A month ago, my friend Wolfgang Goerlich posted a hot take on LinkedIn that is less and less of a hot take these days.

He posted, "our industry needs to kill the phish test",and I knew we needed to have a chat, ideally captured here on the podcast.

I've been on the fence when it comes to phishing simulation, partly because I used to phish people as a penetration tester. It always succeeded, and always would succeed, as long as it's part of someone's job to open emails and read them. Did that make phishing simulation a Sisyphean task? Was there any value in making some of the employees more 'phishing resistant'?

And who is in charge of these simulations? Who looks at a fake end-of-quarter bonus email and says, "yeah, that's cool, send that out."

Segment Resources:

• Phishing in Organizations: Findings from a Large-Scale and Long-Term Study
• The GoDaddy Phishing Awareness Test
• The Chicago Tribune - How a Phishing Awareness Test Went Very Wrong
• University of California Santa Cruz - This uni thought it would be a good idea to do a phishing test with a fake Ebola scare

Show Notes: https://securityweekly.com/esw-376