Podcast transcript: Are phishing tests a waste of time?

Podcast transcript: Are phishing tests a waste of time?

This automatically-generated transcript is taken from the IT Pro Podcast episode ‘Are phishing tests a waste of time?. We apologise for any errors.

Adam Shepherd

Hello, I'm Adam Shepherd,

Rory Bathgate

And I'm Rory Bathgate

Adam

And you're listening to the IT Pro Podcast. This week, we're going phishing.

Rory

Cybersecurity is a constant battleground for businesses of all sizes. But despite the fact that it's one of the oldest attack methods on record, phishing is still among the most consistently successful techniques in the hacker arsenal. Many countermeasures have been deployed to try and curb the effectiveness of phishing attacks, from email filtering, and firewalls, to multifactor authentication. And simulated phishing tests conducted on employees is one of the more popular methods.

Adam

This isn't always popular, though. And there have been multiple examples of employers drawing the ire of staff through tactless or ill judged phishing tests. Joining us this week to discuss the value of phishing simulations, what companies get wrong about them, and how security teams can implement them better is Paul Watts, distinguished analyst for the Information Security Forum. Paul, it's a pleasure to have you with us.

Paul Watts

Pleasure to be here, Adam. Thanks for having me.

Adam

So, Paul, phishing tests are one of those things that seem to crop up again and again, both in best practices and in horror stories. And it seems like phishing tests go wrong, in some ways, more often than they go right. So why is it that everyone seems to hate phishing tests?

Paul

Well, I suppose the pertinent question is, is everybody hate phishing more than they hate phishing tests. And I think what it comes down to is, look, you know, the world of business and commerce is, is getting quicker, it's not getting slower. But people don't have time to stop and consider. Phishing is something that's been around for a long, long time, I think, you know, most big, big incidents that I come across, phishing is somewhere in the middle of it, somewhere being implicated. It plays on a fundamental nuance, which is people will be people. People don't like to be caught out either. So you know, to your introduction, you know, being caught out by a legitimate phish, you call yourself a victim, being caught out by a phish that is part of an exercise, you call yourself a very different victim and you take umbrage at the company that's actually trying to do the right thing by you, but has maybe gone about it the wrong way. And I think what that comes down to Adam is, it has to be part of a bigger programme of security awareness and actually part of culture, the culture of the organisation, to build and foster that, that that security awareness within everybody who works there.

Rory

Part of this building up of a culture, what kind of ethical considerations do you think organisations are tending to include when they're designing phishing tests? Last year, we had the example of West Midlands train line, quite a public example of them sending out an email, promising employees a bonus for all their hard work over the pandemic, which turned out to be a phishing test. And this caused quite a lot of condemnation. I know the TSA spoke out on it, TSSA, sorry. And employees were weren't best pleased to have been tricked with the promise of a bonus. So do you think consultations with employees should be going on? Are they going on?

Paul

Well, I mean, it's, it's an interesting question. And I do recall the story. And, you know, I'd be lying if I said, I, I haven't been implicated in a couple of phishing exercises that might be maybe cut it a little bit close. But you know, you've got to have a sense of emotional intelligence, you've got to understand how your business is thinking and feeling. You know, and there are some areas where you, you probably shouldn't venture. But what I would say is this, phishing plays on, you know, the significance of social engineering to threat actors. And unfortunately, social engineering plays on basic raw human emotions. You know, if we're in the times of austerity, and people are counting the pennies, and you know, we're very much in that place now. What's the threat actor going to do? It's going to dangle a carrot, you've just got a tax rebate from HMRC, you're just about to be awarded the bonus. Now, if anything is going to lower somebody's guard, it's going to be something like that, that plays on basic human emotions. So it's the perfect prescription for an effective test of the employee's ability to detect a scam email or a phish. But you do have to balance that with a little bit of emotional intelligence as well. So you know, timing is absolutely everything but threat actors don't think like that. So you know, it's it's swings and roundabouts, which is a bit of a flippant thing to say, but yeah, read the room I think is the thing you take away from that.

