Phishing your own users is a controversial topic, for sure, but, in my humble opinion, you’ll have no better gauge for how your institution will fare than getting results from an exercise like this. Whether you perform the phishing exercises yourself or use a third party, the results will be beneficial.
I know a lot of you are thinking that this won’t go over well. We don’t need to be finger pointing, or making people feel bad about falling for phishing messages.
What needs to happen is we need to consider changing the messaging about why you’re performing the phishing tests. We’re not doing it to single people out. We’re doing it to understand how well our training is working. We’re doing it as part of our incident response testing. We’re doing it to provide another avenue to learn about phishing in a controlled (i.e. safe) environment.
Think of this like you think of fire safety. We all know about smoke detectors, egress points, fire drills, etc. We know about this, because through regular exercises and messaging, we’ve greatly enhance fire safety to where without even thinking, we know what to do when we hear a fire alarm.
We can learn phishing safety the same way. Perhaps announce the specific date and time window that the drills will occur (like you do with fire drills). Get people in the habit of knowing and understanding the way phishing messages work to help them build success on how to react appropriately to phishing messages. Be sure to reward the ones that do well and also reward the ones that put in the right effort. For the ones that miss the mark, determine how you can get better or different training in front of them, not just more training. In the end, it makes more sense to for them to learn about the dangers of phishing in a controlled environment without experiencing an actual loss.
Let’s make the world more secure.
