If I had a penny for every time someone said to me “let’s measure our security culture by phishing our staff” I’d probably be able to fill my car up.
It’s a really easy thing to do: you carry out some online training, and typically it comes with phishing simulations as a free or low-cost add-on. On the face of it that sounds great. Train staff to spot phishing emails and they will be much better prepared to take up the mantle of defending your organisation. It sounds like the perfect solution. There’s a problem though: it’s not.
The training is fine. Online training these days is much better than it was. The advice provided and the convenience of being able to train an almost unlimited number of staff at the same time, and get metrics for the all-important audit commitment is perfect.
But now your supply chain, clients, and senior staff all want more than just a tick box exercise. Breaches still happen in companies that have training. So how do you actually measure your staff’s cyber culture? Enter the phishing test. Send some simulations and those that fail to spot the phish get more training and hopefully they pass next time and your numbers of failures go down.
Now you have stats that show the training is working… only it isn’t. All you are doing is training your staff to spot simulated phishing attacks. As a client once told me, one of their IT admins worked out how to spot the phishing simulations from the technical data and simply wrote a script to report them. That clearly doesn’t mean that person is better placed to prevent a real phishing attack.
This is not demonstrating a cyber aware culture.
What about how to set good passwords, what about stopping vishing or smishing attacks, what about preventing physical attacks or detecting fraud, or highlighting potentially high-risk practices, etc. None of those are measured with simulated phishing.
So how do we effectively measure our security culture?
There are many ways you can gain strong statistics that show your culture of security awareness is changing. The most effective method is to carry out a Cyber Human Baseline and culture mapping exercise from our partners Cybermaniacs. Run this before, during and after your campaign to understand how your baseline of cyber awareness changes throughout your organisation over time.
Some other options to consider are:
This is just a small list, there are many other ways you can measure cyber culture, each are unique to your organisation.
One thing that is clear though, is that phishing is a terrible metric for measuring cyber culture.
If you want to discuss how to improve your cyber culture, reach out to us or get me directly on Twitter @tonygee.
The post Stop using phishing as a measure of your cyber awareness culture first appeared on Pen Test Partners.