Adam

Yeah, cause I think think, you know, there is certainly an argument to say, well, you know, the people carrying out these attacks aren't gonna, you know, be sensitive or play by the rules or, you know, be be tactful about their attacks. And so we should kind of when we're running these simulations, we should adopt the same kind of mindset. But that does kind of, particularly in cases where phishing tests are kind of using bonuses or some kind of financial incentive as a as a hook to get that click, I think there's possibly an argument for balancing that by saying, like, Okay, everyone who got caught by that as a kind of consolation prize, if you like, you know, maybe there's, I don't know, a small value gift card, let's say, as an apology, almost for having that, that kind of arguably tactless, kind of dangling of a bonus.

Paul

I think to be honest with you, a lot of employees might just take that as a bit of a slap in the face. You know, as a security leaders will know, sometimes you're damned if you do and you're damned if you don't. So, I think actually, the best approach is, you can't do you can't do phishing simulation exercises in isolation. It's the point I made earlier, but what I would actually be doing is be starting with those conversations with the business to say, look, the the cold hard fact here is that people who are out to get a rise out of you are going to play with your emotions, they're going to use things that are close to your heart. You know, when we were all in lockdown, we were all using couriers more and more than we ever had before. So you know, injecting those phishing emails to say, Oh, you've got a parcel waiting for you at the Post Office. It's just, it's just easy to catch people out. And just prime people for the fact that, you know, sometimes you're going to get these emails that are going to play on your sensitivities, and just get them ready and situationally aware, then you can test that resolve through simulation exercises and using similar MOs to those of your threat actors. But I do come back to, you do need to win the hearts and minds of your workforce as well. So you need to choose your scenarios just a little bit carefully and a little bit considerately. But I stress the point and it's important to make your workforce aware of this; threat actors do not care about you. They want your credentials, they want your money, they want your access, and they want what you know, they will stop at nothing to get that. This is a multi million dollar crime environment that we're working in. And it's easy pickings. It's not going away anytime soon. So you know we have a duty of care to educate, but we have a duty of care to educate empathetically and sympathetically.

Rory

On that note of really educating employees with basic awareness of phishing emails. A recent F-Secure study into 80,000 professionals in different business sectors revealed that IT staff are just as if not more likely to fail internal phishing exercises at work. Maybe a surprising statistic, what do you think is the cause for this?

Paul

It's not surprising at all. It comes it comes back to exactly what I said before. If you push the right buttons in the right order, anybody can fall for this, even IT people and you know, I've run I've run cross organisational exercises before. And IT have been up there, depending on the attack. I mean, I'll share an example of a bit of a pivot from from that one, Rory, but one of my most favourite phishing campaigns or simulation exercises we did was we wrote to all of the senior leaders to say, your Avios miles are going to expire in the next few days. It was an absolute frenzy. The PAs were mustering to, you know, login and spew their details into this because God forbid, you're going to you're going to take an exec's airmiles or airline privilege away from them, just comes back to exactly what I said, you know, you press the right buttons in the right order, and people will lower their shields and they will fall for it. And this is why it's so important to build a culture of situational awareness. And I'll give you a parallel like I was talking about this in the office a few days ago actually. So from a very, very young age we are we are given you know, moral, social and ethical cues about how to stay safe in a physical world. You know, don't talk to strangers, don't go out at night, yada yada yada. We don't do that in a digital world. So the current workforce is playing catch up a little bit. You know, it's like that metaphor of taking your eight year old daughter and throwing them through the doors of an East End pub and not thinking that's going to end badly, you know, we haven't made those translations. So at a very early age, that situational awareness of the dangers of the digital world, are just not just not baked in. So there is something that needs that needs to happen much more earlier in, in the education of our children. That doesn't help the current problem. But it's interesting that we don't, we don't take the time to stop and evaluate a situation that we find ourselves in. It's like the old adage, if it sounds too good to be true or not true, then there's probably something to look at that. And that's when the training should kick in. Look at the characteristics of the email, you know, is the language right? Is the grammar right? Are they addressing you by name, although, you know, phishing campaign actors are getting quite clever. Now they're blending, you know, more personal information to add a degree of authenticity. But if it's a rudimentary, very basic phishing attack, it should be relatively easy for somebody who's had a modicum of training to know and spot the clue that something's not quite right. And it's at that point, you pick up the phone to the security team, or you press the button on your on your email that says, I think this is a phish or a spam, and you let your support teams help you understand whether that's right, or whether that's wrong. So a bit of a long answer there. But it's a really interesting point, that.

