Should phishing tests be changing for the remote workforce?

"Phishing tests don't teach anybody anything.  They teach the organisation to ignore things."

Ahead of teissR3 | Resilience, Response and Recovery Online Summit 2020, Vicki Gavin, The Cyber Coach at The Cyber Rescue Alliance, talks to Sooraj Shah about the failings of phishing tests.

teissR3, taking place 15th - 24th September 2020, is the leading event focusing on how you improve your organisation’s cyber resiliency and adopt best-practice in incident response and crisis management in a post-COVID-19 world. Register your place by clicking here.

Video transcript

So with phishing tests and the like, are these changing at all for the remote workforce?

Phishing tests should have changed years ago. So many organisations use phishing tests as a way to educate their staff. Phishing tests are not instructional. They don't teach anybody anything.

They are absolutely fantastic for an organisation to be able to demonstrate that they're doing something to test how well prepared their workforce are. But the only thing that anyone is going to learn from a phishing test is how good their information security team is at writing phishing emails. Could they have a job as a phisherman?

The other thing they do is, they teach the organisation to ignore things. Oh, there's another one from the security team. Ah, I'm going to get them. I'm going to respond to this one.