Moreover, it can be a motivator for certain people. After mock phishing attacks employees think "If I'm vulnerable to this, what else am I vulnerable to," and that's a win for the security team. Mock attacks can also help break down walls. They can help create a valuable communications channel between users and security and IT staff. It helps people understand that they can report phishing and other potentially malicious attacks to their IT department, even if it turns out to be a false alarm.
Creating the best of both worlds
As we've seen, mock attacks can complete part of the security education picture. As part of a comprehensive security education strategy, they become a valuable way to test and measure progress. Employees who are aware of the company's plan to sporadically conduct simulated events are often more careful overall, adopting an "If you see something, say something" thought process.
However, the overarching goal of any security education program needs to focus on changing the user's behavior, making him or her less likely to fall for any scheme that will put the company—and its sensitive data—at risk. Mock attacks are a part of this training, but to reach a point where there is a real and lasting behavioral change, a program needs to take into account the entire security picture. This includes:
Understanding different kinds of attacks
It's natural to focus on how to keep computers free from malware and data safe from phishers, but security training should also include physical security (how front desk staff and other employees should react when an unscheduled "service person" arrives at their door) and phone training (what to do when a caller asks for information that shouldn't be divulged). These lessons are difficult to teach via a simulated event, but the right training can teach employees to ask questions such as "Can I see your ID?", "Do you have paperwork?" or "Who at my company requested this?"
Protecting different devices
Mobile phones have rapidly become a potential treasure trove of personal data for cybercriminals. They also represent an easy way to reach end users through social engineering techniques such as fake antivirus, which tricks users into paying to remove non-existent malware. Android is the OS most under attack; according to a report from security vendor Sophos, since it first detected Android malware in August 2010, it has recorded more than 300 malware families and more than 650,000 individual pieces of Android malware.
Determining if a URL is legitimate or fraudulent
Teaching employees how URLs work is the first step in preventing them from clicking on fraudulent ones, whether in an e-mail or while browsing the Internet. Hovering over a link shows its real destination in the status bar (in the lower left of most browsers), so users can preview and verify where it will take them before clicking. Making employees more aware of how to spot fraudulent URLs could help change their actions when they come across links that seem suspicious.
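To make the "how URLs work" lesson concrete, the following added example (not code from the original article) reads a link the way a browser does and reports the host it will really connect to, flagging the patterns awareness training usually covers: a trusted name placed in a subdomain or before an "@", a raw IP address, and a missing HTTPS. The trusted domain list and the sample links are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed list of the organisation's own domains (an assumption for this example).
TRUSTED_DOMAINS = {"example-bank.com"}


def true_host(url: str) -> str:
    """Return the host the browser will actually connect to for this link."""
    if "://" not in url:            # treat scheme-less text the way a browser would
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplification: no public-suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def assess_url(url: str) -> dict:
    """Explain, as a training aid, where a link really leads and why it may be suspicious."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = true_host(url)
    domain = registrable_domain(host)
    findings = []
    if parts.username is not None:
        findings.append(f"text before '@' is ignored; the real host is {host}")
    if parts.scheme != "https":
        findings.append("link is not HTTPS")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a raw IP address, not a company name")
    except ValueError:
        pass                        # not an IP literal, which is the normal case
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if domain != trusted and brand in url.lower():
            findings.append(f"mentions '{brand}' but really goes to {host}")
    return {"host": host, "domain": domain,
            "trusted": domain in TRUSTED_DOMAINS, "findings": findings}


if __name__ == "__main__":
    # Constructed sample links of the kind shown in awareness training.
    for link in ["https://www.example-bank.com/accounts",
                 "https://example-bank.com.login-verify.test/signin",
                 "https://example-bank.com@203.0.113.5/",
                 "example-bank.com.evil.test/login"]:
        print(link, "->", assess_url(link))
```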
Creating strong passwords
Many users think easy-to-remember passwords such as 123456 are "good enough," not realizing that weak passwords make them a vulnerable link in the company's defenses. Training users how to properly create and store strong passwords, and putting measures in place that tell individuals when the password they've created is "weak," can help change behavior.
Overall, if a company is going to arm its end users to help keep its data secure, it has to do more than run occasional mock attacks. Simulated attacks work best when done as part of an overall security education plan whose benefits are well articulated and understood, with the end result being a positive change in employee behavior. In this environment, they can be very valuable to a company, providing data that helps elucidate the true vulnerability of a company and its employees.