I could probably fill my car with petrol if I got a penny for each time someone told me, “let’s assess our security culture by phishing staff”.
It’s easy to do. You just need to buy some online training. Vendors usually include phishing simulations as an optional or free add-on. It sounds fantastic: train staff to spot phishing emails and they’ll be better equipped to defend your organization. This sounds like the ideal solution. But there’s a problem.
Let me explain.
The training itself is excellent. Online training is far more convenient than ever before, and it is easy to get the right advice and the metrics you need for your audit commitments.
But your supply chain, clients and senior staff now want more than a check-box exercise. Companies that provide training are still breached. So how can you measure the cyber culture of your employees? The phishing test looks like your best bet: send some simulations, and those who fail to spot the scammer are given more training.
You now have statistics that appear to prove the training works, but they don’t. You are simply training your staff to spot fake phishing attacks. One IT administrator I know of identified the simulated phishing emails from their technical data and then wrote a script that reported them automatically. Passing the test doesn’t necessarily mean staff are better equipped to stop a real phishing attack.
Passing a phishing simulation does not mean we are cyber-aware.
What about creating strong passwords? What about stopping vishing and smishing attacks? What about preventing physical attacks, detecting fraud, or highlighting high-risk behaviours? Simulated phishing measures none of these.
How can we measure security culture effectively?
It’s important to do it right.
You have many options for gathering solid statistics that show how your security culture is changing. Cybermaniacs partners offer the best way to get strong statistics. This exercise can be run before, during and after the campaign to see how your cyber awareness levels change over time.
Other options to consider:
- Track ‘report a phish’ notifications. An increase in these notifications suggests a culturally aware staff.
- Track suspected security incidents reported by staff. Again, a rise in reports is usually a positive sign.
- Hold optional monthly ‘lunch-and-learn’ sessions on related cyber topics (such as IoT security and personal privacy). Track the attendance – more people each month indicates a more engaged staff.
- Establish a cyber champion program, have regular meetings, and ask your champions on the ground to share their sentiments.
- Audit your password strength – record how your password strength improves over time.
- Track completion rates on your online cyber-training platform.
- Reward those who report breaches. An increase in rewards can indicate a change in culture.
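To show what tracking these signals over time can look like in practice, here is an added example (not code from the original post or from any training platform) that turns several of the suggestions above into month-over-month trends. The monthly figures are constructed for illustration and the metric names are assumptions; the one design point worth noting is that each raw count is normalised per 100 staff, so that a growing headcount is not mistaken for growing awareness.

```python
"""Trend a handful of security-culture signals month by month.

Added example with constructed sample data; the metric names are
assumptions and are not taken from any particular training platform.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MonthlySnapshot:
    month: str
    headcount: int
    phish_reports: int             # 'report a phish' button presses
    suspected_incidents: int       # suspected incidents raised by staff
    lunch_and_learn_attendees: int
    training_completions: int      # staff who completed the online course


# Constructed sample data for four months (not real figures).
SNAPSHOTS = [
    MonthlySnapshot("2024-01", 200, 12, 3, 8, 90),
    MonthlySnapshot("2024-02", 200, 18, 4, 11, 120),
    MonthlySnapshot("2024-03", 210, 25, 6, 15, 150),
    MonthlySnapshot("2024-04", 210, 31, 5, 19, 170),
]


def per_hundred(value: int, headcount: int) -> float:
    """Normalise a raw count to 'per 100 staff' so that headcount growth
    does not masquerade as a change in culture."""
    return round(100.0 * value / headcount, 2)


def slope(values):
    """Least-squares slope over equally spaced months; positive means rising."""
    n = len(values)
    if n < 2:
        return 0.0
    mean_x = (n - 1) / 2
    mean_y = sum(values) / n
    num = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(values))
    den = sum((x - mean_x) ** 2 for x in range(n))
    return num / den


# Each signal from the list above, expressed per 100 staff.
METRICS = {
    "phish_reports_per_100": lambda s: per_hundred(s.phish_reports, s.headcount),
    "incidents_per_100": lambda s: per_hundred(s.suspected_incidents, s.headcount),
    "lunch_and_learn_per_100": lambda s: per_hundred(s.lunch_and_learn_attendees, s.headcount),
    "training_completion_pct": lambda s: per_hundred(s.training_completions, s.headcount),
}


def culture_trends(snapshots):
    """Return {metric: (monthly series, slope, verdict)} for each signal.

    For these particular signals a rising line is the good direction, as the
    post argues: more reports and more engagement, not fewer.
    """
    out = {}
    for name, fn in METRICS.items():
        series = [fn(s) for s in snapshots]
        m = slope(series)
        verdict = "improving" if m > 0 else ("flat" if m == 0 else "declining")
        out[name] = (series, round(m, 3), verdict)
    return out


if __name__ == "__main__":
    for name, (series, m, verdict) in culture_trends(SNAPSHOTS).items():
        print(f"{name:26} {series} slope={m:+.3f} {verdict}")
```

Run it as-is to print each signal's monthly series and direction; in real use, replace `SNAPSHOTS` with figures exported from your reporting button, ticketing system and training platform, and keep the normalisation step.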
This is a very short list. There are many ways to measure cyber culture, and the right mix is unique to your organization.
It should be obvious by now that phishing simulation on its own is an ineffective metric for cyber culture.