Rory

No, not at all. Not at all. And you think that IT teams maybe have, they're more vulnerable, because they think that they are better equipped to deal with phishing emails.

Adam

Overconfidence, perhaps.

Rory

Yes.

Paul

Well, again, it comes it comes down to you know, the crime tenets: means, motive and opportunity. So you know, if IT people, if you're on the outside looking in, you're trying to penetrate an organisation. So let's say that we are a, you know, we're looking for an initial access into an organisation, targeting the IT team could be an obvious choice, because it's likely that they have a high degree of privilege, they have the ability to move laterally around the estate, so why would you not target them, you then come back to, and again, I'm making sweeping generalisations here, what are the sorts of things that IT people are into, maybe they like a bit of sci fi, you know, maybe they like a free ticket to Comic Con, maybe they'd like this, maybe they'd like that. So you can craft those campaigns, and target them. And I guess, actually, we should take a step back here and think about the characteristics of certain phishing attacks. So you have the widespread what I call spray and pray attacks, which are generally quite easy to spot and flush out, then you have you have attacks that are slightly more narrow banded, where a bit of research has gone in, you know, as I said earlier, there might be blending a bit of personal information that they've been able to, to acquire, to have the authenticity, and then you go all the way to the you're a targeted a targeted victim, you've been heavily researched. And that's your spear. Now, depending on each one of those, depends on or in some way go to how little or how much effort is being put into these emails, to make them as authentic as possible. All of these things, when you when you bring them back, and you look at them for what they are, there are a number of characteristics that you can spot and all you want your employees to do is just spot that one thing that's like, I don't think this is quite right, I'm going to call this out. But But yeah, I mean, you know, IT people are just like, you know, senior leaders, or finance people, or, or contractors. You know, everybody has a very specific value proposition to a threat actor, and you'll go after them in the way that you need to to get them to respond to you. Remember, you can send out 100,000 phishing emails, you only need a couple of those to come back and you've made your money back and then some,` you know, it's easy money, depending on the motives and what you're trying to get out of the attack, of course.

Adam

So, Paul, you've mentioned a couple of times that phishing tests need to be part of a wider security strategy and part of a wider kind of security awareness and education kind of roadmap. At what point should an organisation look at carrying out phishing tests, if that's something that they that they want to do? Is it something that kind of comes fairly early on in the process? Is it kind of something that organisations should approach maybe slightly later? Or do you even bookend the process with phishing tests as a kind of, you know, progress measurement tool?

Paul

It's a really interesting question. I mean, if you if you deconstruct what a what a security culture programme would look like, you'll first of all really need to understand the baseline. You know, where does the organisation stand right now, you know, are people, has the organisation historically taken a bit of a stick approach to it, now this is annual manual training, you know, do it or you'll be kept in after class on your or are they starting to have those progressive conversations with the business already? Understanding what the key messages are that you want to convey and you know, if I was to pick something out of the air, you want everybody to realise that security is everybody's responsibility. It's not the problem of the CSO. It's not the problem of the security or the IT teams. It is literally everybody's responsibility, that's quite important. You need to take the fear, you need to celebrate failure as well as success. And this is this is where actually a good intercedes for CISOs security leaders to be having with their board is near miss reporting. You know, it's easy to talk about the number of incidents, but more valuable is talking about the times you nearly got caught and celebrating that. And building on that, and that culture that actually, you know, the right thing to do to be celebrated is to call out when you think something's happened, or you responded to something that you perhaps shouldn't have done, or you're in any way uncertain. To know that you can do that without fear of reprisals, or recriminations or punitive actions is absolutely critical, you can then start to think about what are the most specific threats to your organisation right now, and then focus on those conversationally, phishing is always going to be up there. So the time to do phishing campaigns and phishing education, I mean, I would be picking that up as a core topic. But testing the resolve of your staff is something that you need to do, once you've had those prerequisite conversations, and you've kind of primed that audience. If you don't do that, then there's cries of entrapment, you know, and that's when you're driving the relationship in the wrong direction. And the last thing you want is an adversarial relationship between security teams and the employees, you want this to be collaborative. And on that actually, worth mentioning now, I see a lot of benefits. Some organisations have got great value from gamifying this, actually, you know, make it a little bit fun. But equally, what you've got to do is get it right. Because if you do this too much, or make it too fun, you can desensitise so people then actually aren't taking it seriously as well. So there is a real balance to be had here, in terms of when you get this right. So I think it just in short, in answer to your question, I think it's, it's it's one of those that you would do as a priority, but not without a foundational level set of what the expectations are of the organisation and that, that the start of that conversation about situational awareness; I think that's fundamentally important to any campaign.

