
Stop using phishing as a measure of your cyber awareness culture

Tony Gee 12 Jul 2022

If I had a penny for every time someone said to me “let’s measure our security culture by phishing our staff” I’d probably be able to fill my car up. 

It’s a really easy thing to do: you carry out some online training, and typically the training platform comes with phishing simulations as a free or low-cost add-on. On the face of it that sounds great: train staff to spot phishing emails and they will be much better prepared to take up the mantle of defending your organisation. It sounds like the perfect solution. There’s a problem though: it’s not.

Let me explain

The training is fine. Online training these days is much better than it was. The advice it provides, the convenience of being able to train an almost unlimited number of staff at the same time, and the metrics it generates for the all-important audit commitment are all perfect.

But now your supply chain, clients, and senior staff all want more than just a tick box exercise. Breaches still happen in companies that have training. So how do you actually measure your staff’s cyber culture? Enter the phishing test. Send some simulations and those that fail to spot the phish get more training and hopefully they pass next time and your numbers of failures go down.

Now you have stats that show the training is working… only it isn’t. All you are doing is training your staff to spot simulated phishing attacks. As a client once told me, one of their IT admins worked out how to spot the phishing from the technical data and simply wrote a script to report it. That clearly doesn’t mean that person is better placed to prevent a real phishing attack.

This is not demonstrating a cyber aware culture.  

What about setting good passwords? What about stopping vishing or smishing attacks? What about preventing physical attacks, detecting fraud, or highlighting potentially high-risk practices? None of those are measured with simulated phishing.

So how do we effectively measure our security culture?  

Doing it right

There are many ways you can gain strong statistics that show your culture of security awareness is changing. The most effective method is to carry out a Cyber Human Baseline and culture mapping exercise from our partners Cybermaniacs. Run this before, during and after your campaign to understand how your baseline of cyber awareness changes throughout your organisation over time.  

Some other options to consider are: 

  • Track ‘report a phish’ notifications – an increase suggests a more culturally aware staff 
  • Log suspected security incidents and track these – again an increase is typically a positive sign, even if the incidents turn out to be a false positive
  • Run monthly optional ‘lunch and learn’ sessions on loosely related cyber themes (such as IoT security, personal privacy, etc.), then track the number of attendees – more each month suggests a more engaged staff 
  • Implement a cyber champion scheme, hold regular meetings, ask your ‘on the ground’ champions to report back on sentiment. 
  • Audit your password strength – record how your password strength improves over time 
  • Track completions of your automated online cyber training platform 
  • Provide rewards for reporting breaches – an increase in rewards suggests an increase in culture.

This is just a small list; there are many other ways you can measure cyber culture, each unique to your organisation.

One thing that is clear, though, is that phishing is a terrible metric for measuring cyber culture.

If you want to discuss more about improving your cyber culture reach out to us or get me direct on Twitter @_tonygee_.