Ethical and Effective Phishing: What Are the Security Benefits?

Gregg Mearing, Chief Technology Officer at Node4, explains all about running regular ethical phishing simulations.

In the last two years, many organisations have reduced their office footprint and transitioned to hybrid and remote working. It was a process that had begun before COVID-19 but was accelerated by government responses to the pandemic and inspired by the continuing maturity of cloud technology.

This trend is likely to continue in 2022. CIPD figures suggest 85% of employees want to split their working hours between their home and office. And our own independently commissioned research suggests over three-quarters of UK mid-market companies believe hybrid working is likely to continue within their organisation. Furthermore, 79% believe investing in technology to support hybrid working will help attract and retain talent.

Many employees will enjoy the benefits of a hybrid working regime, such as cutting their daily commute down to just two or three days a week. But cybercriminals will also be celebrating. Homeworking exposes businesses to more threat vectors and reveals shortcomings in even the best arsenals.

Viewed in this context, perhaps it’s no surprise that our research found that over a third of IT decision-makers in UK mid-market companies feel strongly that they need to increase security across their collaboration tools this year.

Cybercriminals seem to love phishing attacks. They can leave businesses unable to trade for months at a time and – in extreme cases – can force permanent closure. Unfortunately, no organisation in any industry is immune to a phishing attack.

Phishing attacks account for 36% of data attack cases. Furthermore, ransomware attacks have increased by 148% since the start of the pandemic, and they’re most likely to be delivered by phishing emails. But help is at hand: running regular ethical phishing simulations is a proven way to identify potential security vulnerabilities.

How Do I Get Started?

Phishing awareness training offers a reality check for tech and security teams and plays an essential role in ensuring business resilience. Most companies start with a phishing simulation test, which involves the IT department setting up a fake phishing email and targeting the workforce. This real-life test of employee responses to potential scams provides security managers with practical steps to bolster network security. 

Setting up and running a phishing simulation 

  1. Organise a guided session to build cybersecurity vigilance and engage employees.
  2. Create an email account for employees to report suspected phishing scams.
  3. If you don’t have a full-time CISO (Chief Information Security Officer), get support from an experienced third-party cyberthreat expert to create valid and ethical scenarios that won’t seriously impact employee wellbeing.
  4. Set up a monthly simulation schedule, but don’t run it at a fixed, predictable time (e.g., the first Tuesday afternoon of every month), or employees will learn to expect it.
  5. Select random target groups in rotation to give you the best chance of keeping the simulation a secret and getting a natural response.

Keep it ethical

Phishing simulations have raised ethical questions, but businesses can run them without causing any distress or embarrassment to employees if they’re managed sensitively. Always avoid the following scenarios:

  • Stay away from personal life or health issues as they’re far too sensitive. Instead, keep the scam proposition professional.
  • Don’t ever use an employee’s name or image. Employees should not be referenced or implicated.
  • Avoid references to potentially sensitive news stories. This could negatively impact your test and cause undue emotional stress.

Getting Maximum Impact

Remember, the initiative aims to build confidence among workers. So, if employees have a positive response to the simulation – whether they fall short or pass – you can consider your simulation to have been effective.

This makes post-testing evaluation crucial. If users suspect they’ve been duped by a phishing scam, they may feel embarrassed, ashamed, or fearful of disciplinary action. These responses could discourage future tests or engender negativity towards an employer. For this reason, best-practice follow-up should include each of the following:

  • Confidentiality — Never disclose data relevant to the testing process.
  • Transparency — Inform employees about the test once completed and assure them their responses are confidential.
  • Clarity and empathy — Actively engage and empathise with employees who didn’t pass the test, remaining unbiased to communicate where they fell short.
  • Strategy — Follow up with advice and practical next steps to support employees.
  • Pragmatism — The tests aim to fine-tune user skills and reduce human error, so be prepared to take action straight away if a fail demonstrates a definite need to improve your security software.

When we spoke to IT decision-makers, they expressed worry about finding the IT budgets they need to achieve all their aims this year – 61% said their budget would need to increase, but only 13% expected that it would. However, almost two-thirds said they plan to make increasing and strengthening security a top priority.

It’s clear there’s a widening gap between what IT decision-makers would like to do and what’s practical and affordable. Running regular phishing simulations is a positive and inexpensive way to tackle the growing cybersecurity threat without needing significant budget injection. In the event of an attack, it could make the difference between a regular day in the office and a momentary lapse in judgement that brings operations to a grinding halt.

By Gregg Mearing, Chief Technology Officer at Node4.