Adam

Yeah, because one of the big issues with phishing tests, and one of the things that I think tends to annoy a lot of the workforce, is when it feels like phishing tests are a kind of gotcha moment, you know, and that the IT team is kind of trying to catch them out which in in some ways, you know, they they can be, but it shouldn't feel like 'Aha, you rube, you fell for it' kind of moment. It should be a learning experience. And it's hard to have that if the organisation isn't aware that this is a possibility.

Paul

Yeah, it's a good, it's a good call, actually, and the size of the organisation and the topology can play a part. So if you're in an SME with maybe 60 employees, and everybody knows each other, and you've got that, that that camaraderie that you don't necessarily get in a big multinational, then you can have a bit of fun with it, because you can, you can see across the organisation, and you can read the room and see how people are reacting in real time. If you do that 'aha gotcha', and it's a 40,000 strong, 45 country organisation, humour, sentiment, language and mood does not necessarily translate that well across international boundaries. And that's when you're probably getting yourself in into trouble. Some organisations have got around that actually, by using security champions. So you know, regional advocates for security, and regionalizing, their, their campaigns and their simulation exercises, so that you can have a local focal point for people to respond and feed back. So yeah, you know, the company size and dynamic and the politics of the company can play a part as to what can work and what doesn't work, if that makes sense.

Rory

So we've talked a lot about what not to do with a phishing test, maybe how not to upset employees, and the kind of things that companies should be aiming for. But what makes a really successful phishing test?

Paul

Good, that's again, a very, very good question. And without naming any of the vendors, you know, the big mail protection companies are really, you know, really in this space. A really good phishing exercise can come from really understanding the types of mail and the types of conversations that that business are having. And, and, yeah, what you're starting to find now is, is a number of vendors who are playing in this space, leveraging telemetry, of mail throughput, the characteristics of mails that people are receiving, and they're using that to craft very, very specific and relevant examples of phishing campaigns that really resonate with the types of emails that people genuinely generally get within the organisation. But also doing that in a closed loop way. So as you run those campaigns, you're also able to measure the efficacy, the click back rate, you know, the intercept, the intervention rates, and then use that information in a subsequent campaign to just tighten it up. So you can then have those broad spectrum attacks where you're where you're, you're looking to test the entire organisation. And then you can focus very specially crafted attacks in particular departments like finance, for example, have to deal with, you know, wiretap fraud and CEO fraud, business email compromise type frauds all the time. So you can focus and customise the training. I mean, it's come on a hell of a long way from, you know, the days when I was first doing it, where you just had a bit of a one trick pony, and everybody got the same email, and that customization and that targeting and then that closed loop reporting and analytics makes it a really, really powerful proposition. So I think the output from one test needs to input into the next test and vice versa. What I would also say is that you share the output, desensitised and anonymized, you share that with the business. So you can all learn together, that's really, really important. I think those are the component parts of a really good campaign. But it all has to be brought together by this is plugging into a bigger agenda of culture and awareness of the fact that we're trying to support our our organization to stay safe and secure, really. So I mean, that, you know, there are other examples, but you know, that would be a good start. The other one, actually, while I think about it is, depending on the depending on the characteristics of the email, what you can do with some of these, these phishing simulation platforms is if somebody interacts or clicks on a link, as you can signpost them to very specific, you know, like a 30-second vox or video that just gives them some immediate feedback, that can be quite useful sometimes. But I have seen it be quite counterintuitive. So seniors don't like being distracted. If they're kept trying to rapid fire, clear their inbox in the morning, get caught out, and then have to go and watch a 30-second video can drive the wrong response. But I'd argue that actually it's important that they hear there and then you just got caught out. It was that simple. This is what you could have done differently. And they just need to suck it up, you know, and you need, you need a senior leadership team that are prepared to support you. Because there's always going to be a dissenter, who's not going to like your approach and you need them to support you, to say this is damn important for our organisation's longevity, and security. So, you know, we're all in this together, make it a collective learning journey you can all enjoy.

