NCSC: Businesses are too often 'seduced' by the attractive lure of phishing tests

Abstract image of a fishing hook through a red email to represent a phishing attack
(Image credit: Shutterstock)

The UK’s cyber security authority has warned businesses not to become ‘seduced’ by the attractiveness of issuing phishing tests to staff.

Part of GCHQ, the National Cyber Security Centre (NCSC) claimed most implementations rarely offer “an objective measure” of an organisations’ defences and can “just end up wasting time and effort”.

It said phishing tests offer a metric to show improvement in one specific area - such metrics are “extremely difficult to come by in the security space” - but organisations need to look beyond the core results to glean any meaningful insights from tests.

Making general assumptions about an organisation’s skills at spotting potentially harmful email campaigns based on a company-wide test may not truly indicate employees’ cyber readiness.

“The risk of living or dying by this single metric is: what happens when you make the test emails more sophisticated, for example, to test spear phishing? This will do terrible things to your click rate,” said ‘Kate R’, sociotechnical security researcher at the NCSC in a new blog post.

“You can get any result you want by adjusting the emails you send out, which is hardly an objective measure of your defences. And if you are on the receiving end of a metric that shows a vast improvement, you should be asking some very probing questions about how the simulation was designed, because it is likely that the emails are just too obvious.”

According to the authority’s latest guidance, an effective phishing test will only be achieved if it is designed in a way to answer a very specific question.

An organisation may want to test if a specific department which previously scored poorly on phishing tests has improved over time, for example.

Designing phishing tests for a specific purpose, and communicating the thinking behind them to staff, may also have a positive impact on their reception, too.

Phishing tests are often bemoaned by employees across a company and in the very worst cases can elicit angry responses when designed insensitively. A report published earlier this year also revealed that IT staff have been found to be especially prone to failing them.


Cyber resiliency and end-user performance

Reduce risk and deliver greater business success with cyber-resilience capabilities


They do hold play an interesting role in an organisation's cyber security training programme, though. Phishing remains one of the most common forms of cyber attack that lead to a range of dangerous outcomes such as the installation of malware and ransomware, or an opportunity to steal data.

The importance of phishing tests is regularly questioned in the cyber security industry and even the NCSC said it’s unreasonable to expect staff to remain vigilant to malicious emails at all times, given the volume most people receive every day.

“Responding to emails and clicking on links is an integral part of work,” said ‘Kate R’. “Attempting to stop the habit of clicking is not only extremely difficult, but is it what you want?

“Asking users to stop and consider every email in depth isn't going to leave enough hours in the day to do work.”

Organisations have been advised to examine and implement the NCSC’s official guidance on preventing phishing attacks which focuses on a multi-layered approach.

The authority encourages organisations to adopt four layers of mitigation strategies which include implementations such as anti-spoofing controls to make it more difficult for attackers’ emails to reach end users.

It also encourages making reporting tools for suspect emails quick and easy to use, as well as implementing two-factor or multi-factor authentication across the organisation.

The NCSC also advised against blaming users for failing phishing tests for a number of reasons. It doesn’t help anything and undermines the relationship between staff and IT, too.

Training can be both effective and agreeable, beneficial to both sides, the authority said. It recommended adopting more creative methods such as encouraging staff to create their own phishing emails.

It could provide a less domineering way of training staff over issuing tests that are designed to catch them out. Often when tests are failed, staff have to take time out of their day to complete mandatory training and this can cause some upset.

“Whatever you do, remember that no training technique will get your users to recognise every phish. It's also essential that you don't spend your entire budget on training when you need to invest in multiple layers of defence to build a solid defence against phishing.”

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.