- YES - 20%
- NO - 16%
- Depends on the circumstances - 60%
- Other 4%
The second and last question asked for the rationale behind their answer. I read them all, and the vast majority agreed that it should be driven by a fairly standard approach you might call "increasingly severe consequences". Here are three quotes:

"If this is the first time the employee fell for a phishing attack, then I would not necessarily fire them. But if they repeatedly click bad links, or if they violated other policy or checks-and-balances when they released the W-2 info, then I would probably fire them."
"If the organization is updating their personnel on the latest phishing scams and best practices, and the employee does not follow those general guidelines - they most likely should be fired. However, if the phishing scam is unknown, or the organization has not been diligently warning their employees about known phishing scams and threats, the employer is to blame and the employee should not be fired."
"All employees are responsible for the safety and security of company data and, more importantly, CLIENT data. This is about Alpha PAYROLL, a company where the compromising of personal data could well be an existential threat. If employees have received training on watching out for phishing attacks, a firing is not out of line. If the company did not train employees on phishing attacks, then perhaps an executive who should have overseen such training should be fired."
One thing is clear: effective security awareness training is a must these days. You can start with a baseline test to find out what the phish-prone percentage of your employees is. It is often higher than expected, but that makes it great ammo to get budget. There is no cost for this Phishing Security Test.