How to assess your risk when faced with phishing?

Lïa Desmousseaux de Givré


Phishing is commonly cited as the entry point for around 90% of cyber attacks today. This threat exposes a company to several kinds of risk: operational, reputational, financial, and legal.

It is therefore worth considering how to assess the risk that a phishing attack represents for your company.

In this article, we will discuss the different risks that phishing can generate and help you assess your company's exposure to this threat.

A reminder of the different risks associated with phishing

Operational risk

An assembly line or supply chain can be brought to a halt if the configuration files of its automation systems are encrypted by ransomware.

Spyware can be silently installed on the internal network to spy on the company's activities and gather sensitive data.

Following a phishing attack, the leakage of sensitive data also represents a risk. Information about the company's commercial positioning or ongoing bids is valuable data for competitors who can then gain control of vital contracts for the company.

Reputational risk

When a company suffers a cyber attack, its image is inevitably affected. If crisis communication is poorly managed, customers may lose confidence in the security of the company and its ability to fulfill their contracts.

Retaining or attracting talent also becomes more difficult when a company is in the news regarding a security breach or the publication of personal information about its employees.

Financial risk

In a cyber attack, the ransom demanded by ransomware operators is not the only thing that costs money: legal consequences do too. Legal sanctions can follow if the attack reveals a lack of security measures that put customer data at risk.

Ransomware encrypts an organization's files or software, and the operators demand a ransom in exchange for the decryption key, with no guarantee that paying will actually restore the data.

Finally, reputational impact can lead to lost contracts, and existing contracts may be terminated outright if they contain a clause allowing termination in the event of a sensitive data leak.

Legal sanctions can occur if the French Data Protection Authority (CNIL) considers that the company was negligent in securing its data. In 2018, Uber was fined €400,000 following a sensitive data breach the company had experienced; the CNIL deemed that Uber had neglected the protection of user data.

Evaluating your company's exposure to phishing

These different risks lead companies to question their exposure to phishing. Phishing tests and red teaming are two approaches that can help you assess this exposure through practical means.

Red teaming: an evaluation of protection systems

The red team seeks to enter the company's information system as an attacker would. Their job is to bypass detection and protection systems.

It is important to realize that phishing protection systems can be evaded. Even though the majority of threats are unable to get past these systems, a determined attacker will be able to get around your anti-phishing filters without too much difficulty.

Even the best filtering technologies today are reported to detect phishing emails with 92.72% accuracy, which still leaves 7.28% of malicious emails to pass through. At the volume of email a large organization receives, that residual fraction represents a significant number of threats reaching inboxes.

Phishing tests: evaluating employee behavior

In contrast, phishing test emails are allowlisted in the anti-phishing filters. Their goal is not to evaluate the detection systems but the human element those systems protect. The emails therefore land directly in the employee's inbox, exactly as a real phishing email that had bypassed your protections would.

Both approaches are useful because they evaluate the company's security from different angles. Phishing tests, however, evaluate your last line of defense, the employee, once a threat has already bypassed the technical protections. That is why it is crucial to train employees to report these threats rather than simply ignore them.

Conducting an initial phishing test as a benchmark allows you to get an idea of the risks that phishing poses to your employees and your company.

Key metrics to analyze in a phishing test

When conducting a phishing test, different data points are worth considering: click and compromise rates, average and median times, and sensitivity to the pretext used for phishing.

Click and compromise rates give you an idea of your employees' overall performance: the click rate is the share of recipients who clicked the link or opened the attachment, and the compromise rate is the share who went further, for example by entering their credentials on the fake login page.

Average and median times measure the delay between the email being sent and the compromise. They matter because many people react to their inbox very quickly and take the dangerous action within minutes of receipt.

These times tell you how fast you can be hacked, and therefore how little time the security team has to act on the first report before the first compromise occurs.

Not all attacks are equal. Sensitivity to the pretext is therefore a useful data point, because the same pretext will not be equally effective across the different populations tested.

For example, an HR employee may be more likely to click on an attached CV than someone from the finance department.

Hackers carry out targeted attacks: they will not use the same email for every person they want to compromise.
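As an added example (not code from the original article), the script below computes the metrics just described from a constructed campaign export: click rate, compromise rate, report rate, mean and median time-to-compromise, and the same figures broken down by pretext, by department, or by both together. The record layout (one row per recipient with sent/clicked/submitted/reported timestamps plus department and pretext) and the field names are assumptions; real simulation platforms export something similar but the names differ.

```python
"""Phishing-test metrics from a campaign export (added example; schema assumed)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, median

FIELDS = ("user", "department", "pretext", "sent_at",
          "clicked_at", "submitted_at", "reported_at")

# Constructed sample export: 10 recipients, 2 pretexts, 3 departments.
# None means the recipient never performed that action.
T0 = datetime(2024, 3, 4, 9, 0)  # campaign send time (constructed)
m = lambda n: T0 + timedelta(minutes=n)  # noqa: E731 (helper for the sample)
_RAW = [
    ("u01", "HR",      "cv_attachment",  T0, m(2),  m(3),  None),
    ("u02", "HR",      "cv_attachment",  T0, m(7),  None,  m(9)),
    ("u03", "HR",      "cv_attachment",  T0, None,  None,  m(10)),
    ("u04", "Finance", "cv_attachment",  T0, None,  None,  m(15)),
    ("u05", "Finance", "cv_attachment",  T0, None,  None,  None),
    ("u06", "Finance", "invoice_portal", T0, m(4),  m(5),  None),
    ("u07", "Finance", "invoice_portal", T0, m(45), m(50), None),
    ("u08", "HR",      "invoice_portal", T0, None,  None,  m(6)),
    ("u09", "IT",      "invoice_portal", T0, m(1),  None,  None),
    ("u10", "IT",      "cv_attachment",  T0, None,  None,  m(20)),
]
EVENTS = [dict(zip(FIELDS, row)) for row in _RAW]


def campaign_metrics(events):
    """Rates and time-to-compromise for one population of recipients.

    click rate      = recipients who clicked / recipients sent
    compromise rate = recipients who entered credentials (or ran the
                      attachment) / recipients sent
    report rate     = recipients who reported the email / recipients sent
    Times are minutes between send and the compromising action, computed
    only over compromised recipients; None when nobody was compromised.
    """
    sent = len(events)
    if sent == 0:
        return {"sent": 0, "click_rate": 0.0, "compromise_rate": 0.0,
                "report_rate": 0.0, "mean_minutes": None,
                "median_minutes": None, "first_compromise_minutes": None}
    clicked = sum(1 for e in events if e["clicked_at"] is not None)
    reported = sum(1 for e in events if e["reported_at"] is not None)
    delays = [(e["submitted_at"] - e["sent_at"]).total_seconds() / 60
              for e in events if e["submitted_at"] is not None]
    return {
        "sent": sent,
        "click_rate": clicked / sent,
        "compromise_rate": len(delays) / sent,
        "report_rate": reported / sent,
        "mean_minutes": mean(delays) if delays else None,
        "median_minutes": median(delays) if delays else None,
        # Earliest compromise: the window the security team actually has.
        "first_compromise_minutes": min(delays) if delays else None,
    }


def breakdown(events, *fields):
    """Group recipients by one or more fields (e.g. pretext, department)
    and compute campaign_metrics for each group. With one field the keys
    are plain values; with several they are tuples."""
    groups = defaultdict(list)
    for e in events:
        key = tuple(e[f] for f in fields)
        groups[key if len(fields) > 1 else key[0]].append(e)
    return {k: campaign_metrics(v) for k, v in sorted(groups.items())}


if __name__ == "__main__":
    overall = campaign_metrics(EVENTS)
    print("overall:", overall)
    for title, table in (("by pretext", breakdown(EVENTS, "pretext")),
                         ("by department", breakdown(EVENTS, "department")),
                         ("by department x pretext",
                          breakdown(EVENTS, "department", "pretext"))):
        print(title)
        for key, met in table.items():
            print(f"  {key}: sent={met['sent']} click={met['click_rate']:.2f} "
                  f"compromise={met['compromise_rate']:.2f} "
                  f"report={met['report_rate']:.2f} "
                  f"median_min={met['median_minutes']}")
```

On this sample the mean time-to-compromise is about 19 minutes while the median is 5, because a single late victim (50 minutes) drags the mean up; the median and the first compromise (3 minutes) are the more honest description of the window you have. The department-by-pretext table also shows the point made above: HR clicks the CV attachment two times out of three, Finance not at all.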

Corrective actions to implement

Once you have assessed the risk posed by phishing, it is time to implement corrective actions.

Comprehensive awareness program

Firstly, awareness campaigns against phishing should be recurring. The forgetting curve shows that information is retained only if it is reinforced at intervals.

Testing only once a year will lead to a gradual erosion of your employees' reflexes over time.

Next, the learning content should be relevant to the phishing emails your employees may receive in their inbox.

Theoretical content that is pertinent to the simulated attack they have just experienced will be more appropriate and valuable than delivering the same generic and non-contextualized content to all employees.

Company culture is also an important aspect to improve. You can highlight individuals who have the best results to support their colleagues.

Practicing peer learning with internal employees will have a greater impact than if it is always the members of the IT security department who raise awareness.

The company should not be divided into two camps: the security department and the tested employees. IT security should not be perceived as a barrier to productivity but rather as support and assistance in the fight against phishing.

On the security side, employees should not be seen as incapable of detecting any manipulation attempts. The goal is to create cooperation between employees to detect and report phishing attempts, with support from the IT security department in the fight against phishing.

Finally, emphasis should be placed on high-risk elements. Sometimes, theoretical content and phishing tests are not sufficient to raise awareness among the employees who represent the greatest danger.

In such cases, you can involve external experts to help high-risk groups improve their results during phishing attack simulations.

Continuous training for better protection

It is necessary to establish continuous training to improve prevention against these risks.

On the one hand, training programs need to be regularly updated to align with new techniques used by hackers.

For example, Google requires multi-factor authentication for its accounts, as do many companies. Credential harvesting techniques are therefore evolving to get around this protection, for instance with adversary-in-the-middle kits that proxy the real login page and capture the session after the second factor has been entered. It is therefore important to adapt simulations to the attacks your employees may actually face.

If email is no longer used tomorrow, hackers will still find new communication channels to attempt manipulation of employees.

On the other hand, practical training is essential: theory does not always transfer to manipulation situations where psychological levers are used to modify the employee's response patterns. In such cases, employees are not able to use their theoretical knowledge to thwart attacks.


Assessing the risk posed by phishing is extremely important in order to begin to control it.

Measuring the return on investment of your actions is crucial: without measurement, you not only waste effort but also leave the risk uncontrolled.

That is why a realistic simulation remains the best way to assess your company's exposure to phishing.

Protection systems will never be able to filter out threats 100%. Therefore, implementing a comprehensive awareness program to train your employees is necessary.
