Phishing Tests: Are We Doing This Right?


Posted on by Kathleen Moriarty

Phishing tests are a common cybersecurity practice, but do they truly prepare employees for real-world threats? In some cases, these tests can inadvertently create a false sense of security or even undermine existing security controls.

The Problem with Current Phishing Tests

  • Bypassing Security Controls: Many phishing tests deliver their messages through an internal mail relay (or an allowlisted sending service) instead of through the organization's inbound gateway. As a result, the SPF, DKIM and DMARC evaluation and the domain-based fraud detection that would block a message spoofing an internal or partner sender never run against the test. A real attacker spoofing that same sender would be stopped, so the test measures users against a threat the controls already handle, and it can leave users assuming that anything reaching the inbox has already been vetted.
  • Undermining User Trust: Because the test enters through the internal relay, it does not receive the external-sender warning that the gateway attaches to genuine outside mail, even when the message impersonates an outside party. Users see a convincing phish with no warning, which teaches them to discount that indicator and makes them less likely to trust genuine warnings in the future.
  • Creating a False Sense of Security: Some tests use unrealistic scenarios, such as a message framed as a reply to a thread the user never started. Users learn to treat any email with such odd characteristics as "just a test" rather than as a possible attack.
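
To make the relay bypass concrete, the script below is an added example written for this page (it is not code from the original post): it evaluates DMARC the way a receiving gateway does, from the RFC 5322 From domain and the SPF and DKIM results recorded in an RFC 8601 Authentication-Results header, with relaxed alignment by default and strict alignment as an option. The three messages are constructed samples, and the organizational-domain helper is a deliberate simplification (last two labels) rather than a Public Suffix List lookup. The third sample is the relay-injected test case: it carries no Authentication-Results header at all, so the verdict is "none", not a pass, because nothing ever checked it.

```python
"""Added example: a minimal DMARC alignment check over Authentication-Results.

Example code for this page, not from the original post. The sample messages
are constructed; simplifications are marked as such in comments.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, Tuple

# Constructed sample 1: external phish spoofing bank.example. SPF and DKIM both
# pass, but for the attacker's own domain, so neither aligns with the From.
EXTERNAL_PHISH = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bounce@attacker.test; dkim=pass header.d=attacker.test
From: "Your Bank" <alerts@bank.example>
To: user@example.com
Subject: Account locked

Click here to unlock.
"""

# Constructed sample 2: legitimate mail using a subdomain bounce address. It
# aligns with example.com under relaxed alignment but not under strict.
LEGIT_SUBDOMAIN = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bounce@mail.example.com; dkim=none
From: hr@example.com
To: user@example.com
Subject: Benefits enrollment

Real message.
"""

# Constructed sample 3: phishing-test message injected via an internal relay.
# The inbound gateway never saw it, so there is no Authentication-Results
# header and SPF/DKIM/DMARC were never evaluated. This is the bypass.
INTERNAL_TEST = """\
Received: from phishtest.internal (10.0.0.5) by mx-internal.example.com
From: "HR Department" <hr@example.com>
To: user@example.com
Subject: Updated benefits enrollment

Please log in here.
"""


def parse_auth_results(header: str) -> Dict[str, Tuple[str, Dict[str, str]]]:
    """Parse an RFC 8601 Authentication-Results value into
    {method: (result, {property: value})}. The first clause is the authserv-id."""
    out: Dict[str, Tuple[str, Dict[str, str]]] = {}
    clauses = [c.strip() for c in header.split(";")][1:]
    for clause in clauses:
        if not clause:
            continue
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.partition("=")[::2] for t in tokens[1:] if "=" in t)
        out[method.lower()] = (result.lower(), props)
    return out


def org_domain(domain: str) -> str:
    """Organizational domain. Simplification (assumption): the last two labels.
    Real DMARC implementations consult the Public Suffix List instead."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_of(identifier: str) -> str:
    """smtp.mailfrom may be a full address; header.d is already a bare domain."""
    return identifier.rpartition("@")[2].lower()


def aligned(from_domain: str, auth_domain: str, strict: bool) -> bool:
    """DMARC identifier alignment: exact match (strict) or same org domain (relaxed)."""
    if not auth_domain:
        return False
    if strict:
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_verdict(raw_message: str, strict: bool = False) -> Tuple[str, str]:
    """Return (verdict, reason). Verdicts: 'pass', 'fail', or 'none' when the
    gateway never evaluated the message (the internal-relay case)."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    if not from_domain:
        return "fail", "no RFC5322.From domain"
    ar = msg.get("Authentication-Results")
    if ar is None:
        return "none", "no Authentication-Results: SPF/DKIM/DMARC never evaluated"
    results = parse_auth_results(ar)
    spf_result, spf_props = results.get("spf", ("none", {}))
    dkim_result, dkim_props = results.get("dkim", ("none", {}))
    if spf_result == "pass" and aligned(
        from_domain, domain_of(spf_props.get("smtp.mailfrom", "")), strict
    ):
        return "pass", "aligned SPF pass"
    if dkim_result == "pass" and aligned(
        from_domain, domain_of(dkim_props.get("header.d", "")), strict
    ):
        return "pass", "aligned DKIM pass"
    return "fail", f"no aligned SPF or DKIM pass for {from_domain}"


if __name__ == "__main__":
    samples = [
        ("external phish", EXTERNAL_PHISH),
        ("legit subdomain", LEGIT_SUBDOMAIN),
        ("internal test", INTERNAL_TEST),
    ]
    for name, sample in samples:
        relaxed = dmarc_verdict(sample)[0]
        strict_v = dmarc_verdict(sample, strict=True)[0]
        print(f"{name:16} relaxed={relaxed:5} strict={strict_v}")
```

The useful check for a practitioner is the "none" case: if a phishing-test message lands in a mailbox with no Authentication-Results header from your own gateway, the test measured the user and not the mail pipeline, and a policy of p=reject on the spoofed domain would have stopped the same message from an outside attacker.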

A Better Approach

Instead of relying heavily on potentially misleading phishing tests, organizations should prioritize proactive security measures:

  • Invest in Secure Infrastructure: Use email clients, servers, and mail applications with built-in security controls (sender authentication, link and attachment inspection, external-sender tagging) so that attacks fail before a user has to make a judgment call.
  • Implement Phishing-Resistant Authentication: Adopt phishing-resistant multi-factor authentication (MFA), such as FIDO2/WebAuthn authenticators, which bind the credential to the legitimate site's origin. A password or code entered on a look-alike page then cannot be replayed, which limits the impact of a phishing message that does get through.

The Cost of Phishing Tests

The cost of implementing and maintaining a robust phishing testing program can be significant. This includes the cost of the testing software, supporting infrastructure to bypass security controls, the time spent creating and deploying tests, and the potential disruption to employee productivity. By investing in proactive security measures, organizations can reduce the need for phishing tests while simultaneously enhancing their overall security posture.

A Personal Anecdote

I once received a phishing test that claimed I had won an award for my book. While flattering, it wasted my time investigating the award and notifying my publisher about a potential scam. This experience highlighted the potential for phishing tests to be counterproductive and time-consuming.

Conclusion

It's time to re-evaluate our approach to email and application security. By focusing on proactive security measures, Built-in at Scale (BiaS), organizations can better protect themselves from real-world threats while minimizing the potential for disruption. There are security controls integrated by design into some email platforms that reduce the opportunity for attacks to be successful and also reduce the distributed security burden placed on organizations.


Contributors
Kathleen Moriarty

Technology Strategist, Board Advisor, and Consultant,

Human Element Identity

Tags: phishing, access control, application security, authentication

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