Adam

So on the subject of click throughs, then, and in relation to taking everyone on that journey. What should security teams be shooting for in terms of click through rates? Is the ideal scenario, a phishing campaign where the click through rates are zero? And nobody's, you know, nobody's getting caught out? Or is it a campaign where actually the majority of the organisation is, is getting caught out in order to use that as a kind of demonstrating tool? Or is it kind of somewhere in the middle?

Paul

It's a really interesting question. I've come I've come across it a few times, actually. It's hard to put an explicit number on that would be a benchmark for any organisation.

Adam

Of course.

Paul

Obviously, the panacea is to is to have no click back. But I think that's an unachievable target. If I'm if I'm brutally honest with you, and you know, we, we practice defence in depth in order that we have the countermeasures in, in the event that you know, something does slip through the net, and you have to expect and anticipate that; you're never going to reach panacea. I think if you're starting, if you're very early on in your campaign, your first phishing simulation exercises are almost going to set a baseline. And it's not unusual to see an average click back rate of 15, 20, sometimes 25%. And you will see spikes. So you will see standout teams that are hitting a 40% click back rate, you have to recognise as well, that percentages can be awkward. So in a team of three, only one person's gotta let you down, that's 25% right there, but you can have, you know, 10,000 people in 100,000 strong, that's just 10. So you have to watch the statistics. Once you've got that baseline, then your ambition is to start to manage that number down. But but manage that number down in a controlled way, you know, don't say right in in 12 months, we're gonna go from 20, 25 to 5%. Is that realistic? I don't know. But once you can start to establish a trend and see how that number is trending down, then you can start to set aspirational targets. The short answer is yes, you want it as low as possible. Zero is unachievable. But too high, you know you you need something to aim for that that's that's realistic otherwise people just get disheartened, don't they? But one of the things I'd say as well with phishing, one of the one of the downsides of simulation exercises is it's impossible to keep up with the threat actors, you know, they are changing their their attacks, methodologies on a on a daily basis. So your, your 15% click back rate today might be the 50% click back right tomorrow. And it doesn't mean that anybody's attitudes or approaches are different. It just means the threat actors have raised their game, and you've got atocourse correc, and you've got to match pitch really, really quickly. So, you know, I wouldn't get overly hung up on those targets. But it is good to have something to measure to just to track your performance. And as I said, celebrate those successes and those failures as an organisation. I think that's that's really important. Have that transparency.

Adam

So let's talk for a second about the emails themselves that are used in phishing tests. Because I feel like there's often a trend with kind of business and enterprise phishing simulations, to use the fact that, obviously, because it's being conducted internally by the business, there is a lot of information that can be drawn on to create those, a lot of internal context. But I would argue that in some cases, that is not the most, the most prevalent phishing threats the employees are going to be facing. And for a lot of the organisation, it's going to be the, as you termed it, the spray and pray attacks that are maybe less targeted, but a lot more numerous. Would you would you say that kind of over crafting your phishing simulations can kind of risk those kind of less sophisticated ones almost flying under the radar?

Paul

I guess the answer is it depends on the organisation. So if you were in a particular sector or vertical market, where you had a nation state target painted on your back, the chances are that the the craft, the tradecraft that would be used to create those potential spears or phishes would be very heavily researched, and would probably have a semblance of, of organisational context. So in those cases, you know, those, those more crafted phishing exercises would be hugely relevant. I think when you're thinking more broadly about general phishing, and the thing that I always try and do when I'm doing culture change in organisations is, is try and give it the personal touch. So sometimes it's good to walk away from the corporate agenda, and just talk about people. So if I, if I, if I think about, you know, an organisation and I think about the people who work in an organisation, when they're at home, what sort of emails, phishing emails, are they getting on their personal email accounts? You know, it's going to be the, you know, the, the one from the mail company, it's going to be the one from the famous retailer, it's going to be the one from the, from the government, you know, all those things that are pushing their, their buttons. If you see those coming through on your corporate accounts, two things to think about. One is, yep, spray and pray, that should be relatively easy. But two, it comes back to that point I made earlier on, which is, from a social engineering perspective, just give yourself the opportunity to stop and pause and reflect and say, why would that retailer be mailing me at work? I have at no time, at no point, had any relationship with that retailer in my work life. So there's immediately, your spidey senses should be triggered there. So I think your point is well made. And I think depending on the circumstances in the threat landscape for your particular organisation, you might want to go quite heavily crafted. But I wouldn't, I wouldn't shy away from the kind of the broad banded spray and pray style ones that should be relatively easy. And what you're trying to get out of your employees is to just kind of stop, you know, they just need that one little spidey sense that goes, t`hat's not how my name is spelled. Or normally, when I get an email from that auction site, they refer to me by my name, now they're just saying dear customer. And as most phishing training will tell you, you know, if it's depersonalised, that's generally a cue, and a clue that something might be amiss. So I think just in short, you need a bit of a blend, depending on who you are. Yeah, really signifies where you will go with specialist, you know, attacks. I think more relevant is specialist attacks on particular groups within the organisation to be honest with you, and that that's where you have to think about supply chain attacks using phishing as a leverage and so on and so forth. You need a balanced mix of all, public and private.

