What’s the point in phishing assessments?
As news is released that PhishMe made £45 million last year, it’s clear that phishing assessments have become very popular. But it begs the question — what is the value in getting a phishing assessment done?
You could argue that, since phishing is one of the primary infection vectors for modern cyber attackers, getting a phishing assessment is the new “penetration testing”: it answers the question of whether or not someone can get in, and whether you need to shore up your defences.
The problem here though is that if all you want to know is if someone can get in, then I can answer that for you right now.
Yes, they can.
It doesn’t matter how much you educate your users, or how much you spend on anti-malware tech, one of your employees is going to click that email, and one of the attackers will be able to bypass your tech defences.
The real value in a phishing assessment is not answering the question “can they get in?”, but instead “which of my users might need more education?”. If you don’t already have an allocated amount for education in your cyber security budget, and money left in it to spend re-educating particular employees, then the value of a phishing assessment is questionable. You’d be better off just investing that money straight into the education budget.
Perhaps this is why PhishMe has done so well. Their offering includes training at the point of infection. Immediate education for users who have been duped. And so what you’re really paying for is targeted education, rather than understanding technical weaknesses.
In a fight that everyone is coming to recognise as being both technical and social, services like PhishMe that combine technology with social factors will surely continue to do very well.