A Canadian training company is accepting reservations for its third annual opportunity for firms to find out how effective their employees’ phishing detection is – or isn’t.
The free Gone Phishing Tournament, run by Laval, Que.-based Terranova Security and co-sponsored by Microsoft, takes place over five days.
Held to coincide with Cybersecurity Awareness Month in October, it tests how the click rates of employees – who don’t know they’ve been registered – compare to those of organizations with similar characteristics, including vertical or industry, size, and geographical location.
Any registered organization around the world can enter. After registering, an organization will receive instructions on how to bulk upload its user list directly into the tournament environment.
Staff receive several phishing messages and are quietly graded on their ability to spot tell-tale clues and report suspicious messages, or their willingness to click on what would be a malicious link and fill in possibly damaging personal or corporate information on a fake website.
There is no limit to the number of users an organization can submit. To ensure benchmarking data that are representative of an organization’s click rate reality, a minimum of 25 per cent of a firm’s global employee base is required to participate in the tournament.
The data collected is assembled into a global report to be released later this year with results reported by geography, while participant organizations get a customized report that compares their employees’ performance to those in similar industries.
Last year’s global report found approximately 20 per cent of participants clicked on phishing email links, disappointingly up from 11 per cent in 2019, and 13 per cent submitted passwords on the tournament’s phishing web pages.
This is especially disturbing because most participating firms already had a phishing simulation program in place.
The comparative results are a key output of the tournament, Theo Zafirakos, Terranova Security’s CISO, said in an interview.
“Some participants may already have a [awareness] program in place and phishing simulations but they don’t know how effective it is. Other organizations may not have anything in place and are looking for justification to fund and get management commitment to implement a program.”
It takes both security awareness training and testing for employees to adopt new behavior, Zafirakos said. “Organizations that have a formal program in place have employees with a stronger security culture compared to those who don’t have anything in place.”
“Employers have a responsibility to provide awareness training,” he added. “We give employees access to applications, to systems, digital information, but we don’t always inform them of the risks associated with that. We have the expectation of them to use technological and advanced assets without them being informed of the potential threats they may face.”
Organizations fail in their awareness training by trying to do too much at once, Zafirakos said. Training has to be spread out over time. Another failure is that the material is too technical. Instructors should give staff practical advice on what to do when they face a decision. For example, it’s not enough to say, ‘Don’t click on suspicious links.’ Tell staff what a suspicious link looks like.
Finally, he said, staff shouldn’t fear being punished if they make a mistake.