Sign up to save your podcasts
Or
Share Do phishing tests do more harm than good? - Wolfgang Goerlich - ESW #376
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Do phishing tests do more harm than good? - Wolfgang Goerlich - ESW #376
A month ago, my friend Wolfgang Goerlich posted a hot take on LinkedIn that is less and less of a hot take these days.
He posted, "our industry needs to kill the phish test",and I knew we needed to have a chat, ideally captured here on the podcast.
I've been on the fence when it comes to phishing simulation, partly because I used to phish people as a penetration tester. It always succeeded, and always would succeed, as long as it's part of someone's job to open emails and read them. Did that make phishing simulation a Sisyphean task? Was there any value in making some of the employees more 'phishing resistant'?
And who is in charge of these simulations? Who looks at a fake end-of-quarter bonus email and says, "yeah, that's cool, send that out."
Segment Resources:
- Phishing in Organizations: Findings from a Large-Scale and Long-Term Study
- The GoDaddy Phishing Awareness Test
- The Chicago Tribune - How a Phishing Awareness Test Went Very Wrong
- University of California Santa Cruz - This uni thought it would be a good idea to do a phishing test with a fake Ebola scare
Show Notes: https://securityweekly.com/esw-376
View all episodes
By A month ago, my friend Wolfgang Goerlich posted a hot take on LinkedIn that is less and less of a hot take these days.
He posted, "our industry needs to kill the phish test",and I knew we needed to have a chat, ideally captured here on the podcast.
I've been on the fence when it comes to phishing simulation, partly because I used to phish people as a penetration tester. It always succeeded, and always would succeed, as long as it's part of someone's job to open emails and read them. Did that make phishing simulation a Sisyphean task? Was there any value in making some of the employees more 'phishing resistant'?
And who is in charge of these simulations? Who looks at a fake end-of-quarter bonus email and says, "yeah, that's cool, send that out."
Segment Resources:
- Phishing in Organizations: Findings from a Large-Scale and Long-Term Study
- The GoDaddy Phishing Awareness Test
- The Chicago Tribune - How a Phishing Awareness Test Went Very Wrong
- University of California Santa Cruz - This uni thought it would be a good idea to do a phishing test with a fake Ebola scare
Show Notes: https://securityweekly.com/esw-376