
MYTH: Phishing Tests Should Only Be Performed Annually

Here we go again – this is the third in our series of posts for National Cyber Security Awareness Month (NCSAM).  During the month, we are looking to dispel cyber security related myths that we hear all too frequently.

Phishing tests are a great part of any organization’s information security program, and in many regulated industries, annual phishing tests are a requirement. However, in today’s world, annual phishing tests are not enough to keep the user or your organization safe. In fact, BakerHostetler’s 2016 Data Security Incident Response Report indicates that for the first time ever, the hacking, malware, and phishing category is the leading cause of data breaches. Let’s take a look below at some information and questions that phishing testing can help your organization answer.

Phishing Test

Phishing tests will generally involve simulating an external attacker attempting to get your organization’s employees to divulge some sort of private information such as computer password information, company payment information, or information about your organization’s clients. Many times, phishing tests will also try to manipulate your employees into downloading a malicious email attachment and/or visiting a malicious website. If the attacker is successful and the employee installs malicious software, the attacker may be able to remotely control the employee’s workstation and use that machine to further gain access into your organization’s internal network. By implementing a successful phishing testing program, on at least a quarterly basis, your organization should be able to answer the following questions:

  • What is our organization’s overall risk associated with a phishing attack?
  • As an organization, is our risk associated with phishing attacks trending in the appropriate direction?
  • Do the same employees continue to fail the tests and put the organization at risk?
  • Is our current phishing training effective? Is it being delivered frequently enough?
  • Do our employees know how to identify a phishing attempt?

If your organization isn’t currently performing any type of phishing tests or you aren’t sure how your organization would answer the questions above, reach out to Rebyc Security today to find out how we can build a customized phishing security program just for you!