A month ago, my friend Wolfgang Goerlich posted a hot take on LinkedIn that is less and less of a hot take these days.
He posted, ["our industry needs to kill the phish test"]( / jwgoerlich_infosec-cyb... I knew we needed to have a chat, ideally captured here on the podcast.
I've been on the fence when it comes to phishing simulation, partly because I used to phish people as a penetration tester. It always succeeded, and always would succeed, as long as it's part of someone's job to open emails and read them. Did that make phishing simulation a Sisyphean task? Was there any value in making some of the employees more 'phishing resistant'?
And who is in charge of these simulations? Who looks at a fake end-of-quarter bonus email and says, "yeah, that's cool, send that out."
Segment Resources:
- Phishing in Organizations: Findings from a Large-Scale and Long-Term Study: arxiv.org/pdf/...
- The GoDaddy Phishing Awareness Test: cymulate.com/b...
- The Chicago Tribune - How a Phishing Awareness Test Went Very Wrong: www.bankinfose...
- University of California Santa Cruz - This uni thought it would be a good idea to do a phishing test with a fake Ebola scare: www.theregiste...
Visit www.securitywe... for all the latest episodes!
Show Notes: securityweekly...