Are phishing simulations effective?

A phishing simulation is a method of detecting users' cybersecurity vulnerabilities by deploying mock phishing emails. For decades, businesses have added phishing simulations to their security awareness training in an attempt to educate employees on how to fight cyber threats.

Although phishing simulations have become a common practice for safeguarding business data, their effectiveness is still hotly debated. We've pulled together industry research and reports to help you better understand how helpful phishing simulations can be to your organisation.

How to define effectiveness?

To measure whether phishing simulations are effective, we have to look at how well they accomplish their goals.

The goals of phishing simulations can vary from one organisation to another. However, the National Cyber Security Centre (NCSC) provides a good reference. The NCSC was set up by the UK government in 2016 to support UK businesses specifically in the area of cybersecurity. The authority is an official go-to place for people who are looking for guidance on cybersecurity. The NCSC makes it clear that getting users to recognise and report potential threats is a desired outcome of anti-phishing defence.

With this in mind, let us now examine whether phishing simulations are actually producing the desired results. We will dig into relevant industry reports and studies to scientifically evaluate their effectiveness.

Research-proven achievements of phishing simulations

Simulated phishing training seems to have a remarkable impact on employees’ ability to withstand phishing attacks. 

1. A significant increase in users' ability to spot scams

  • A recent cyber security report, the 2022 Annual State of Phishing Report, analysed millions of campaign results from users who have received simulated phishing training. The research found that repeated phishing simulations help employees spot malicious emails and hence reduce their susceptibility. 70% of respondents were susceptible during their first encounter with a simulated phishing email. After simulations had been deployed 5 times, the percentage of susceptibility dropped dramatically to a single digit. A higher frequency of phishing simulations does increase your staff’s ability to recognise phishing emails.
  • The report also pointed out that users who clicked on a fraudulent link had one thing in common: they spent very little time checking the landing page of the phishing simulation. The average time spent was just 0-19 seconds according to the research. This implies that the more time staff are willing to spend on phishing education, the more capable they are of finding the red flags in a simulated phish.
  • The above standpoint is further supported by Microsoft's Digital Defense Report 2022. A popular cybersecurity news website has quoted the finding from Microsoft, stating that “when employees receive simulated phishing training, they’re 50% less likely to fall for phishing.”

2. Impressively high report rate and responsiveness

  • The annual state report mentioned above also showed that 82% of trained employees reported simulated phishing. Even more notably, they reported it within 60 minutes of receiving it. Timely user reporting not only decreases the window of opportunity that an adversary has to access data or gain further network entry but also increases the opportunity the security team has to detect and respond to potential breaches.
  • The success of simulated phishing is further confirmed by another industry study, which indicates that after completing one year of phishing awareness training, the average phish-prone percentage dropped sharply from 37.9% to 4.7%, recording an astonishing 87% improvement rate.

From the reports above, we can conclude that there’s a strong and direct relation between phishing simulation and employees' capability to spot and report phishing emails. 

The widely recognised effectiveness of phishing simulations

The use of phishing simulations has been widely recognised and highly recommended in recent years. With evidence-based proof of their effectiveness, an increasing number of organisations from all kinds of industries are now deploying phishing simulations to strengthen their workforce.

  • To help with the security threats it faces, the Crown Commercial Service (CCS), the government procurement agency, has recently signed a deal to invest in a phishing simulation tool. According to the authority, this simulation tool is intended “to test security awareness” across the organisation and find “areas that need extra support”.
  • The healthcare sector has been one of the industries most targeted by phishing scams because of the valuable personal information held in its databases. The biggest UK healthcare provider, the NHS, is deploying phishing simulations to proactively educate its employees. It said its goal for simulated phishing training is to “raise awareness of phishing emails amongst NHS staff”.

It's easy to see that phishing simulation tests have become a trusted and popular way for organisations to protect their businesses.

Catch up with the cybersecurity trend

Many senior cybersecurity professionals believe that employees who have received phishing simulation tests are far more likely to spot and report suspicious emails than those who haven’t.

Microsoft has been a big advocate of deploying phishing simulations. “Regularly run phishing simulators to gauge the potential risk across your organization and to identify and educate vulnerable users” is one of the actionable insights for reducing exposure to phishing suggested in its Digital Defense Report 2022.

Gidi Cohen, CEO and Founder of Skybox Security, has also shared some insightful advice on identifying vulnerabilities in the workforce with the help of phishing simulation. He emphasised that “A risk-based approach resulted in fewer breaches year over year. This fact underscores that proactive security posture management enables CISOs to act quickly and decisively to mitigate the risks with the greatest potential impact.”

usecure’s phishing simulator

Action is the foundational key to success. As a reputable vendor of cybersecurity services, we take pride in offering the market powerful and user-friendly simulated phishing training. Check out the 14-day free trial of our phishing simulator now and get to know how we can help strengthen your workforce.