"NCSC: Businesses Are Too Often 'Seduced' by the Attractive Lure of Phishing Tests"

The UK's cybersecurity authority is warning businesses not to be enticed by the allure of administering phishing tests to employees. The National Cyber Security Centre (NCSC), which is part of GCHQ, claimed that most implementations of phishing tests rarely provide "an objective measure" of an organization's defenses and can end up wasting time and effort. According to the NCSC, phishing tests provide a metric that shows improvement in one specific area, which is difficult to come by in the security space, but organizations must look beyond the headline results to gain any meaningful insight from them. Making broad assumptions about a company's ability to detect potentially harmful email campaigns based on a single company-wide test may not accurately reflect employees' cyber readiness.

The authority's most recent guidance states that a phishing test will only be effective if it is designed to answer a very specific question. For example, an organization may want to determine whether a specific department that previously scored poorly on phishing tests has improved. Designing phishing tests for a specific purpose and communicating the reasoning behind them to staff may also improve how they are received. Employees across a company often complain about phishing tests, which, in the worst cases, can elicit angry responses when designed insensitively. A report released earlier this year also revealed that IT staff are particularly prone to failing them.

Phishing tests nonetheless play an interesting role in a company's cybersecurity training program. Phishing is still one of the most common types of cyberattack and can lead to a range of dangerous outcomes, such as the installation of malware and the theft of data. Even so, the cybersecurity industry often questions the value of phishing tests. The NCSC has stated that it is unreasonable to expect staff to be vigilant to malicious emails at all times, given the volume of email most people receive daily.

The authority instead encourages businesses to implement four layers of mitigation strategies, including anti-spoofing controls, to make it more difficult for malicious emails to reach end users. This article continues to discuss the debate surrounding the importance of phishing tests.

ITPro reports "NCSC: Businesses Are Too Often 'Seduced' by the Attractive Lure of Phishing Tests"

Submitted by Anonymous on