Google Security Manager Blasts Phishing Tests: “Employees Hate Us for No Benefit”

Google’s Matt Linton argues that simulated phishing tests are counterproductive and make employees resentful without improving security. He claims there’s no evidence these tests reduce successful phishing attempts, as highlighted in a 2021 study.
Cybersecurity News Summary

Hot Take:

Why fake it till you break it? Google’s own security guru says phishing tests are more trick than treat, and it’s time for the IT industry to stop playing cyber-psychological hunger games with employees.

Key Points:

  • Google security manager Matt Linton argues against simulated phishing tests.
  • These tests are required for US government security compliance.
  • Linton claims the tests lead to negative side effects and don’t reduce phishing incidents.
  • A 2021 study found phishing tests don’t make employees more resilient.
  • Linton suggests the tests make employees resent cybersecurity teams.

Need to know more?

Phishing for Complaints

Let’s face it, no one likes to be tricked, especially not by their own employer! Google’s security incident manager, Matt Linton, has come out swinging against the IT industry’s love affair with simulated phishing tests. He argues that these tests are more like office pranks that have overstayed their welcome. Instead of making employees more vigilant, the tests make them resent their cybersecurity teams. So, if you’re wondering why your last phishing test felt less like training and more like hazing, you’ve got some heavy-hitters in your corner.

Compliance vs. Common Sense

Here’s the kicker: Google is mandated to run these phishing tests to meet US government security compliance requirements. It’s like being forced to eat your vegetables even if you’re allergic to them. Despite the good intentions, the actual benefits of phishing tests are as elusive as a hacker who’s really good at hide-and-seek. According to Linton, these tests don’t actually result in fewer successful phishing campaigns. So, are we just checking boxes here, or are we really safeguarding our cyber castle?

Study: Phishing Tests Flunk

In case you need more convincing, a 2021 study ran for 15 months and concluded that phishing tests don’t make employees more resilient to phishing. Imagine studying for an exam for over a year only to find out that the exam doesn’t even count! The study suggests that these exercises are more like shooting blanks—they make a lot of noise but don’t hit the target. So, if you’ve been feeling like a clueless fish in a barrel, you’re not alone, and there’s data to back up your frustration.

Trick or Treat? More Like Trick or Retreat

As if hating Mondays wasn’t enough, now employees have another reason to roll their eyes at their inbox. Linton emphasizes that these tests can lead to negative side effects, including the deterioration of trust between employees and the cybersecurity team. The only thing worse than a phishing attack is feeling like your own team is trying to reel you in. It’s no wonder employees are starting to view these tests as cyber-pranks rather than actual training.

Is There a Better Way?

So, if phishing tests are the bad cop, where’s the good cop? Linton hasn’t just thrown shade; he’s also hinting that there are better ways to educate employees about phishing threats without making them feel like they’re on a reality TV show. While he doesn’t lay out a detailed alternative in this particular rant, the message is clear: Cybersecurity training doesn’t have to be a game of “Gotcha!” It can be informative, engaging, and, dare we say, even enjoyable. So let’s put the trickery aside and focus on real, meaningful security education.
