Are Phishing Simulations a Replacement For Training? No.

Sending a simulated phishing attack is now more accessible than ever thanks to a recent update from Microsoft and the various other free offerings, and many organizations have been pushing them out for years.

Be it once a year, once a quarter, or once a month, these simulated phishing attacks both create awareness for your users and provide valuable feedback to an organization’s security team. However, can simulations on their own be a replacement for training? No. Nein. Non. Nah.

The Unscientific Results

[Image: PhishLabs Twitter poll on security awareness training]

Twitter may not provide scientific, peer-reviewed results; however, with a diverse and expansive userbase, it does enable us to gain some quick insights into how security awareness training is conducted across numerous industries. The results above come from a week-long poll that was completed by more than 1800 users, and the outcomes are quite clear. Many users simply do not have training in place to combat phishing attacks (46%), or they only get simulated phish in place of training (23%).

These results are alarming because phishing attacks result in 95 percent of data breaches, with countless dollars and private consumer data being stolen along the way. Fortunately, a total of 31 percent of poll takers have some form of security awareness training in place, but that still leaves an excessive amount of unnecessary risk in play. The reason we didn’t group phishing simulations in with those being trained is that a simulation is only one small piece of the culture of security necessary to prevent breaches from occurring.

Phishing simulations are a tool or tactic, something that should be part of a larger strategy that is tied to specific organizational goals; on their own they will not benefit the company. Sure, this may be considered the bare minimum and could potentially check off a compliance box, but the risk isn’t worth it.

What Phishing Simulations Do

Does all of this mean that a phishing simulation isn’t a useful tool? Of course not! Simulations are fantastic for a lot of reasons, especially if they can mimic or mirror real-world threats that have targeted an organization in the past. Additionally, phishing simulations provide the following:

  • Expose users to email threats (attacks)
  • Provide immediate pass/fail feedback
  • Temporarily increase reported suspicious emails
  • Provide general data on susceptibility
  • The joy of occasionally terrorizing your staff

What Phishing Simulations Don’t Do

When building anything, be it a house or Ikea furniture, you have instructions or a plan. A single tool will help you get the job done, but without instructions you will not only create an unstable and risky mess; ultimately, it’s just a waste of time. The same goes for phishing simulations. You can send as many of them to your team and users as you want, but what value are they gaining from only reporting or clicking on them? Are they getting feedback beyond a pass or fail? Are they being encouraged to report more suspicious emails? Most importantly, are they being taught how to actually spot them? I think you’ve got the hint.

At the end of the day, phishing simulations are nothing more than a tool. They are a necessary element in reducing organizational risk, but without a connected strategy, education, or goals, they are a wasted effort.

A Larger Solution

How can your organization better protect against cyber threats? A strong security awareness training program is the ideal solution. Over the coming weeks we will continue with our series that highlights the pros and cons of the various training programs that organizations put in place.

*** This is a Security Bloggers Network syndicated blog from The PhishLabs Blog authored by Elliot Volkman. Read the original post at: