Simulated Phishing and Awareness Services – What’s next?
Thursday 2nd November, 2023
Our simulated phishing and awareness training services have proven to be valuable to our customers in not only identifying vulnerabilities within their organisations but also in fortifying their overall cyber security postures.
To date, our cyber security team have carried out over 500 simulations, sending a total of 1.5 million emails and helping customers, across several verticals, track how their employees engage with these simulated threats so they can gain insights into the overall level of awareness and susceptibility of their workforce to phishing attacks. This, followed by regular awareness initiatives, has helped reduce the risks associated with these email-based attacks.
Interesting simulated phishing facts and figures relating to opens, clicks and compromises
With 512 simulated phishing campaigns completed to date, 22% were opened and weblinks clicked, of which 9% shared information to our mock-up phishing websites. For our attachment-based simulations, we found that 7% opened and subsequently downloaded the file.
Need to know more about phishing? Why not take a look at our recent article ‘What is Phishing? A Quick-fire Guide’…
Top 5 security weaknesses identified as a result of simulated phishing
Despite tracking a reduction in users being compromised, many organisations have fed back to our teams saying that they were still not happy with their users continually being vulnerable to phishing emails and have asked for further recommendations to help secure their environments.
In order to do this, we analysed the results over the course of running this service since 2018 and have summarised the most common weaknesses which contribute to making an organisation an attractive phishing target:
1. Poorly defined (or no) security incident response plan and no out-of-hours threat monitoring
The efficacy of an organisation’s incident response procedures can be assessed during phishing simulations. This includes how quickly and effectively reported phishing incidents are responded to, and also highlights whether or not an organisation’s user base is aware of the steps to follow to even report a security incident.
Over the past six months, many of our customers have requested simulations to be conducted out of hours to highlight the growing need for, and to help justify investment in, better security controls that operate 24×7 such as a SOC service that provides round the clock threat monitoring, detection, response and protection. This is one of the hottest topics with our customers due to the exposure when staff have gone home.
2. Poorly configured email security
DMARC, DKIM and SPF are mail authentication and security protocols used to protect against email spoofing, phishing, and spam. They work together to help verify the authenticity of email messages and ensure that they are not forged or tampered with. We have routinely observed that these records are either absent or poorly configured on many mail domains, both those whose addresses have been abused to send phishing and those whose users have been successfully phished.
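As an added illustration of what "poorly configured" means in practice (this is example code, not part of the original article or any KHIPU tooling), the following script assesses SPF and DMARC TXT records for the weak settings a simulation typically uncovers: an SPF record ending in `+all`, a DMARC policy of `p=none`, no aggregate-report address, and so on. The two domains and their records are constructed samples; a live check would fetch the domain's TXT and `_dmarc.<domain>` TXT records from DNS instead.

```python
import re

# Constructed sample TXT records for two hypothetical domains (not real DNS data).
SAMPLE_RECORDS = {
    "weak.example": {"spf": "v=spf1 include:_spf.mail.example +all",
                     "dmarc": "v=DMARC1; p=none;"},
    "hardened.example": {"spf": "v=spf1 include:_spf.mail.example -all",
                         "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example; adkim=s; aspf=s"},
}
STRICT = ("quarantine", "reject")
# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP = re.compile(r"^[+\-~?]?(include|a|mx|exists|ptr)(:|$)|^redirect=", re.I)

def assess_spf(record):
    """Return human-readable findings for an SPF record; [] means no weakness found."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["SPF record missing or malformed"]
    findings, terms = [], record.split()
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("SPF has no 'all' term: unlisted senders get a neutral result")
    else:
        qual = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qual in "+?":
            findings.append(f"SPF ends in '{qual}all': any host may send as this domain")
        elif qual == "~":
            findings.append("SPF ends in '~all' (softfail); move to '-all' once reporting confirms senders")
    if sum(1 for t in terms if LOOKUP.match(t)) > 10:
        findings.append("SPF needs more than 10 DNS lookups: receivers return permerror")
    return findings

def assess_dmarc(record):
    """Return findings for a DMARC record; [] means an enforcing policy with reporting in place."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return ["DMARC record missing or malformed"]
    tags = {k.strip().lower(): v.strip() for k, v in
            (part.split("=", 1) for part in record.split(";") if "=" in part)}
    findings, policy = [], tags.get("p", "").lower()
    if policy not in STRICT:
        findings.append(f"DMARC p={policy or 'missing'}: spoofed mail is delivered, at best reported")
    if tags.get("sp", policy).lower() not in STRICT:
        findings.append("DMARC subdomain policy (sp) is not quarantine/reject")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: aggregate reports are never received")
    return findings

def assess_domain(name, records=SAMPLE_RECORDS):
    """Combine SPF and DMARC findings for one domain from the record table."""
    recs = records.get(name, {})
    return assess_spf(recs.get("spf")) + assess_dmarc(recs.get("dmarc"))
```

Running `assess_domain("weak.example")` lists the `+all` and `p=none` problems, while `assess_domain("hardened.example")` returns an empty list; DKIM is deliberately not covered here, since checking it requires fetching a selector-specific key record rather than a single policy.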
3. Weak password practices and lack of MFA
Phishing simulations can expose weak password practices among users, and the absence of MFA makes password compromise significantly easier. Even today, we have identified that many organisations have not implemented MFA across their mission critical systems including those users with elevated access privileges.
4. Insufficient and inconsistent staff awareness programs, lack of updates on new threats
Generic awareness training on cyber security, whilst valuable in helping to protect against phishing attacks, is not enough on its own. It is also important to assess where users are failing after each phishing simulation so that you can curate training that addresses the deficits identified.
We found that customers who were new to simulated phishing and focussed training, when compared to those who had already completed a series of simulations, exhibited significantly higher opens, clicks and compromises, demonstrating that curated awareness is effective. We also identified that many organisations were not proactively keeping their staff up to date on the latest threats and other methods of identity fraud that use email, text and phone to steal personal or business-sensitive information, such as smishing, vishing and quishing (one of the newer attack vectors). Regular awareness, training and updates are key to fostering a culture of vigilance and responsibility among employees.
5. Poor (or no) endpoint security
Phishing simulations can reveal if network devices lack up-to-date security software and patches, making them more susceptible to malware infections. We have found this to be most common across organisations who are running legacy mission critical applications that are unable to function on ‘safe’ patched operating systems.
So, you’ve completed a simulated phishing campaign – what’s next?
Whilst simulated phishing campaigns are highly effective in highlighting areas for improvement, their completion is just the beginning of the journey. Armed with these findings, organisations can subsequently put into place a number of measures to bolster their cyber security postures, all of which are facilitated through KHIPU’s best-practice cyber security solution and service portfolio. Alternatively, please fill out the below form and one of our cyber security experts will be in contact to discuss your areas of interest and share experiences with customers within your sector.