
Compliance Benefits

Our Adversarial Phishing Simulations go beyond tick-box compliance. They strengthen security awareness training, feed measured results into risk assessment, and give the security team data with which to monitor improvement over time. This proactive approach helps organisations meet, and in many cases go beyond, the expectations of the following frameworks:
 
ISO 27001

A core focus of ISO/IEC 27001 is managing information security risk (Clause 6.1), and our simulations address this directly by uncovering weaknesses in how staff recognise and respond to phishing. Running simulations regularly and tracking the results over time (for example report rate and time to report) gives an organisation evidence of continual improvement in its policies and training, which ISO 27001 requires under Clause 10 (Improvement).

ISO 27001 also requires that people working under the organisation's control are made aware of the information security policy and their contribution to it (Clause 7.3), supported by Annex A control 6.3, Information security awareness, education and training (2022 edition). Our simulations and supplementary educational webinars serve as practical training exercises: they reinforce awareness, teach employees how to recognise and report phishing attempts, and build their confidence in handling such situations.

General Data Protection Regulation (GDPR)

Phishing simulations help an organisation meet its GDPR obligations by strengthening its security posture and demonstrating a commitment to data protection. Article 32 requires controllers and processors to implement "appropriate technical and organisational measures" to ensure a level of security appropriate to the risk. Phishing is a leading cause of personal data breaches, so it is important for organisations to be able to show what they have done to reduce that risk.

Simulations identify human weaknesses in an organisation's defences, enabling it to take targeted measures to mitigate them. By training employees to recognise and avoid such attempts, organisations can significantly reduce the risk of unauthorised access to personal data, a core concern of the GDPR. The simulations are therefore both a proactive measure and an evidential record of the organisation's efforts to meet the standard Article 32 requires. Note that the results of a simulation are themselves personal data about employees, so the campaign and its reporting should be handled in line with the organisation's own GDPR obligations to its staff.

Payment Card Industry Data Security Standard (PCI DSS)

Phishing simulations are increasingly relevant for organisations that must comply with PCI DSS, particularly under PCI DSS v4.0.

PCI DSS v4.0 emphasises security awareness training and specifically requires that it cover threats such as phishing and social engineering (Requirement 12.6.3.1). Our simulations provide interactive, hands-on training that goes beyond theory, helping employees recognise and respond to phishing attempts and so reducing the likelihood of an attack that compromises cardholder data. Together, the lower attack success rate and the increased awareness improve the organisation's overall security posture.

PCI DSS v4.0 also requires mechanisms to detect and protect personnel against phishing attacks (Requirement 5.4.1), typically technical controls such as email filtering and anti-spoofing. Phishing simulations complement these controls by measuring how well the human layer holds up when a message gets past them, and by identifying who is exposed.

PCI DSS also requires organisations to perform risk analyses (Requirement 12.3 in v4.0). Phishing simulations contribute by quantifying the workforce's susceptibility to social engineering, allowing targeted interventions. Regular simulations further demonstrate an organisation's commitment to security and due diligence, which assessors expect to see.

SWIFT Customer Security Programme (CSP)

The SWIFT network underpins global financial messaging. Social engineering attacks such as phishing are a significant threat to the financial sector, and the SWIFT Customer Security Controls Framework (CSCF) makes security training and awareness a mandatory control (7.2), which is where simulation campaigns fit into CSP compliance.

Phishing simulations give the workforce practical social engineering awareness training, enabling employees to recognise and report attempts to steal credentials or gain unauthorised access to SWIFT-related systems. They are therefore a useful component of a CSP attestation, providing both the training itself and evidence that it is effective.

Cyber Essentials

Cyber Essentials is certified against five technical control themes (firewalls, secure configuration, security update management, user access control and malware protection) and does not itself assess awareness training. It nonetheless reflects the NCSC's position that human error is a significant factor in breaches, and phishing is one of the main attacks employees face in the current landscape. Conducting simulations demonstrates that an organisation is working to improve the awareness of its employees alongside the technical baseline, and identifies those who may require further training.

Phishing simulations reinforce security best practice and complement the technical controls Cyber Essentials mandates: user access control limits what a phished credential can reach, and malware protection limits what a malicious attachment can do, while simulations reduce how often either control is put to the test. The Echo Secure AI Portal provides trend analysis to measure progress over time. Simulations are therefore a valuable complement to Cyber Essentials, not a certification requirement in themselves.

Center for Internet Security (CIS) Controls

Phishing simulations align with the CIS Controls (v8 numbering below) on security awareness and workforce training, and help guard against one of the most prevalent forms of attack.

CIS Control 14: Security Awareness and Skills Training
This control covers educating the workforce on security best practice; Safeguard 14.2 specifically requires training workforce members to recognise social engineering attacks, including phishing. Our simulations provide practical training that helps employees identify and respond to phishing and understand the risks of clicking malicious links or opening suspicious attachments. Regular simulations let organisations track the progress of their training programmes and demonstrate measurable improvement in awareness.

