systems in place. Educate users not just on identifying phishing emails, but also on what to do if they suspect they’ve fallen victim to one. Encourage a culture where employees feel comfortable reporting potential breaches without fear of retribution.
By shifting the focus from preventing every single click to minimizing the impact of those clicks, organizations can build a more robust security posture. This approach acknowledges the inevitability of breaches and prepares the organization to respond swiftly and effectively.
Conclusion
Phishing tests, while well-intentioned, can often lead to a false sense of security and user fatigue. The focus on perimeter defense is outdated in the face of sophisticated threats and/or user error that can and will breach initial defenses. Instead, organizations should prioritize reducing the impact of breaches and building a resilient, layered security approach.
Ultimately, the goal is to create an environment where users are aware and vigilant, but not overwhelmed or desensitized. By doing so, organizations can ensure that they are truly prepared for the inevitable clicks and the threats that follow.