Cybersecurity, at its core, is the defense of an individual or an organization against the criminal, unauthorized use of private electronic data or information, together with the measures used to accomplish that defense.

Many organizations (companies, schools, financial institutions, etc.) have become too reliant on technical defense systems. A recent CSOonline.com article focused on why anti-phishing strategies are failing.

The main finding? Companies aren’t training their employees to spot sophisticated phishing emails. Without a comprehensive phishing training approach centered on phishing testing and phishing simulation, there will always be gaps in the armor.

While remedial training for failing a phishing simulation can seem intuitive, timing comes into play and must be considered by every organization, whatever its size and type. An employee who fails a phishing simulation on a busy, stressful day is in a different situation from an employee who clicks on a fraudulent link during a smooth, easygoing day.

Remedial phishing training can, in fact, have an adverse effect if the employee simply hurries through what they perceive as an annoyance to their day instead of learning from the mistake.

Assigning phishing training in addition to scheduling phishing testing and phishing simulation provides a holistic security-awareness training approach and is more likely to yield positive results.

Another example of a false representation of the impact phishing training can have on an organization is the phishing test failure rate. If employees are presented with easy phishing simulations and all employees pass the phishing test, has there truly been an improvement in the ability to spot a real phishing threat?

On the other hand, if well-designed, timely, topical phishing simulations are delivered to employee or staff inboxes and the failure rate is high, has there truly been an increase in risk at the organization level compared to the easier phishing simulation?

A baseline phishing test must be conducted at varying levels of difficulty to determine the true susceptibility of an organization to the threat presented by a real phishing attack.

With a tiered-difficulty baseline as the guiding light, conducting phishing simulations and comparing their results to the baseline numbers at the same difficulty level will provide a better picture of the risk present.
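The comparison described above can be made concrete in a few lines of code. The following is an added example, not code from the original article or from any vendor platform: it computes failure and reporting rates per difficulty tier from simulation results, compares a later campaign against the baseline tier by tier, and refuses to compare when a tier has no baseline, which is exactly the situation where a raw failure rate would mislead. The data class, the tier names ("easy", "medium", "hard"), the campaign names and all recipient results are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimResult:
    """One recipient's outcome in one phishing simulation (constructed schema)."""
    campaign: str    # "baseline" or a later campaign name, e.g. "q2"
    tier: str        # difficulty tier the simulated lure was designed at
    recipient: str
    clicked: bool    # followed the lure link (counts as a failure)
    reported: bool   # reported the message as suspicious


def _constructed(campaign, tier, sent, clicked, reported):
    """Build `sent` constructed results: the first `clicked` recipients fail,
    the next `reported` recipients report, the rest do neither."""
    return [
        SimResult(campaign, tier, f"user{i:02d}@example.test",
                  i < clicked, clicked <= i < clicked + reported)
        for i in range(sent)
    ]


# Constructed sample: a tiered baseline, then a later campaign at the same tiers.
SAMPLE = (
    _constructed("baseline", "easy", 10, clicked=3, reported=4)
    + _constructed("baseline", "hard", 10, clicked=6, reported=1)
    + _constructed("q2", "easy", 10, clicked=1, reported=6)
    + _constructed("q2", "hard", 10, clicked=5, reported=2)
)


def rates_by_tier(results, campaign):
    """Return {tier: {"sent", "fail_rate", "report_rate"}} for one campaign."""
    sent, clicks, reports = defaultdict(int), defaultdict(int), defaultdict(int)
    for r in results:
        if r.campaign != campaign:
            continue
        sent[r.tier] += 1
        clicks[r.tier] += r.clicked
        reports[r.tier] += r.reported
    return {
        tier: {
            "sent": sent[tier],
            "fail_rate": clicks[tier] / sent[tier],
            "report_rate": reports[tier] / sent[tier],
        }
        for tier in sent
    }


def naive_overall_fail_rate(results, campaign):
    """Failure rate that ignores difficulty; shown only to illustrate the trap."""
    mine = [r for r in results if r.campaign == campaign]
    return sum(r.clicked for r in mine) / len(mine)


def compare_to_baseline(results, campaign, baseline="baseline"):
    """Compare a campaign to the baseline tier by tier.

    Raises ValueError when a tier in the campaign has no baseline counterpart:
    a failure rate on a harder tier says nothing about risk unless the baseline
    was measured at that same tier.
    """
    base = rates_by_tier(results, baseline)
    cur = rates_by_tier(results, campaign)
    out = {}
    for tier, c in cur.items():
        if tier not in base:
            raise ValueError(f"no baseline for tier {tier!r}; comparison is not meaningful")
        b = base[tier]
        out[tier] = {
            "baseline_fail_rate": b["fail_rate"],
            "fail_rate": c["fail_rate"],
            "delta": round(c["fail_rate"] - b["fail_rate"], 4),
            "report_rate_delta": round(c["report_rate"] - b["report_rate"], 4),
        }
    return out


if __name__ == "__main__":
    for tier, row in compare_to_baseline(SAMPLE, "q2").items():
        print(tier, row)
    # The trap: an easy-only baseline followed by a hard-only campaign looks
    # like risk went up (0.2 -> 0.7) if tiers are ignored.
    MISMATCH = (_constructed("baseline", "easy", 10, 2, 0)
                + _constructed("q3", "hard", 10, 7, 0))
    print("naive:", naive_overall_fail_rate(MISMATCH, "baseline"),
          "->", naive_overall_fail_rate(MISMATCH, "q3"))
    try:
        compare_to_baseline(MISMATCH, "q3")
    except ValueError as err:
        print("refused:", err)
```

In the constructed sample the per-tier deltas are both negative (easy: 0.3 to 0.1, hard: 0.6 to 0.5) and the reporting rate rises, which is the kind of evidence the article is asking for. The mismatched case shows why the tier key matters: the naive rate climbs from 0.2 to 0.7, but the comparison function correctly declines to call that an increase in risk.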

When an organization relies solely on technology to detect harmful emails, identify them, and quarantine them for inspection, the door is left open for a sophisticated attack to target individual employees from seemingly “legitimate” email domains.

Some of the highest industry failure rates we see on lower-difficulty phishing simulations come from some of the most “well-protected” sectors. Financial institutions, healthcare organizations, and insurance agencies are conditioned to believe their systems are impenetrable. With that mindset, despite the heavy armor, a cybercriminal is able to thread the arrow through the gaps and hit the desired target.

In addition to phishing training and phishing simulation, employees must be incentivized to report suspicious activity, and policies must be consistently enforced, to enhance the overall security posture.

If you aren't currently providing phishing testing and phishing training to your employees, we can assist with setting up a tailored, curated program designed to fit your needs. If you are currently testing and training your employees, we can provide free access to our platform for the remainder of your current contract period with any signed agreement for our Professional or Enterprise plans.