CIS Control 10: Malware Defenses (Control 8 in CIS Controls v7)
Phishing is a common delivery method for malware. Training employees to avoid these lures through regular simulation campaigns reduces the likelihood of infection and complements the technical malware defences this control requires.

CIS Controls 5 and 6: Account Management and Access Control Management
Phishing is frequently used to harvest credentials by deceiving individuals into entering them on a lookalike page, undermining access control. Training employees to spot and report such attempts through regular simulations helps prevent credential theft, and complements the safeguards in these controls, such as requiring MFA for externally exposed applications (Safeguard 6.3).

British Standards Institution (BSI) PAS 555

PAS 555:2013, 'Cyber security risk. Governance and management. Specification', is a BSI publicly available specification for managing cyber security risk that emphasises building a security culture. Phishing simulations contribute by raising awareness of threats among employees, encouraging them to be vigilant and to report suspicious activity, and promoting continuous improvement in security practice. PAS 555 also expects organisations to identify, assess and manage their cyber security risks; simulations measure the effectiveness of existing controls and training, identify where the workforce could be exploited, and so help prioritise mitigation.

PAS 555 further addresses the governance and management of cyber security risk. Simulation results give boards and risk committees a measure of the effectiveness of the security programme and of employees' ability to detect threats, helping organisations demonstrate due diligence to stakeholders and inform security policies and processes. Phishing simulations are therefore a useful tool for meeting PAS 555, strengthening security culture and supporting risk management.

Control Objectives for Information and Related Technology (COBIT)

COBIT is an IT governance framework that emphasises aligning IT governance and management with business goals. Phishing simulations reduce the risk of breaches, helping organisations protect critical assets and stakeholder trust. By addressing the human element of security they promote a security-aware culture across the organisation, and they produce data that governance can use in risk assessment and that management can use when integrating simulations into existing awareness programmes.

Regular simulations enable performance measurement: employee susceptibility is monitored over time, demonstrating the effectiveness of awareness training. Phishing simulations therefore support COBIT principles by promoting security risk management and providing data for governance.

Network and Information Systems Directive 2 (NIS2) 

The NIS2 Directive (Directive (EU) 2022/2555) strengthens cybersecurity across the European Union, particularly for essential and important entities. A key aim is organisational resilience against cyber threats, which is where phishing simulations are highly relevant.

NIS2 places strong emphasis on risk management. Article 21 requires entities to take appropriate and proportionate technical, operational and organisational measures to manage cybersecurity risks, and the minimum measures listed in Article 21(2) include basic cyber hygiene practices and cybersecurity training. Human vulnerability is a significant factor in many attacks; phishing simulations let organisations assess their exposure to social engineering and implement targeted mitigation, such as enhanced training and policy changes.

NIS2 also requires members of management bodies to follow cybersecurity training and expects entities to offer similar training to their employees on a regular basis (Article 20(2)). Phishing simulations are effective training tools because they present realistic scenarios in which employees learn to recognise and respond to social engineering. They are therefore a useful tool for NIS2 compliance, strengthening risk management and delivering awareness training. Note that NIS2 is implemented through national legislation, so the precise training obligations depend on each Member State's transposition.

The Digital Operational Resilience Act (DORA)

Phishing simulations help EU financial entities comply with DORA (Regulation (EU) 2022/2554) by addressing the human element of ICT risk. DORA requires financial entities to establish a comprehensive ICT risk management framework (Article 6) and to include ICT security awareness programmes and digital operational resilience training as compulsory modules in staff training (Article 13(6)). Simulation campaigns help organisations assess and mitigate the risks arising from human vulnerabilities, a key source of ICT incidents.

Phishing simulations also complement the threat-led penetration testing (TLPT) that DORA requires of designated financial entities (Article 26). TLPT exercises a realistic attack path end to end; regular simulations assess the social engineering stage of that path between tests, since phishing is often the initial access used alongside technical exploits.

European Banking Authority (EBA) Guidelines

The EBA Guidelines on ICT and security risk management (EBA/GL/2019/04) call for a robust ICT risk management framework, and phishing simulations support it directly. Simulation campaigns identify and assess the risk posed by an organisation's workforce, producing data that informs risk assessments and drives improvements to security policy and training.

The guidelines also require adequate information security awareness and training for staff. Phishing simulations complement this with interactive training that teaches employees how to recognise and respond to such attacks. They are therefore a useful tool for meeting the EBA guidelines, strengthening ICT risk management and providing awareness training.

NIST Cybersecurity Framework (CSF)

The NIST CSF provides a structure for managing and reducing cybersecurity risk. Phishing simulations map to several of its core functions, particularly Identify, Protect (the Awareness and Training category, PR.AT) and Detect. Simulation campaigns evaluate the workforce at the people level, identifying risky behaviour and assessing the effectiveness of existing awareness training. Improved training is a key protective measure, reducing the likelihood of successful social engineering attacks that compromise systems and data, and is reinforced by best practice for handling emails, phone calls and other communications.

