NCSC: Businesses are too often 'seduced' by the attractive lure of phishing tests
The debate around the importance of phishing tests in cyber security rages on but businesses need to be careful if they decide to embrace them, the UK's cyber authority has warned
The UK’s cyber security authority has warned businesses not to become ‘seduced’ by the attractiveness of issuing phishing tests to staff.
Part of GCHQ, the National Cyber Security Centre (NCSC) claimed most implementations rarely offer “an objective measure” of an organisations’ defences and can “just end up wasting time and effort”.
It said phishing tests offer a metric to show improvement in one specific area - such metrics are “extremely difficult to come by in the security space” - but organisations need to look beyond the core results to glean any meaningful insights from tests.
Making general assumptions about an organisation’s skills at spotting potentially harmful email campaigns based on a company-wide test may not truly indicate employees’ cyber readiness.
“The risk of living or dying by this single metric is: what happens when you make the test emails more sophisticated, for example, to test spear phishing? This will do terrible things to your click rate,” said ‘Kate R’, sociotechnical security researcher at the NCSC in a new blog post.
“You can get any result you want by adjusting the emails you send out, which is hardly an objective measure of your defences. And if you are on the receiving end of a metric that shows a vast improvement, you should be asking some very probing questions about how the simulation was designed, because it is likely that the emails are just too obvious.”
According to the authority’s latest guidance, an effective phishing test will only be achieved if it is designed in a way to answer a very specific question.
An organisation may want to test if a specific department which previously scored poorly on phishing tests has improved over time, for example.
Designing phishing tests for a specific purpose, and communicating the thinking behind them to staff, may also have a positive impact on their reception, too.
Phishing tests are often bemoaned by employees across a company and in the very worst cases can elicit angry responses when designed insensitively. A report published earlier this year also revealed that IT staff have been found to be especially prone to failing them.
Cyber resiliency and end-user performance
Reduce risk and deliver greater business success with cyber-resilience capabilitiesFree Download
They do hold play an interesting role in an organisation's cyber security training programme, though. Phishing remains one of the most common forms of cyber attack that lead to a range of dangerous outcomes such as the installation of malware and ransomware, or an opportunity to steal data.
The importance of phishing tests is regularly questioned in the cyber security industry and even the NCSC said it’s unreasonable to expect staff to remain vigilant to malicious emails at all times, given the volume most people receive every day.
“Responding to emails and clicking on links is an integral part of work,” said ‘Kate R’. “Attempting to stop the habit of clicking is not only extremely difficult, but is it what you want?
“Asking users to stop and consider every email in depth isn't going to leave enough hours in the day to do work.”
Organisations have been advised to examine and implement the NCSC’s official guidance on preventing phishing attacks which focuses on a multi-layered approach.
The authority encourages organisations to adopt four layers of mitigation strategies which include implementations such as anti-spoofing controls to make it more difficult for attackers’ emails to reach end users.
The NCSC also advised against blaming users for failing phishing tests for a number of reasons. It doesn’t help anything and undermines the relationship between staff and IT, too.
Training can be both effective and agreeable, beneficial to both sides, the authority said. It recommended adopting more creative methods such as encouraging staff to create their own phishing emails.
It could provide a less domineering way of training staff over issuing tests that are designed to catch them out. Often when tests are failed, staff have to take time out of their day to complete mandatory training and this can cause some upset.
“Whatever you do, remember that no training technique will get your users to recognise every phish. It's also essential that you don't spend your entire budget on training when you need to invest in multiple layers of defence to build a solid defence against phishing.”
2022 State of the multi-cloud report
What are the biggest multi-cloud motivations for decision-makers, and what are the leading challengesFree Download
The Total Economic Impact™ of IBM robotic process automation
Cost savings and business benefits enabled by robotic process automationFree Download
Multi-cloud data integration for data leaders
A holistic data-fabric approach to multi-cloud integrationFree Download
MLOps and trustworthy AI for data leaders
A data fabric approach to MLOps and trustworthy AIFree Download