Rory

So you've talked about, on some level, the response that an individual team running a fishing test should have after the test is over. If I can dub it as such, you sort of talked about a holistic response, how tests should be crafted for the individual set, the individual teams within an organisation, but the results should be quite open, quite transparent so that everyone can can learn from the experience. And I guess more generally, following on from that, you've just finished a phishing test. What's your next move? What What immediate action should a team take after the results have come in?

Paul

Depending on the granularity of the data, you get back, there's a couple of things that you're looking for. I think you're looking for deviations from the previous time you ran it, you know, any particular trends in an upward or downward direction, I think that's quite important. Depending on how granular the data is going, you can go looking for the repeat offenders, this is where it starts to get a little bit sensitive, because you're then kind of giving up the, wll, we know when Joe Bloggs has failed or passed a phishing exercise. And we will use that that information to help them on their learning journey. And I use those words very carefully, because it has to be helping them on their learning journey. I've heard stories, horrible stories of organisations where they will say, right, this is strike one of three, if you get strike three, then it's a performance management issue. If you get strike five, and we're talking about, you know, dismissals, that's that's a terrible way to use it. But, you know, I think you do need to be looking for those spikes, looking for those trends. And equally, the characteristic of the of the simulation that you just ran may be some clues. So if the people in your organisation are more vulnerable to phishing emails that look like they're coming from the finance sector, or from the banks or from, you know, the regulator or from the state, then you can, you can iterate your training and give very specific examples about, you know, a bank will never ask you for your pin number ever, ever. So if you get an email, ask you the PIN number, never never, you know, so you can start to kind of shape and, and give more pointed advice dependent on what the campaign is telling you. And as I said earlier, you know, you should, you should be feeding the output of those exercises as the input into into the next one, I think the injector that comes in from the side, as I said earlier, you know, threat actors are very agile, and they change their game very regularly, as well, you need to be thinking about that as well. So, you know, we go through a, we go through a phase when people are just after, you know, carding, they just want people to put their pan numbers in and the expiry date and their CV. But we went through a phase quite recently, where we were back to, you know, heavy duty high velocity credential theft, where it was, we'll just stick up a, you know, a spoof login page to to a popular, you know, social networking site just to just to capture people's credentials, which we can then, you know, take to the dark web and sell on or do things like so. So that, you know, the, the motives and the aspirations of threat actors do change from time to time, and that will have a bearing and a relevance on on your style and approach of phishing exercises that you do on an ongoing basis.

Rory

And it's taking that data and then using that to inform the next test and just progressively tests better each time.

