Don’t Warn Your Co-Workers About That Phishing Test

It is October 2021, and another Cybersecurity Awareness Month is upon us. With so much having occurred over the last year, we should all be experts in personal cybersecurity protection. After all, when our homes became our primary business location, it all became very personal.

I once worked at a company that prohibited me from offering personal cybersecurity advice. They reasoned that if I offered a person any advice such as using a password manager, setting up a credit freeze, or using multi-factor authentication on every 2FA-capable site and something went wrong, the company could be held liable for that advice. I suppose that, from their perspective, they had a valid point. Contrarily, to many security experts, the “security begins at home” approach made a lot of sense; teach a person how to be more cyber secure in their daily lives, and they will carry those habits to the workplace. It took a pandemic to shift the corporate mindset to align with that sentiment.

The full-time remote workforce became keenly aware that a threat to their corporate cybersecurity could easily reflect directly into their home computing setup. A person could no longer safely think that an action they took during work hours would have no impact on their personal computing environment. While many larger corporations could afford to take measures to protect their networks from the perils of all of the home devices joining the corporate network, some of the small- and medium-sized businesses lacked the resources to accomplish any added measures of protection.

During Cybersecurity Awareness Month, we will see plenty of good advice about how to protect ourselves on the internet. Security sites and social media will once again be abuzz with all of the things that we should all do to remain safe online. One hidden area where we can have lasting change in personal security is with the response to simulated phishing exercises that companies use to test cybersecurity awareness. 

Most of the phishing exercises are often met with a groan by the office staff. In the past, when a person recognized that the test was underway, they would immediately shout to their office mates, warning them that a phishing test was in progress and that they should all be on the lookout for the phishing message. This was an excellent way to be a good office mate. After all, no one wants to be embarrassed by being the person who clicks that crafty link devised by the nefarious security team. Unfortunately, this defeated the entire exercise. 

One way to combat the shouted warning was to set the phishing campaign to target only a small percentage of people at a time within the organization. This could offer truer results, but it was labor-intensive to set up and maintain relevant testing lists. It was also imprudent to constantly create new lists to change the audience for each new campaign.

With the emergence of the fully remote workforce, a person could no longer shout across the cubicle walls to warn everybody else of the phishing test. Sure, an e-mail to the co-workers may work, but not as rapidly as the well intentioned verbal warning. We all want to warn others of impending danger, but the only danger of failing a phishing test is the perceived pain of reviewing the cybersecurity awareness training.

As people slowly return to work, this is a great opportunity to educate the staff that warning their neighbor of a phishing simulation exercise is almost as bad as other poor security practices such as sharing a password. It’s a good idea to warn about a dangerous e-mail, but failing to warn a person about a phishing test could reasonably create a safer work environment by reinforcing awareness for those who are caught by that test.

Here’s wishing everyone a happy Cybersecurity Awareness Month!

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.