May 23, 2024 at 03:08PM
Google’s Matt Linton argues against federally mandated phishing tests, likening today’s deceptive phishing simulations to the early days of fire drills. Phishing attacks keep increasing even as anti-phishing controls proliferate, which he takes as a reason to change approach rather than do more of the same. He criticizes current tests on three counts: there is no evidence that they reduce successful phishing campaigns, they erode trust between staff and security teams, and they burden incident responders with reports about simulated emails. Linton instead proposes clear, non-deceptive testing, a stronger cybersecurity culture, and multi-layered technical defenses.
Linton holds that the current approach to phishing tests is ineffective and may even be counterproductive. It places the burden of responsibility on the individual employee rather than on systemic infrastructure improvements. He argues that the focus should shift to secure-by-default systems and to investment in engineering defenses such as unphishable credentials and multi-party approval for sensitive security contexts.
He also points out that there is no evidence that current phishing tests lead to fewer successful phishing attacks. Guidance from the UK’s NCSC says much the same: the tests erode trust between staff and security teams, and whether a user clicks a link in a test depends on many factors, including personal traits and situational variables, so a click rate says little about how resilient a person or an organization actually is.
Linton proposes a different approach to phishing tests: communicate clearly and transparently about how and when testing happens, as organizations already do with fire drills, rather than relying on deception. He also stresses building a positive cybersecurity culture and teaching employees to recognize and report suspected phishing emails.
In conclusion, Linton suggests that the current approach to phishing tests should be reevaluated in favor of a more balanced and transparent one, modeled on mature safety disciplines such as fire protection, to mitigate phishing more effectively.