Many companies use simulated phishing tests to train employees on how to identify phishing emails. These tests involve sending employees emails that look like real phishing attempts, and then seeing if they click on malicious links or attachments. However, a growing chorus of voices, including a Google security manager, argue that these tests are outdated and may be doing more harm than good.
Why Simulated Phishing Tests Might Be Failing
There are several reasons why simulated phishing tests might be ineffective:
- They create a negative perception of security. Employees who are constantly bombarded with fake phishing emails can become annoyed and distrustful of the security team. This can make them less likely to cooperate with real security initiatives.
- They don’t accurately reflect real-world phishing attacks. Simulated phishing tests often have to bypass a company’s existing security defenses to work. This means that they may not teach employees how to spot the kinds of phishing emails they are most likely to see in their inboxes.
- They don’t guarantee improved security outcomes. Studies have shown that simulated phishing tests do not necessarily lead to a decrease in the number of successful phishing attacks.
A Better Way to Train Employees
Instead of simulated phishing tests, companies should consider using more transparent and informative training methods. This could include:
- Sending out emails that clearly identify themselves as phishing simulations. These emails can still teach employees how to spot the hallmarks of phishing attempts, without the negativity associated with being tricked.
- Providing employees with resources for learning more about phishing. This could include articles, videos, or online courses.
- Encouraging employees to report suspicious emails to the IT security team. This helps the security team stay up-to-date on the latest phishing tactics.
The Final Takeaway
The goal of cybersecurity training is to empower employees to protect themselves and the company from cyberattacks. Simulated phishing tests can be a stressful and ineffective way to achieve this goal. By adopting more transparent and informative training methods, companies can create a more security-aware workforce without resorting to deception.