Why Some Security Leaders Think It’s Time to Rethink Phishing Simulations
Phishing simulations are a hot topic in the world of cybersecurity. These practice exercises are designed to help employees recognize fake emails and prevent cyber attacks. But there’s growing debate about whether these simulations are truly effective. Let’s explore what security experts and some companies are saying about them.
Too Many Tests, Not Enough Impact?
For many companies, running phishing simulations has become a routine task. Imagine having to take a test every couple of weeks. That’s what employees at some companies face with these phishing tests. The goal is to keep everyone alert and prepared for real phishing threats.
However, some experts argue that these frequent tests are more like routine chores than tools that genuinely help employees improve their skills in identifying phishing attempts. A key criticism is that once employees figure out the patterns in these fake emails, the tests lose their effectiveness.
Are The Tests Realistic?
Phishing simulations can sometimes feel like practicing a fire drill without the actual threat of fire. If the tests aren’t closely mimicking real-world threats, they might not be as useful as intended. Security leaders are concerned that unrealistic simulations fail to prepare employees for actual phishing attacks.
Furthermore, when employees fail these tests, often nothing significant happens. Without real consequences, there might not be enough motivation for employees to improve their phishing detection skills.
Do They Help Reduce Cyber Attacks?
There’s also a debate on whether phishing simulations genuinely help lower the risk of real cyber attacks. Some experts, like Mike Britton from Abnormal Security, believe that these exercises are done more for compliance reasons, rather than true security improvements.
Others, like Mark Stamford from OccamSec, find them to be a “waste of time” if they don’t directly address real-world risks. They argue that efforts should focus on proactive strategies to combat phishing.
Why Are Companies Sticking With Phishing Simulations?
Despite criticism, many companies continue with these tests. One primary reason is compliance with cyber insurance requirements. J Stephen Kowski from SlashNext notes that this obligation is a significant factor in why companies persist with these simulations—even if they aren’t perfect.
Additionally, Brian Miller from Ivoryware suggests that running these tests can still reveal which employees need extra help in improving their phishing detection skills. This information can be crucial for tailoring more effective training and support.
Conclusion: Phishing Simulations — Useful or Outdated?
While phishing simulations have their shortcomings, they still have a place in the cybersecurity toolkit. Even though they are not foolproof, these exercises can help identify employees who are more susceptible to phishing attacks, allowing for targeted training and support. It’s clear that the conversation around phishing simulations is evolving, and businesses must consider how to balance frequency, realism, and practicality—while keeping an eye on actual risks and compliance requirements.
To learn more about the ongoing discussion and expert opinions on phishing simulations, you can explore the full article here.