Firing employees for failing phishing tests can be extremely counterproductive and can damage an organization’s overall security posture. That, at any rate, is what two security experts told Brian Krebs recently, and we agree with them.
Companies sometimes think punitive policies will make employees take phishing more seriously, but these policies actually discourage cooperation and openness. It is much more productive to reward desired behavior.
John LaCour, founder and CTO of PhishLabs, told Krebs that punishment isn’t an effective response to failed phishing tests because it makes employees feel they’ve been manipulated.
“It really demotivates people, and it doesn’t really teach them anything about how to be more diligent about phishing attacks,” LaCour said. “Each phishing simulation program needs to be accompanied by a robust training program, where you teach employees what to do when they see something phishy. Otherwise, it just creates resentment among employees.”
In addition to creating an unhealthy work environment, punishing employees for failing phishing tests will have negative repercussions for your organization’s security. When an employee does fall for a phishing email, whether real or simulated, the most important thing they can do is report the incident so that the attack can be mitigated. Rohyt Belani, CEO of Cofense, said that organizations should have training programs that encourage employees to report failed phishing tests.
“So what happens a lot of times is a person may click on a link in a real phishing email, and three seconds later realize, ‘Oops, I shouldn’t have clicked, let me report it anyway’,” Belani told Krebs. “But if that person knew there was a punitive angle to doing so, they’re more likely not to report it and to say, ‘You know what, I didn’t do it. Where’s the proof I clicked on the link?’”
LaCour says that positive reinforcement and recognition are key elements in improving employees’ phishing resistance. He said that posting the scores for each department’s phishing tests can make employees take the tests seriously and improve cooperation. He added that small rewards and lighthearted penalties, like having the lowest-scoring department buy lunch for everyone, can also help by making it feel like a good-natured competition.
An organization’s employees are its most important assets, and they need to be treated fairly and with respect. New-school security awareness training can build a culture of security within your organization by providing education programs that are effective and make your employees feel valued.
Part of that fair treatment is a published security policy—which hundreds of organizations use today—to create a clean, clear, level playing field with known consequences for repeated click behavior. Here is the Policy Template.
KrebsOnSecurity has the story: https://krebsonsecurity.com/2019/05/should-failing-phish-tests-be-a-fireable-offense/
Free Phish Alert Button
Do your users know what to do when they receive a phishing email? KnowBe4's Phish Alert Button gives your users a safe way to forward email threats to the security team for analysis and deletes the email from the user's inbox to prevent future exposure. All with just one click! Phish Alert benefits:
- Reinforces your organization’s security culture
- Users can report suspicious emails with just one click
- Incident Response gets early phishing alerts from users, creating a network of “sensors”
- Email is deleted from the user's inbox to prevent future exposure
- Easy deployment via MSI file for Outlook, G Suite deployment for Gmail (Chrome)