Treat your organization’s brand as a valuable asset. If you don’t are you risking damage to your brand reputation when doing phishing tests?
Some IT teams feel employee backlash is acceptable.
But, it can easily get out of hand.
We’re seeing more stories of unfair phishing tests, and tests that deceive employees enough to drive them to take unexpected and damaging actions.
This is not contributing to a healthy security culture for those organizations.
Just because attackers will stop at nothing to trick employees, does not mean your organization itself should do this.
Not only can these unreasonable tests create a negative reputation for your business, it can create real costs too.
Photo by Richard Dykes on Unsplash
“The challenges were so quick I was able to do them in the time it took me to sip an espresso.” – IT Security Manager
Some costs that could be associated with poorly designed live phishing tests include:
- Employee backlash causing poor morale
- Employee complaints to HR that disrupt productivity in multiple teams
- Uncontrolled and unauthorized publication of internal processes
- Potential legal liabilities from impersonated organizations (e.g. IRS, Facebook, etc.)
We need to realize that our organizations will never reduce phishing or social engineering incidents to zero. Attackers will always find new ways to trick people.
What else can we do to effectively reduce phishing risks?
- Teach employees how to analyze inquiries for clues, not just “be suspicious”
- Provide opportunities for employees to practice on a frequent basis
- Make the experience of awareness training and practice inclusive and positive
Building a stronger security culture will do more to ultimately protect our organization’s brand reputation than attacking them in new ways. Imitating the most deceptive methods used by attackers in live phishing tests can only end badly for the organization’s reputation.
Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.