Paul

Yeah, it's, I don't think it's particularly useful to take each test in isolation, because you know, done the right way, you're, you're you're trying to use phishing simulation exercises as a way to measure the progressive change in awareness and culture within the organisation. And you'll blend it with other other forms of testing, you know, it's, you know, you might, you might do some red team testing, you might test the physical perimeter of your organisation, you might do USB drop tests, where physical media is dropped in proximity of the organisation to see whether they appear and get mounted in devices in the organisation. But all of these tests need to come together to paint a picture as to how situationally aware and savvy an organisation is over time, in conjunction with inherent risk profiles, current threat landscape and anything else, all these all these variables that keep changing, that's why it has to be an ongoing conversation and not something that you just do to tick a box and drive a number down from A to B, that's not changing the culture of a company, I talk a lot about something I call the illusion of compliance. All right, so if an organisation is doing phishing exercises, just to tick a box to be able to demonstrate to a regulator or an ISO auditor, that they're doing something to train their staff; that's not going to help you a jot, you know, and that that is illusionary so being able to tell your board that you do eight phishing exercises a year and you and you share the results with blah, blah, doesn't mean doesn't mean anything. If it's not part of a bigger picture, and I think we may have said that already, but we didn't talk about the don't use this to tick a compliance box. You're you're you're it's a fallacy. You're just cheating yourself.

Rory

So In a way, buying into software or tools that also can assist in phishing tests without a clear strategy, and without a clear plan is a bit like buying the most expensive camera to be the best photographer, you need that intent or that strategy behind it.

Paul

Yeah, I think you're bang on; exactly that. If you can go and buy the best, you know, phishing simulation platform in the world, but it has to be part of something much bigger, it alone doesn't cure or solve your problem. And that's, that's, that's significant. It's like things like, you know, buying a buying a product that will give you zero trust. Of course, we know that's absolute BS, but an organisation thinking, Well, I can tick that box and say, I'm a zero trust organisation, because I've just gotten bought that piece of software that says it delivers it, you've got to see the bigger picture. You know, it's, it's not something that you, it's not a problem that you can fix by just buying a piece of software. That's the bottom line.

Adam

Yeah, you can't buy security in a can.

Paul

No, no, it's just not a thing. That's, that's, that's, that's an important, and we used to talk about this, a lot on the, the, the IT Pro Panels, you know, when you, when you're looking at security holistically, you have to be applying people, process and technology controls, if you were ignorant of any one of those three, you are leaving bullet holes in your resolve. And an even if it means that you've still ticked all the regulatory boxes, and you can have your like, lovely ISO 27,001 certificate, you can put in the lobby, and everybody's happy about it, you know, deep down as a CISO, you've missed something quite significant. And it's only a matter of time before someone comes in, then it's a really difficult conversation where they say, Well, Paul, you spent $250,000 on this phishing simulation exercise, yet, we got sucker punch with a phish and our intellectual property got stolen out of the development environment, I'm just gonna, well, case closed Your Honour, because then has not alone solve the problem. And neither should you ever say it will. And funnily enough, this is, this is where a lot of CISOs are getting quite agitated at the moment. I'm seeing this more and more on social as well. I don't know if you're seeing it through IT Pro, but CISOs are getting a little bit tired of snake oil. You know Gartner, Gartner'll drop a buzzword like zero trust - this isn't a dig at Gartner, by the way, I actually quite like Gartner. You know, they'll drop a buzzword, bullshit bingo, they'll drop something like zero trust, and then everybody will scram to that going our product will give you zero trust. And then they try and sell that to the execs because they know they can't sell snake oil to the security leaders. And then the executive say, Well, I think we should just go and buy that, and it's just just causes more problems than it than it solves. It has to be a holistic, has to be done holistically. If only I could just buy a product that fixed security. Well, I'll be out of a job. So maybe not.

Adam

Well, on that note, I think we are sadly going to have to wrap up this week's show. I'm sure we could talk about this all day. But I'm afraid we are out of time. However, I would like to thank Paul Watts from the Information Security Forum for taking the time to join us.

Paul

Thanks very much. Great, great to chat; really interesting topic.

Rory

You can find links to all of the topics we've spoken about today in the shownotes and even more on our website at itpro.co.uk.

Adam

You can also follow us on social media as well as subscribe to our daily newsletter.

Rory

Don't forget to subscribe to the IT Pro Podcast wherever you find podcasts. And if you're enjoying the show, leave us a rating and a review.

Adam

We'll be back next week with more insight from the world of IT but until then, goodbye.

ITPro

ITPro is a global business technology website providing the latest news, analysis, and business insight for IT decision-makers. Whether it's cyber security, cloud computing, IT infrastructure, or business strategy, we aim to equip leaders with the data they need to make informed IT investments.

For regular updates delivered to your inbox and social feeds, be sure to sign up to our daily newsletter and follow on us LinkedIn and Twitter.