A number of security suppliers offer phishing simulations, which aim to assess how susceptible your employees are to a phishing attack. But are they worth it? A phishing simulation or assessment is an exercise that repeats the steps attackers would take to phish an organisation’s employees. There are a couple of ways that organisations can buy these services: use an off-the-shelf solution, or hire a security company (like The Security Bureau) to do it. But what would a phishing simulation tell you about your organisation that you don’t already know?

Typically, organisations are interested in the security of their internet facing systems and websites to ascertain whether it’s possible for attackers to gain access to their internal systems. If they have the budget, they may conduct internal penetration testing to understand the impact of a successful breach.

Internal penetration testing is a security test performed from within the perimeter. An assumption is made that attackers have already gained access to the network, either by physically entering the company premises or by breaching it from the internet (possibly using a successful phishing attack). The method of entry is not taken into account: the assumption is that attackers will gain some kind of access to the internal network regardless of how.

Would you benefit from a phishing assessment?

It’s worthwhile to know how these attackers are gaining access to data. But is a phishing assessment the most effective use of your security budget? Would Sony Pictures have benefited from a phishing assessment? An employee could have been at risk of phishing, but it was their internal security that needed the attention.

When security budgets are set for the new financial year, remember that there are new threats and some new methods of attack. But nothing has really changed when it comes to protecting your data and your employees. Build a good security foundation and culture: this will be the best investment you can make. After you’ve shelled out for a phishing assessment you’ll still have to conduct user awareness training, and training is something every organisation should be doing anyway. Train new employees as part of their induction and embed security culture from the outset. Ideally this should happen before employees access a computer.

So, are phishing assessments worth it? You decide. What are you trying to achieve? Are you looking to prove to your board of directors that you need an increase to your security budget or are you trying to make that budget work hard for you? Assume you’ve had a breach. Now ask yourself, what are my priorities and where can I invest my finite budget to enable the business to operate securely?