It is our position that Simulated Phishing and Security Awareness need to live apart from one another. Organizations that provide both services under one roof face a very strong temptation to collude.
An organization that takes a “Simulated Phishing” first approach not only wants to earn your business, it wants to keep it. What’s the best way to keep it? Show results. Results mean that, over time, your “bait takers” take the bait less often.
Think about this: how easy would it be for one of these dual-purpose organizations to conduct a baseline Phishing test, use some of their best and most successful campaign material, and show a high level of penetration? They then put on their training hat, teach your employees a few things about security, and phish them again with a campaign that mirrors the training. What do you get? Simulated Results!
That is not the real world. The exception would be those Phishing-first organizations that offer training from companies they aren’t invested in and have an arm’s-length relationship with.
Let’s make a comparison with the Public Accounting Industry. The Sarbanes-Oxley Act of 2002 further defined “Auditor Independence.” Under this law, the accounting firm that performs your audit cannot be the same firm that prepares your taxes or manages your books. Simulated Phishing is a way of “auditing” your training. Why on earth would the security industry allow the same company to do both? Perhaps one day there will be a law written for this, but for now we should rely on common sense.
Another comparison with deeper relevance would be an I.T. Security audit. You wouldn’t have the I.T. Security company that performs your audit be the same company that remediates your deficiencies and then re-audits you, would you? Then why would the people who test you be the same people who train you and then test you again? That does not mirror what happens in the real world. Unfortunately, hackers don’t phish you per your training curriculum.
With NINJIO PHISH, we help you select one of our Top Tier Simulated Phishing providers, who then connect to our user database through our API. This gives our clients the convenience of maintaining a single user database or leveraging our Single Sign-On technologies, while maintaining the ethical wall between the training and the Simulated Phishing. Our relationships with our Phishing Partners also allow us to offer their Phishing services at highly discounted rates (due to the volume that we purchase), but that is where the relationship ends.