Organizations are working to limit the effectiveness of phishing attacks using both internal and external collateral and programs. According to ISACA, the important thing is to have something in place.
Making employees aware of phishing scams, the latest tactics, and how social engineering can be used is a burden put on IT on top of everything else they’re responsible for. According to ISACA’s Phishing Defense and Governance report, it’s a task organizations take seriously:
- 71% of organizations use some form of employee training program for security awareness and anti-phishing
- 85% of enterprise organizations measure and report on the program effectiveness
But phishing simulations aren’t getting the same focus. According to the report, only 57% of organizations use phishing simulations to test whether users are paying attention to both the training provided and the emails they interact with. With cybercriminals’ social engineering tactics constantly improving, it’s critical for organizations to have this feedback loop in place to understand where their employee risk exists.
Phishing simulations present users with real-world (but harmless) phishing attacks, where their engagement with such emails is tracked, allowing organizations to report on which employees have not “learned their lesson.” It’s a vital part of the security strategy designed to allow users to act as part of the organization’s defense.
In the report, ISACA recommends the following to reduce the risk of successful phishing attacks:
- Build in validation of phishing awareness campaigns – have measures in place to correlate user engagement and the performance of training efforts.
- Evaluate the existing outsourcing or co-sourcing relationships – 38% of organizations develop materials internally. Consider leveraging an external partner with expertise in both security awareness training and phishing simulation.
- Set clear goals for improvement and track them – simple blocking and tackling around reducing user engagement with phishing emails; test, measure, improve.
- Establish or improve the governance structures in use for reporting and measurement – just as you want to see users improve the organization’s security stance, be mindful that the processes, procedures, materials, and mechanisms used to train and test users should improve over time as well.
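The validation and goal-tracking recommendations above come down to joining simulation outcomes with training records and reporting on the result. The following is an added example, not code from the ISACA report or from any simulation product: it assumes a constructed per-user record schema (`SimEvent`), two constructed campaigns, and a constructed set of users who completed training, and from those it reports click and report rates by department and by training status, lists repeat clickers as the residual-risk population, and measures progress against a click-rate reduction goal.

```python
"""Measuring a phishing-simulation campaign against training records.

Constructed, self-contained example: the record schema, the two campaigns
and the training-completion set are all made up for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class SimEvent:
    """One user's outcome in one simulation campaign (constructed schema)."""
    user: str
    dept: str
    clicked: bool   # followed the simulated lure
    reported: bool  # used the report-phish mechanism


# Constructed sample data: users who completed training, and two campaigns.
TRAINING_COMPLETED = {"alice", "bob", "dana", "erin"}

CAMPAIGN_1 = [
    SimEvent("alice", "finance", clicked=False, reported=True),
    SimEvent("bob",   "finance", clicked=True,  reported=False),
    SimEvent("carol", "finance", clicked=True,  reported=False),
    SimEvent("dana",  "eng",     clicked=False, reported=True),
    SimEvent("erin",  "eng",     clicked=False, reported=False),
    SimEvent("frank", "eng",     clicked=True,  reported=False),
]
CAMPAIGN_2 = [
    SimEvent("alice", "finance", clicked=False, reported=True),
    SimEvent("bob",   "finance", clicked=True,  reported=False),
    SimEvent("carol", "finance", clicked=False, reported=True),
    SimEvent("dana",  "eng",     clicked=False, reported=True),
    SimEvent("erin",  "eng",     clicked=False, reported=True),
    SimEvent("frank", "eng",     clicked=True,  reported=False),
]


def rates(events: Iterable[SimEvent]) -> dict:
    """Delivered count plus click and report rates for a set of outcomes."""
    events = list(events)
    n = len(events)
    if n == 0:  # an empty cohort must not divide by zero
        return {"delivered": 0, "click_rate": 0.0, "report_rate": 0.0}
    clicks = sum(e.clicked for e in events)
    reports = sum(e.reported for e in events)
    return {"delivered": n, "click_rate": clicks / n, "report_rate": reports / n}


def rates_by(events: Iterable[SimEvent], key: Callable[[SimEvent], str]) -> dict:
    """Break rates down by an arbitrary grouping, e.g. department."""
    groups = defaultdict(list)
    for e in events:
        groups[key(e)].append(e)
    return {g: rates(es) for g, es in sorted(groups.items())}


def training_effect(events: Iterable[SimEvent], trained: set) -> dict:
    """Correlate simulation outcomes with training completion."""
    events = list(events)
    return {
        "trained": rates(e for e in events if e.user in trained),
        "untrained": rates(e for e in events if e.user not in trained),
    }


def repeat_clickers(campaigns: list, threshold: int = 2) -> set:
    """Users who clicked in at least `threshold` campaigns: the residual-risk list."""
    counts = defaultdict(int)
    for campaign in campaigns:
        for e in campaign:
            if e.clicked:
                counts[e.user] += 1
    return {u for u, c in counts.items() if c >= threshold}


def click_rate_reduction(baseline: list, current: list) -> float:
    """Fractional drop in click rate from a baseline campaign to the current one."""
    base = rates(baseline)["click_rate"]
    if base == 0:
        return 0.0
    return (base - rates(current)["click_rate"]) / base


if __name__ == "__main__":
    print("campaign 1 overall:", rates(CAMPAIGN_1))
    print("by department:", rates_by(CAMPAIGN_1, lambda e: e.dept))
    print("training effect:", training_effect(CAMPAIGN_1, TRAINING_COMPLETED))
    print("repeat clickers:", repeat_clickers([CAMPAIGN_1, CAMPAIGN_2]))
    print("click-rate reduction vs baseline:",
          round(click_rate_reduction(CAMPAIGN_1, CAMPAIGN_2), 3))
```

The report rate matters as much as the click rate: a user who neither clicks nor reports has not yet become part of the defense, and the trained-versus-untrained split is the simplest check that training spend is actually moving the numbers.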