The IT Pro Podcast: Are phishing tests a waste of time?

Phishing remains one of the oldest and most persistent ways attackers try to break into an organisation, and organisations continue to rely on simulated phishing campaigns as one of the primary ways of checking that their staff are ready to spot and report it.

However, these spoof attacks aren’t always well received, and employees frequently feel unfairly trapped or caught out by them. Appearing on this week’s podcast to discuss why phishing simulations are so often poorly received, the value they offer as part of a wider security strategy, and how organisations can run them more effectively is Paul Watts, ex-CISO, former IT Pro Panellist, and distinguished analyst for the Information Security Forum.

“I'd be lying if I said I haven't been implicated in a couple of phishing exercises that might be maybe cutting it a little bit close. But, you know, you've got to have a sense of emotional intelligence, you've got to understand how your business is thinking and feeling, and there are some areas where you probably shouldn't venture. But what I would say is this: phishing plays on the significance of social engineering to threat actors. And unfortunately, social engineering plays on basic raw human emotions.”

“One of my most favourite phishing campaigns or simulation exercises we did was we wrote to all of the senior leaders to say, your Avios miles are going to expire in the next few days. It was an absolute frenzy. The PAs were mustering to log in and spew their details into this, because God forbid you're going to take an exec's airmiles or airline privilege away from them! It just comes back to exactly what I said; you press the right buttons in the right order, and people will lower their shields and they will fall for it.”

“It's easy to talk about the number of incidents, but more valuable is talking about the times you nearly got caught and celebrating that. And building on that, and that culture that actually, the right thing to do, to be celebrated is to call out when you think something's happened, or you responded to something that you perhaps shouldn't have done, or you're in any way uncertain. To know that you can do that without fear of reprisals, or recriminations or punitive actions is absolutely critical; you can then start to think about what are the most specific threats to your organisation right now, and then focus on those.”

Read the full transcript here.

ITPro is a global business technology website providing the latest news, analysis, and business insight for IT decision-makers. Whether it's cyber security, cloud computing, IT infrastructure, or business strategy, we aim to equip leaders with the data they need to make informed IT investments.