4 Essential Tips to Consider In Your Phishing Exercise Programme

A phishing exercise is used by information professionals to create mock phishing emails and/or webpages that are then sent to employees. These fake attacks help employees understand the different forms a phishing attack can take, identifying features, and to avoid clicking malicious links or leaking sensitive data in malicious forms.

Once executed within your organisation phishing exercises will become one of the most C-Suite talked about activities that the information security function delivers. Making sure the services are setup right is critical to their success.

Here are four essential tips you need to consider in your phishing exercise programme–

Pitch it as targeted training, nothing more - Phishing exercises should not be undertaken to catch staff out. If the campaign does not contain an element of point in time training that is tailored to that specific phishing exercise to help staff identify the ‘phishy’ elements, you will only annoy and undermine your information security efforts. The exercise should reward positive behaviours and support staff where they may not have spotted the phishy signs.

Inform the right people it’s happening in advance – When receiving the phishy email staff will rightly contact your IT service desk and request support. The service desk should be ready for the high volume of emails and calls. Automate responses where you can. Staff should be thanked for reporting the suspicious email and the ticket closed.

Be wary of metrics – Each campaign is unique in complexity, context and relatability to the recipient. Just because the results of last months exercise is better or worse than this months is no indicator of improvement or decline. Repeatedly being caught by campaigns may be an indicator of job function - opening speculative CV’s, actioning invoices for example.

Layer your security – Phishing exercises have their place in the information security toolkit. If they are the only metrics the leadership team sees, there is a danger they will get tunnel vision and over analyse the results and overreact. Ensure you report on the other layers of security and you have wider adequate information security reporting and KPI’s in place.

Questions your C-Suite should ask your CISO – Do we undertake phishing exercises? What other information security training do we give staff? What other information security aspects do we measure regularly?