I have been selling security for a long time. One of the top reasons people don't test their security is fear of what they might find. I have said this before on this blog and it isn't new. What I want to focus on in this post is the fear of catching. Some companies don't test their security because they don't want their employees to think they are trying to catch them screwing up. Some people feel this is deceptive. I assure you it is not.
How can you train your users on better security practices until you know how they may react? Let's look at a phishing test for a minute. Phishing, or more accurately spear phishing when talking about business testing, is a way for a business to gauge how its employees will react when someone solicits information from them. This is already happening, and every time we run a test we get very high response rates. Yet companies typically never get around to this, because they don't know where to start.
Our clients are not trying to catch their employees; they are trying to see what vulnerabilities they have and defend against them. I don't know of one situation in our testing history where an employee was fired as a result of a phishing test.
Not testing is waiting for an attacker to catch you with your guard down. Testing is playing offense.