Phishing Simulations: Security awareness or productivity nightmare

While phishing simulation provides valuable security awareness training, it has become an unrealistic test that breeds mistrust and paranoia. Workers now waste significant time scrutinizing legitimate emails and links, which leads to lost business time, hyper-vigilance, and many false-positive reports from employees. This constant second-guessing of every email link and attachment slows communication, collaboration, and productivity.

Even with extensive training and repeated phishing simulation tests, employees struggle to reliably identify sophisticated phishing threats, either flagging a legitimate email as suspicious or failing to flag a malicious one. Moreover, if an email is obvious enough for a human user to detect as suspicious or malicious, technical controls should identify it far more easily. Unrealistic simulations overwhelm and distract employees, who end up acting as security analysts, evaluating and analyzing every email.

Rather than relying on unreliable human threat detection, organizations should invest in advanced AI-driven security tools that automatically analyze millions of signals and patterns, such as the sending domain, IP address, and geolocation, and compare them against threat intelligence sources to accurately identify and isolate high-risk or suspicious emails before they reach the user. This shields employees while giving analysts time to validate threats.

While human eyes may struggle to spot the difference between a legitimate domain name and one with substituted or transposed characters, automated models detect such lookalikes far faster. Technology is far better positioned than any individual user to evaluate potential phishing attacks at scale, without creating the uncertainty that hampers productivity. Robust automated controls allow workers to focus on business results rather than hunting threats.
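To make the point concrete, here is an added example (not code from the article or any product it refers to) of the kind of deterministic check a mail gateway can run on every sender domain: it folds common homoglyphs to their Latin look-alikes and then measures edit distance, including adjacent-character swaps, against an allow-list. The trusted domains, the homoglyph table and the sample addresses are all constructed for illustration.

```python
# Added example: flag sender domains that resemble a trusted domain after
# homoglyph normalisation, or that sit within a small edit distance of one.
# TRUSTED_DOMAINS and HOMOGLYPHS are constructed, illustrative values.

TRUSTED_DOMAINS = ("example.com", "example-payroll.com")

# Digraphs and characters commonly swapped in for Latin letters.
# Multi-character keys are applied before single characters.
HOMOGLYPHS = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "|": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0131": "i",  # dotless i
}

def normalize(domain: str) -> str:
    """Lower-case, decode punycode labels if present, fold homoglyphs to ASCII."""
    domain = domain.strip().lower().rstrip(".")
    if "xn--" in domain:
        try:
            domain = domain.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed label: compare the raw form instead
    for src, dst in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        domain = domain.replace(src, dst)
    return domain

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swapped neighbours
    return d[len(a)][len(b)]

def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, matched trusted domain or None) for one sender address."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in trusted:
        return "trusted", domain
    norm = normalize(domain)
    for t in trusted:
        if norm == normalize(t):
            return "lookalike-homoglyph", t
    for t in trusted:
        if 0 < osa_distance(norm, normalize(t)) <= max_distance:
            return "lookalike-typo", t
    return "unknown", None
```

A verdict of "lookalike-homoglyph" or "lookalike-typo" is a routing signal for quarantine or analyst review, not proof of malice; "unknown" simply means the domain is unrelated to the allow-list and should be judged by other controls.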

In addition, as security professionals we should think of cybersecurity as the brake on a bicycle. Imagine a bike with no brakes: we would have to ride slowly so that we could stop with our feet. With a brake, we can move fast and confidently, and stop on demand.

Cybersecurity practices should work like that brake: they should allow fast and effective collaboration, enable business velocity, let employees work without fear, contribute to productivity, enable fearless innovation and rapid growth, and support bold decision-making. True cyber readiness means brakes that balance friction and freedom, not tentative crawling. Savvy security amplifies an organization's potential.

Finally, every security team has different strategic and tactical cybersecurity goals for its business. It is up to your team to evaluate whether phishing simulation is still worth it, or whether it is time to plan a more technology-centric approach that lets users work freely, without security paranoia.

Jamiu Akande is a Cyber Security Consultant, Thought Leader, Leadership Coach and a scholar.