Many organizations are now starting to do internal employee phishing assessments to determine how vulnerable their team is to targeted phishing attacks. This is because phishing is one of the primary ways that ransomware makes its way into corporate networks - through emails targeted at employees who click on links or attachments. Your IT Security team can assess your organization's vulnerability in this area by simulating attack emails, but with harmless links or attachments that can provide feedback to IT Security.
But when your IT Security team undertakes an employee phishing assessment initiative, there are many subtle decisions that must be made that can have in impact not only on the validity of the results, but on employee morale and trust. So, I'm creating a list of dangerous pitfalls to be avoided when implementing an employee phishing assessment program. Not fully considering the employees' responses to these emails is probably the easiest landmine to step on, which can cause serious employee backlash, and put the program in jeopardy. Here's the problem and the solution.
Are Phishing Assessments Really a Thing?
By now, you've probably heard that some organizations are using simulated phishing attacks on their employees. Is this a smart thing to do, or is it just the security team trying to scare people?
Filling up employees' inboxes with even more malicious email may just sound cruel. But there's a very good reason for doing this.