[09-19-24]--Are Phishing Tests Helping or Hurting Our Security Program?
Defense in Depth
Are Phishing Tests Helping or Hurting Our Security Program?
Are we missing the point with phishing tests? We know attackers will just craft better messages to get clicks. So how can we make our own testing more meaningful?
Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark, the producer of CISO Series, and Geoff Belknap. Joining us is Dennis Pickett, VP, CISO, Westat.
Not all education requires tests
Educating users about phishing isn't a pass-fail experience, and viewing it as one misses the point. "Abandon viewing phishing simulations as tests. They are immersive education opportunities. The goal shouldn't be on the organization's click rate, but rather the organization's resilience as measured by the ratio of the number of employees that report the email. Driving that reporting culture can be the difference," said Rohyt Belani, former CEO of PhishMe. That reporting culture can only be effective if employees know and trust where to go. As Jonathan Waldrop, CISO, The Weather Company, explained, "The best way to protect against phishing attacks is to give your employee base clear guidance on how to escalate when they do accidentally click. And to be clear, nobody should be fired for admitting they made a mistake. If your security strategy relies on one person not clicking, you're doomed to fail."
Understand your users
Avoid using phishing tests to derive a single metric for the company. Instead, use them to enrich how you understand your employees. "Phish tests are measurable, and I'd like to see them used for risk scoring of users, with associated permissions, rather than 'send to a website for a learning experience.' Track those who read your intentional emails, attend your webinars, and care about security. They are natural champions for the cause and act as the human sensors who will report issues you want to know about," said Gadi Evron of Knostic. David Jones of RxBenefits echoed this advice about finding your security champions, saying, "Don't condemn the ones that click, but celebrate the ones that report them."
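As an added example (not from the newsletter or any of its contributors), here is a small Python script that scores one simulation campaign along the lines the quotes above propose: report rate and reports-per-click for the organization rather than click rate alone, and a per-user risk score weighted by an assumed permission level, with reporters who never clicked surfaced as champions. The campaign records and the permission weights are constructed for illustration.

```python
# Added example: scoring phishing-simulation results by who reports, not
# just who clicks, and weighting per-user risk by access level.
# All records and weights below are constructed sample data (assumptions).
from collections import namedtuple

Result = namedtuple("Result", "user permission clicked reported")

# Constructed results from one simulation campaign.
CAMPAIGN = [
    Result("alice", "admin", clicked=False, reported=True),
    Result("bob", "standard", clicked=True, reported=True),   # clicked, then escalated
    Result("carol", "finance", clicked=True, reported=False),
    Result("dave", "standard", clicked=False, reported=False),
    Result("erin", "admin", clicked=True, reported=False),
    Result("frank", "standard", clicked=False, reported=True),
]

# Assumed permission weights: a click by a privileged account carries more risk.
PERMISSION_WEIGHT = {"standard": 1.0, "finance": 2.0, "admin": 3.0}


def org_metrics(results):
    """Organization-level view: report rate alongside click rate."""
    n = len(results)
    clicked = sum(r.clicked for r in results)
    reported = sum(r.reported for r in results)
    return {
        "click_rate": clicked / n,
        "report_rate": reported / n,  # the reporting ratio Belani describes
        "reports_per_click": reported / clicked if clicked else float("inf"),
    }


def user_risk(r):
    """Per-user risk: a click is weighted by access; reporting offsets half of it,
    because a clicker who escalates still hands the SOC a signal."""
    score = PERMISSION_WEIGHT[r.permission] if r.clicked else 0.0
    if r.reported:
        score -= 0.5 * PERMISSION_WEIGHT[r.permission]
    return max(score, 0.0)


def champions(results):
    """Users who reported without clicking: the 'human sensors' to celebrate."""
    return sorted(r.user for r in results if r.reported and not r.clicked)


def ranked_risk(results):
    """Users ordered from highest to lowest risk score (stable for ties)."""
    return sorted(((r.user, user_risk(r)) for r in results), key=lambda t: -t[1])
```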
Building reflexes
Staff will become more engaged with phishing awareness if they understand what happens next. Show people the stakes to make them invested in secure behavior. "We are finally accepting that humans aren't the last layer of defense. In my career I've done live-hacking demonstrations that showed users what happens 'after the click' and it was far more engaging and effective than my phishing sim program was. Let's accept the fact that users will click, just like users will plug in USB, just like users will lose devices, and build a support system around those behaviors," said Jason Hoenich of Arctic Wolf.
An ounce of prevention
The biggest issue with a phishing test is that its very existence presupposes a failure. While it's critical to defend in depth, let's not lose sight of trying to stop the failures that let phishing messages through in the first place. "I'd rather take the pressure off the employees by implementing proactive security controls that prevent the phishing email from getting in the first instance. Isolate all web content to the network (or WFH). While phishing awareness training is great, it does put unnecessary pressure on employees," said Sunday McDickson Samuel of SMSAM SYSTEMS.
Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.
Thanks to our other unwitting contributor, Thomas August of AltaMed Health Services.
Thanks to our podcast sponsor, Concentric AI
Super Cyber Fridays!
Join us next Friday, 09-27-24, for “Hacking Alerts”
Join us next Friday, September 27, 2024, for “Hacking Alerts: An hour of critical thinking about triaging the deluge hitting your SOC.”
It all begins at 1 PM ET/10 AM PT on Friday, September 27, 2024, with guests Itai Tevet, CEO, Intezer, and Russ Ayres, deputy CISO & head of cyber, Equifax. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.
Thanks to our Super Cyber Friday sponsor, Intezer
Subscribe
Subscribe to Defense in Depth podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.
LIVE!
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Mike Rosen, CISO, ZwillGen.
Thanks to our Cyber Security Headlines sponsor, Conveyor
LIVE!
PREVIEW: CISO Series Game Show LIVE in Washington, DC 10-2-24
We are just a few weeks away from TWO exciting events in our nation's capital, Washington D.C.
Monday, September 30th, 2024: CISO Series meetup. This is a FREE event happening at the Fairmont Hotel in Georgetown. It all starts at 5:30 PM ET.
REGISTER here.
Tuesday, October 1st, 2024: The launch of FAIRCON24, a two-day conference all about risk management and risk quantification hosted by the FAIR Institute. It's also happening at the Fairmont Hotel in Georgetown.
Get your tickets here. Use our discount code CISOSERIESFC24 to save 30%!
Wednesday, October 2nd, 2024: On the second day of FAIRCON24, join us for CISO Series Game Show at 4:15 PM ET (I know the video says 12 PM ET, but the time just switched). David Spark will be the host, and we'll have Anne Marie Zettlemoyer, fellow, National Security Institute competing against Michael Levin, former deputy CISO, 3M.
Thanks to our sponsor, Safe Security
LIVE!
CISO Series Podcast LIVE in Los Angeles (10-09-24)
CISO Series Podcast will be returning to Los Angeles to do another live audience recording of our show with ISSA LA. Joining me on stage will be two CISO Series all-stars we've had on our other shows: Cyrus Tibbs, CISO, PennyMac, and Sasha Pereira, CISO, WASH. Here's everything you need to know:
WHAT: Live audience recording of CISO Series Podcast at the ISSA LA Cybersecurity Summit 2024 (Event specifics here)
WHERE: Annenberg Beach House, 415 Pacific Coast Hwy Santa Monica, CA 90402
WHEN: October 9, 2024. The event runs from 9 AM to 6 PM; we'll be closing out the show at 5:00 PM.
COST: Tickets start at $33.85. Get them here.
Thanks to our sponsor, Nudge Security
Cyber chatter from around the web...
Jump in on these conversations
"Best site or aggregator for Threat Intelligence?" (More here)
"How do you see bug bounty as a recruiter ?" (More here)
"Difference between a "fresh" SOC analyst and somewhat experienced SOC L1" (More here)
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship, contact me, David Spark.