A lot of companies use cybersecurity training to prevent phishing attacks. A UC San Diego study says they should find a better way to protect their digital assets.
Ironic thing a company I use to work for would send out both email you need to click links to do your job then do training to not click links or even open the same kind of email. Then even test that by seeding in very realistic test email. Total stupidity. Your expected to tell the difference when there is no way to do so. The training was more CYA then anything, just blame the employee for shit company processes and security.
It’s also such a dumb metric because most of people’s jobs are to click on links elsewhere on the internet, yet when it’s in an email, it’s bad? Unless you’re running an old browser or there is a 0 day, simply opening a link isn’t going to hack your system, but further actions by the user would need to be taken to be compromised. These simulations don’t account for that.
I report emails that I know are legit if it fails the phishing rules. Best example is unprompted emails from third party services that I know my company is using. If I don’t get a real email from a real employee either including the link or warning me that a valid third party link is coming, I’m not going to click it.
I got some emails about required training from outside the company. I needed to download and complete a PDF, which had links to other forms to complete, all offsite. I do know with certainty that the email was legit, but I reported as phishing. Still haven’t heard back about this critical training attestation, so I assume their tracking is as awful as the process.
It’s not my ass on the audit finding. Fix your shit.
Ironic thing a company I use to work for would send out both email you need to click links to do your job then do training to not click links or even open the same kind of email. Then even test that by seeding in very realistic test email. Total stupidity. Your expected to tell the difference when there is no way to do so. The training was more CYA then anything, just blame the employee for shit company processes and security.
It’s also such a dumb metric because most of people’s jobs are to click on links elsewhere on the internet, yet when it’s in an email, it’s bad? Unless you’re running an old browser or there is a 0 day, simply opening a link isn’t going to hack your system, but further actions by the user would need to be taken to be compromised. These simulations don’t account for that.
The real idiotic thing is a network where one client system compromise compromises the whole company. Bad network design.
I report emails that I know are legit if it fails the phishing rules. Best example is unprompted emails from third party services that I know my company is using. If I don’t get a real email from a real employee either including the link or warning me that a valid third party link is coming, I’m not going to click it.
Make your shit legit or I’m not gonna do it.
This is exactly it. Out sourced stuff that there is no way to verify. I stopped clicking on this stuff too unless I had to. Was still never sure.
I got some emails about required training from outside the company. I needed to download and complete a PDF, which had links to other forms to complete, all offsite. I do know with certainty that the email was legit, but I reported as phishing. Still haven’t heard back about this critical training attestation, so I assume their tracking is as awful as the process.
It’s not my ass on the audit finding. Fix your shit.