Wednesday, October 20, 2021

Registration open for 3rd annual Gone Phishing Tournament

A Canadian training company is accepting reservations for its third annual opportunity for firms to find out how effective their employees’ phishing detection is – or isn’t.

The free Gone Phishing Tournament, run by Laval, Que.,-based Terranova Security and co-sponsored by Microsoft, takes place over five days.

Logo for Gone Phishing Tournament

Held to coincide with Cybersecurity Awareness month in October, it tests how click rates of employees – who don’t know they’ve been registered — compare to those of organizations with similar characteristics, including vertical or industry, size, and geographical location.

Any registered organization around the world can enter. After registering an organization will receive instructions on how to bulk upload its user list directly into the tournament environment.

Staff receive several phishing messages and are quietly graded on their ability to spot tell-tale clues and report suspicious messages, or their willingness to click on what would be a malicious link and fill in possibly damaging personal or corporate information on a fake website.

There is no limit to the number of users an organization can submit. To ensure benchmarking data that are representative of an organization’s click rate reality, a minimum of 25 per cent of a firm’s global employee base is required to participate in the tournament.

The data collected is assembled into a global report to be released later this year with results reported by geography, while participant organizations get a customized report that compares their employees’ performance to those in similar industries.

Last year’s global report found approximately 20 per cent of participants clicked on phishing email links, disappointingly up from 11 per cent in 2019, and 13 per cent submitted passwords on the tournament’s phishing web pages.

This is especially disturbing because most participating firms had already a phishing simulation program in place.

The comparative results are a key output of the tournament, Theo Zafirakos, Terranova Security’s CISO, said in an interview.

“Some participants may already have a [awareness] program in place and phishing simulations but they don’t know how effective it is. Other organizations may not have anything in place and are looking for justification to fund and get management commitment to implement a program.”

It takes both security awareness training and testing for employees to adopt new behavior, Zafirakos said. “Organizations that have a formal program in place have employees with a stronger security culture compared to those who don’t have anything in place.”

“Employers have a responsibility to provide awareness training,” he added. “We give employees access to applications, to systems, digital information, but we don’t always inform them of the risks associated with that. We have the expectation of them to use technological and advanced assets without them being informed of the potential threats they may face.”

Organizations fail in their awareness training by trying to do too much at once, Zafirakos said. Training has to be spread out over time. Another failure is that the material is too technical. Instructors should give staff practical advice on what do to when they face a decision. For example, it’s not enough to say, ‘Don’t click on suspicious links.’ Tell staff what a suspicious link looks like.

Finally, he said, staff shouldn’t fear being punished if they make a mistake.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication. Click this link to send me a note →

Jim Love, Chief Content Officer, IT World Canada
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News