Is your Phishing First awareness strategy losing steam?
Let’s go back to the basic concept of learning. Examinations in schools and colleges follow the lessons and the learning, not the other way round, right?
Do you train first or test first?
This is an easy answer. High-quality learning is achieved by informative and interesting lectures, followed by examinations to test that learning. A phishing simulation is nothing but an examination: the question the employee is being asked is “are you able to protect organizational assets or not?”. No one would think of first testing their employees and then, based on their failure rate, training them. It just does not make sense.
However, in practice many organizations are using exactly this approach, including large organizations with thousands of employees.
But why? In simple terms, because someone came up with the “brilliant” thought process of “why focus on high-quality awareness for all employees? The smart people are not a risk to the organization. The not-so-smart ones are, so let’s phish them out and then train only those targeted people”.
Moreover, the primary reason organizations may have adopted this vendor-pushed phish-first approach is that they want to stay green during audits: it is a tick-in-the-box compliance activity. While there is nothing fundamentally wrong with wanting to pass an audit, ethically the approach does not stand on much ground, as it is an inequitable way of treating employees.
Additionally, some vendors have smartly window-dressed their sales strategy by calling this whole process “phishing awareness training”. This is analogous to examination-based learning. And what is examination-based learning? It is a methodology prevalent in developing countries where rote learning (definitions et al.) is forced upon students, pushing them to score high marks in examinations, learning be damned! We have all been victims of it, and this has to change.
Employees are human beings, with emotions, feelings and diverse attitudes and behaviors, and their lives are influenced by different triggers.
If a person fails a phishing simulation on a particularly bad day that he or she happens to be having, it does not mean that person is not-so-smart.
To that person, failing a phishing test is already an embarrassment in itself; the worst thing you can do is assign (manually or automatically) training on the very threat vector that the person failed to recognize. Is it possible that this individual might feel even more resentful about being singled out?
Is this making that person more secure for the organization? What if the real phishing attack uses a different threat vector?
It is not hard to guess that he or she may falter again.
Is this strategy really helping the culture of the organization become more secure? The best it can do is instill fear in a few employees and an “I-care-a-damn” attitude in the rest, but definitely not a stay-safe-online culture.
We all need more love, inclusivity and caring, rather than fear and embarrassment.
In my recent conversations with real employees, here is what a tenured employee had to say about a phishing campaign run in his organization using a top global vendor: “You know what – I have been around for 2 years here, so I can easily understand if an email is a phishing one or not. However, the new joiners are taking the bait easily, and it’s fun to watch them take these trainings – we laugh about them during our lunch time”.
This points to two main issues: firstly, the tenured employee is getting a false sense of security, and secondly, the new joiner has to go through embarrassment and isolation. I don’t think this should be the intention of running a phishing simulation campaign at all.
Beyond simulated phishing via email.
So, what about the other prefixes we are merrily adding to “phishing”, such as smishing, quishing, vishing, and so on? I have noticed that simulated phishing through these continuously evolving threat vectors is being sold as add-ons. That too, even in a place like India, where legally you cannot use telecom providers’ networks or mobile numbers to make mock calls without proper documentation. Organizations are willing to take these on, thinking “Oh, we will be more compliant than before”.
And this misses the whole point: when you actually think beyond regular phone calls, SMS, WhatsApp and video calls, there are many more ways in which social engineering actually happens.
Listing the most common ones: Zoom calls, Google Meet calls, Quora, Facebook Messenger, Telegram, YouTube, many online forums, Instagram, Snapchat, Moj, etc. Remember, all these apps are used by corporate employees on their personal smartphones as well. The worst social engineering attempts can happen through a gaming app’s messaging tool, a recently emerging threat in which a player on a popular Rummy platform was the victim of social engineering and was responsible for a data breach. How would you cover these aspects in your phishing-first strategy? More add-ons?
Picture this: throughout the year you are phishing employees using different modes, via email, phone call, SMS, WhatsApp, video call, and more! How would that employee feel?
I’ve come across a publicly available RFP from a leading Indian bank outlining the above modes in which their employees should be phished, as part of their “phishing simulation needs”. It seems absurd and does not align with common sense. Senior leaders might argue it is for compliance, needed to pass audits. Sure, simulations are necessary, but not in their current state, form or sequence.
So - what’s the solution?
First things first. In the right order of things, learning comes first and simulated phishing comes after.
Roll out a fair and equitable awareness campaign through a continuous learning program that is not based on emails, PowerPoints or boring videos that spurt out AI-spoken definitions.
Those neither engage the audience nor provide quality learning.
We are currently in a vicious cycle of extremely poor learning and simulated phishing. What is needed is a virtuous cycle that breeds security culture. Most organizations fail to get engagement with their security awareness training. Your first priority should be to get that engagement.
Once you are sure you are getting 100% engagement and coverage in your awareness program, only then run a phishing simulation exercise.
And don’t get tricked into buying phishing simulation software based on buzzwords such as “AI-driven templates”. Also, try not to get oversold on how beautiful the reporting dashboards look. A tool is a tool is a tool.
If you see a simulated phishing tool that has at least 7 templates for the festival that falls on 14th January in India, i.e. Sankranti, Pongal, Khichdi, Pusna, Bihu, Uttarayan and Maghi, and which also crafts a phishing email based on local cultural nuances and emotions, go for it.
If not, then you are really not simulating well.
Use an “Empower first – Phish later” approach to consistently build the security culture of your organization. If you want to know how we can help, contact us at support@sybernow.com
Visit our website www.sybernow.com for more blogs on cybersecurity culture, security awareness and mindfulness-related topics.
- by Pooja Shimpi & Sameer Gemawat
Associate Director @ PwC | Naval Veteran | Risk Consulting | Cybersecurity | CISSP | CCSP | AWS SAA | MBA(ITSM) | ISO 27001 LA
10mo A great article Pooja Shimpi 🧿 You seem to have nailed it perfectly. Absolutely concur.
Info Systems Coordinator, Technologist and Futurist, Thinkers360 Thought Leader and CSI Group Founder. Manage The Intelligence Community and The Dept of Homeland Security LinkedIn Groups. Advisor
10mo Great thoughts Pooja
CISSP
10mo If someone is aware, it doesn’t mean that he/she cares. Finding the right way to close the knowledge-intention-behaviour gap is the perfect recipe for elevating the security awareness and cultural posture of the organisation.
Project Management/PMO Consultant | Scrum Master | Cyber Security 🇮🇳 🌐 🇦🇺
10mo Stress testing/pen testing similar to spear phishing? 🪝 - General observation: what are the similarities, if any exist? The same observability holds for ethical vs unethical hacking!
Many organizations use an approach where they run once-a-year cyber safety awareness training for their employees, yet they perform simulated phishing throughout the year. While this works for compliance purposes, in reality it is not making the organization any more secure.