Our live feedback also provides data on how employees respond to suspicious emails and calls, measuring detection capability through report rates and the time between delivery and report. Phishing and vishing simulations are therefore a useful tool for aligning with the NIST CSF across identifying risks, protecting against threats and detecting incidents.

NIST Special Publication (SP) 800-53

NIST SP 800-53, 'Security and Privacy Controls for Information Systems and Organizations', is a catalogue of security and privacy controls used by U.S. federal agencies and other organisations to protect their information systems. Phishing simulations are valuable for organisations implementing it, particularly the Awareness and Training (AT) control family.

NIST SP 800-53 requires security literacy training and awareness for personnel (AT-2), and the control enhancement AT-2(1), Practical Exercises, explains that such exercises include "no-notice social engineering attempts" to collect information or gain unauthorised access. This directly supports the use of phishing simulations, which offer interactive exercises that reinforce and evaluate awareness training and help employees recognise and respond to social engineering.

NIST SP 800-53 also requires organisations to conduct risk assessments (RA-3). Phishing simulations inform these by identifying weaknesses in workforce response to attack. They are therefore a useful tool for meeting NIST SP 800-53, providing social engineering awareness and response training and supporting risk assessment.

Gramm-Leach-Bliley Act (GLBA) / Financial Services Modernization Act of 1999

The GLBA is a U.S. federal law that requires financial institutions to safeguard customers' nonpublic personal information (NPI).

Safeguarding
The GLBA's safeguarding provisions require financial institutions to develop, implement and maintain a comprehensive information security programme. Phishing simulations contribute by providing insight into the effectiveness of existing controls and training, identifying weaknesses in the workforce that could lead to unauthorised access to NPI. This allows targeted training and improves awareness of social engineering threats.

Pretexting 
The GLBA also addresses 'pretexting', obtaining NPI under false pretences, which is precisely what a phishing email or vishing call does. Simulations educate employees about pretexting tactics and train them to identify and respond to suspicious emails and calls, reducing their susceptibility to real attacks and so protecting NPI. Phishing simulations are therefore a useful tool for GLBA compliance, strengthening the security programme and protecting NPI.

The Federal Trade Commission (FTC) Safeguards Rule

The FTC Safeguards Rule (16 CFR Part 314) requires financial institutions under FTC jurisdiction to develop, implement and maintain a comprehensive information security programme to protect customer information, including a written risk assessment and security awareness training for personnel. Phishing simulations contribute by assessing the effectiveness of existing controls and training, pinpointing weaknesses in the workforce, and so identifying gaps in controls and awareness that need further mitigation and training. This demonstrates a proactive approach to security and compliance, reduces the risk of successful attacks, and protects sensitive data. Simulations are therefore a useful tool for meeting the Safeguards Rule by risk-assessing controls and identifying gaps.

North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP)

The NERC CIP standards focus on technical controls protecting BES Cyber Systems (formerly termed Critical Cyber Assets) in the bulk electric system, but they also address the human element: CIP-004 (Personnel and Training) requires a security awareness programme and role-based training for personnel with authorised access. Social engineering attacks such as phishing can bypass technical defences, so even with robust controls human error can compromise these assets, and awareness training is essential to reducing the risk of unauthorised access. Phishing simulations enhance awareness programmes with realistic scenarios, reinforcing best practice and preparing personnel to be vigilant against social engineering. By strengthening the human element, simulations contribute to a more robust security posture in support of NERC CIP.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA's Security Rule requires covered entities and business associates to implement administrative, physical and technical safeguards to protect electronic protected health information (ePHI). Phishing poses a substantial risk to ePHI: it can lead to unauthorised access, malware infections such as ransomware, and reportable breaches. Simulations therefore aid HIPAA compliance by pinpointing weaknesses in human defences, providing data for the required risk analysis (45 CFR 164.308(a)(1)(ii)(A)) and enabling targeted security measures and training.

HIPAA also requires a security awareness and training programme for all workforce members (45 CFR 164.308(a)(5)). Phishing simulations provide hands-on training that reinforces best practice for recognising phishing emails, suspicious phone calls and other social engineering, and for reporting them. Simulations are therefore a useful tool for HIPAA compliance, strengthening the organisation's security posture, informing risk analysis and fulfilling workforce training requirements.

Australian Government Information Security Manual (ISM)

Produced by the Australian Signals Directorate (ASD), the ISM provides cyber security guidance for Australian government organisations. A key element is maintaining a risk management framework. Phishing simulations are useful for identifying and assessing the human-related risks posed by social engineering, which can lead to data breaches and unauthorised access.

The ISM also stresses cyber security awareness training for personnel. Phishing simulations provide hands-on training that helps employees recognise phishing emails and calls, understand the associated risks, and know how to report suspicious activity. They also evaluate whether existing awareness of best practice is actually being applied. By incorporating phishing simulations into their awareness programmes, Australian government organisations can strengthen their alignment with the ISM and their overall defences.

Speak to a member of our Sales Team today to see how Echo Secure AI can help your organisation meet and exceed its compliance requirements.