What’s your personal opinion on phishing tests — should cyber professionals rethink this as a method for security awareness training, or is it a necessary practice?

1k views, 11 comments
CISO in Government, 8 months ago

I am going to be a little bit controversial and say that they are less important than they used to be five years ago. And just to be clear, we do them every month and it is mandated by government policy in my state in Australia. 

I also actually taught phishing resilience and designing simulations to over 5000 students globally and ran a global education & awareness program with simulations as a core part of it. I am a big believer in end user education. But - simulations are just one aspect of a multi-layered strategy and you shouldn't invest all your eggs in it.

This is especially relevant given the increase in sophistication and BEC in particular. I think investing in advanced phishing prevention solutions provides priority protection - so if someone held me down and said - you can choose only one control, I would choose an AI based advanced phishing protection technology over education simulation tools.

I don't want it to sound like an advertisement (it isn't - just seriously impressed): we implemented Abnormal Security last year and in 6 weeks it exceeded ROI. This is because our government department deals with a lot of immature organisations and the public. These targets can be easily breached, and the threat actors simply sit and wait for that lucrative invoice to be sent to us. Of course, we have people-based validation processes in place before payments are made but people can make mistakes in this process too.

So now I consider simulations as a complementary but not primary tool. My prediction for the future is that simulations will either disappear or become super-charged with AI. To be more effective they need to provide better real time feedback (just-in-time training) directly integrated into email platforms, similar to what dev tools are starting to do now (e.g. as developers code, providing real time feedback on better coding practices).

Lightbulbs: 2
CISO in Finance (non-banking), a year ago

Phishing tests remain an effective tool for educating users about email risks. To maximize their value, it's crucial that employees understand why they failed and know what to watch for in future emails. We always follow up with a detailed email to help them improve.

Lightbulbs: 1
Vice President - Enterprise Platforms & Cybersecurity in Energy and Utilities, a year ago

I think phishing tests are a necessary part of business now. While it may not stop users from clicking on real phishing emails, it allows my team to identify high risk employees that we will watch more closely when there is suspected malicious behavior.
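
The per-user tracking described in this comment (and the follow-up feedback the earlier reply recommends) can be done from the export most simulation platforms produce. The script below is an added example, not code from the original discussion or from any vendor: it folds constructed per-campaign rows into per-user totals, flags repeat clickers only once they have enough data points, and builds the follow-up queue. The CSV columns, thresholds and addresses are assumptions.

```python
"""Aggregate phishing-simulation results per employee to find repeat clickers.

Added example (not from the original discussion). The CSV rows below are
constructed sample data; real platforms export similar fields (campaign id,
recipient, whether the link was clicked, whether the mail was reported).
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample export: one row per recipient per simulation campaign.
SAMPLE_EXPORT = """campaign,sent_at,user,clicked,reported
2024-Q1,2024-01-15,alice@example.com,0,1
2024-Q1,2024-01-15,bob@example.com,1,0
2024-Q1,2024-01-15,carol@example.com,0,0
2024-Q2,2024-04-10,alice@example.com,0,1
2024-Q2,2024-04-10,bob@example.com,1,0
2024-Q2,2024-04-10,carol@example.com,1,0
2024-Q3,2024-07-08,alice@example.com,0,0
2024-Q3,2024-07-08,bob@example.com,1,0
2024-Q3,2024-07-08,carol@example.com,0,1
"""


@dataclass
class UserStats:
    campaigns: int = 0
    clicks: int = 0
    reports: int = 0

    @property
    def click_rate(self) -> float:
        return self.clicks / self.campaigns if self.campaigns else 0.0

    @property
    def report_rate(self) -> float:
        return self.reports / self.campaigns if self.campaigns else 0.0


def aggregate(csv_text: str) -> dict:
    """Fold per-campaign rows into per-user totals."""
    stats = defaultdict(UserStats)
    for row in csv.DictReader(io.StringIO(csv_text)):
        s = stats[row["user"]]
        s.campaigns += 1
        s.clicks += int(row["clicked"])
        s.reports += int(row["reported"])
    return dict(stats)


def high_risk_users(stats: dict, min_campaigns: int = 2, click_threshold: float = 0.5) -> list:
    """Users who clicked in at least click_threshold of their campaigns.

    min_campaigns avoids flagging someone on a single data point: a one-off
    click is a training opportunity, a pattern across campaigns is what
    justifies closer monitoring and targeted follow-up.
    """
    return sorted(
        u for u, s in stats.items()
        if s.campaigns >= min_campaigns and s.click_rate >= click_threshold
    )


def org_click_rate(stats: dict) -> float:
    """Organisation-wide click rate, the number benchmark reports quote."""
    total = sum(s.campaigns for s in stats.values())
    clicks = sum(s.clicks for s in stats.values())
    return clicks / total if total else 0.0


def feedback_queue(stats: dict) -> list:
    """(user, message) pairs for the follow-up mail; reporters get thanked too."""
    queue = []
    for u, s in sorted(stats.items()):
        if s.clicks:
            queue.append((u, f"clicked in {s.clicks} of {s.campaigns} simulations; review the warning signs"))
        elif s.reports:
            queue.append((u, f"reported {s.reports} of {s.campaigns} simulations; thank you"))
    return queue


if __name__ == "__main__":
    stats = aggregate(SAMPLE_EXPORT)
    print(f"org click rate: {org_click_rate(stats):.0%}")
    print("high risk:", high_risk_users(stats))
    for user, msg in feedback_queue(stats):
        print(user, "->", msg)
```

Run on the sample data, only the user who clicked in every campaign is flagged; the user with a single click in three campaigns stays below the threshold and simply receives the follow-up message, while the consistent reporter gets positive feedback. Tune `min_campaigns` and `click_threshold` to the cadence of your own programme.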

Senior Information Security Manager in Software, a year ago

If planned and done well, phishing tests can have a lot of value.

If poorly planned, they can ruin employee morale. GoDaddy is the poster child for that one.


https://www.businessinsider.com/godaddy-disguised-a-phishing-email-test-as-holiday-bonus-announcement-2020-12

Global Chief Cybersecurity Strategist & CISO in Healthcare and Biotech, a year ago

Depends if you are doing them just to "click the box" that you are doing them or if you have that as part of an active program to help educate users, etc. FYI - according to a report by KnowBe4 (2023), organizations that conduct regular phishing simulations see a reduction in susceptibility to phishing attacks. Their data shows that the average click rate on phishing emails drops by 20-30% after implementing ongoing training and testing. Both KnowBe4 and Proofpoint do benchmark reports that you can reference. KnowBe4 Resources. Proofpoint Resources.

Lightbulbs: 1
