How to keep your cybersecurity test from going off the rails

West Midlands Trains learned the hard way that hoaxing your own staff may not be the best PR exercise, but is it an effective way to test cybersecurity resilience?

West Midlands Trains hit headlines after a company-devised phishing test tricked its own employees into believing they were in line for an annual bonus. Rail unions were quick to deride the cybersecurity exercise, describing it as “crass and reprehensible” and a “cynical and shocking stunt”. 

However, the train operating company claimed: “The design of the email was just the sort of thing a criminal organisation would use – and thankfully it was an exercise without the consequences of a real attack.”

According to the most recent figures from the Department for Digital, Culture, Media and Sport, 39% of businesses reported a cybersecurity breach in the 12 months between March 2020 and 2021. Phishing attacks, email scams that impersonate a trusted entity in a bid to persuade victims to share their personal details, were the most prevalent, accounting for 83% of all cybersecurity breaches reported by businesses.

Security software provider Check Point’s regional director Ian Porteous believes the current spate of phishing attacks makes this type of test exercise very useful, but adds: “Targeting transportation workers, who have been on the front lines of the pandemic, with a bonus in this way was a misstep.”

He adds: “While this may well be exactly how the bad guys choose to entice victims, the same awareness message could have been delivered with a less contentious choice of bait.”

Others in the cybersecurity industry failed to see the issue. “I don’t understand why the employees are in a rage about this,” Trend Micro UK technical director Bharat Mistry says. “This phishing test is a very realistic scenario, as cybercriminals know that people are the weakest link when it comes to cyber defence and will always look to exploit the human psyche.

“My view is that this exercise just goes to show how easily people can be duped despite all the media coverage in recent weeks about cyber attacks.”

Careful wording is key

Although the email may have realistically mimicked a cybercriminal, any business hoping to replicate West Midlands Trains should be wary of promising bonuses it has no intention of paying. 

Discreet Law consultant solicitor and employment lawyer Elena Cooper warns that the rail company could be set to “suffer a glut of breach of contract claims”, depending on the wording of its original email.

“There’s a whole argument around contracts, offer and acceptance but, depending on how the email was worded, it could be suggested the employer is formally offering a bonus,” she says. “While I don’t think the employees could win a breach of contract claim, they could certainly argue that a promise has been made and now it is being removed.”


Cooper claims that it would have been far better to use a test that “doesn’t actually bind the employer”. Although a financial incentive is often used in phishing attacks to persuade the recipient to click on a link, she would encourage employers to check any cybersecurity tests with their legal teams first. 

“It could say, ‘Click this link if you want to be considered eligible for a one-off payment’, but it should never involve the employer promising a financial reward,” she adds. “And always bear in mind the detrimental impact any test could have on employee relations.”

How should businesses run phishing tests?

For businesses looking to improve their cybersecurity, the most important ingredient is trust. 

Tessian CEO Tim Sadler, whose IT security company focuses on breaches caused by human error, says: “The fall-out of this exercise has enraged and alienated the company’s employees — the exact opposite reaction you need to build a robust security culture and attitude within an organisation.”

He believes the exercise used by West Midlands Trains “exemplifies one of the main problems with security training today” — treating employees as the problem. “People are trained and then blamed when the wrong decision is made and this ultimately excludes them from being part of the solution,” Sadler adds.

A business must be able to rely on its employees to identify a suspected breach and alert the relevant people if they believe they have fallen victim to one. Tests designed to catch individuals out can deter them from reporting a real incident, in case it turns out to be another hoax.

Cygenta co-founder and author of Confident Cyber Security Jessica Barker says: “Cybercriminals don’t need to worry about building long-term trust, morale and confidence with their targets but cybersecurity professionals do. 

“People will always click links in phishing emails, especially if it’s a well-crafted phish. A better test of resilience is to focus on the report rate, rather than the click rate and to address technical defences, for example network segmentation, to stop lateral movement of any attacks. Calling people the weakest link is lazy, it’s a way of trying to put the security burden on end-users.”
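As an added example (not from the article or any company quoted in it), the Python below computes the metrics Barker argues for over a constructed set of phishing-simulation events: the report rate alongside the click rate, how many people reported even after clicking, and how quickly the first report reached the security team. User names and timestamps are constructed.

```python
from datetime import datetime
from statistics import median

# Constructed phishing-simulation events (not data from the article).
# Each tuple: (user, event, ISO timestamp). Events: "sent", "clicked", "reported".
EVENTS = [
    ("alice", "sent", "2021-05-10T09:00:00"),
    ("alice", "clicked", "2021-05-10T09:04:00"),
    ("alice", "reported", "2021-05-10T09:06:00"),
    ("bob", "sent", "2021-05-10T09:00:00"),
    ("bob", "reported", "2021-05-10T09:02:00"),
    ("carol", "sent", "2021-05-10T09:00:00"),
    ("carol", "clicked", "2021-05-10T09:30:00"),
    ("dave", "sent", "2021-05-10T09:00:00"),
    ("erin", "sent", "2021-05-10T09:00:00"),
    ("erin", "reported", "2021-05-10T09:15:00"),
]


def campaign_metrics(events):
    """Summarise a simulation by report rate, not only click rate."""
    sent, clicked, reported = {}, {}, {}
    buckets = {"sent": sent, "clicked": clicked, "reported": reported}
    for user, kind, ts in events:
        when = datetime.fromisoformat(ts)
        # Keep the earliest timestamp per user and event type.
        buckets[kind][user] = min(buckets[kind].get(user, when), when)
    recipients = len(sent)
    first_send = min(sent.values())
    # Minutes each reporter took from receiving the mail to reporting it.
    delays = [(reported[u] - sent[u]).total_seconds() / 60 for u in reported]
    return {
        "recipients": recipients,
        "click_rate": len(clicked) / recipients,
        "report_rate": len(reported) / recipients,
        # People who reported even after clicking: the behaviour a trusting culture wants.
        "clicked_then_reported": len(set(clicked) & set(reported)),
        # Minutes until the security team first heard about the campaign (None if nobody reported).
        "minutes_to_first_report": (
            (min(reported.values()) - first_send).total_seconds() / 60 if reported else None
        ),
        "median_report_delay_min": median(delays) if delays else None,
    }


if __name__ == "__main__":
    for name, value in campaign_metrics(EVENTS).items():
        print(f"{name}: {value}")
```

A low click rate with no reports leaves responders blind; a campaign with clicks but a report within minutes is the one that can actually be contained.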

Any test of cybersecurity should look to empower individuals to identify the threats, be aware of the consequences and escalate the issue, Barker claims. “The key lesson from this is to put people first. If you’re thinking of phishing tests as a way of catching people out, that’s a trick rather than training. 

“A good security culture builds communication between the security team and the rest of their colleagues. They have to show they are on their colleagues’ side, not treating them as if they are the weakest link.”