
Computerware Blog

Is It Fair to Be Fired for Falling for a Phishing… Test?


Let’s run through a quick scenario: your company’s computing infrastructure is infected with ransomware. Fortunately, you have an offsite backup, so you are able to restore your systems without too much trouble, other than the time you’ve lost. As you investigate the root cause, you discover that one of your employees allowed the ransomware in by falling for a phishing email. So, do you fire them?

Now, what if the whole situation was actually just a test, with you pulling the strings? Do you fire them then?

If the idea of terminating someone for falling for a simulated phishing attempt doesn't sit right with you, you're not alone. Many cybersecurity and phishing experts feel the same way.

What Is the Purpose of a Phishing Test?

Let's consider why you would want to run a phishing test in the first place.

Naturally, you want your business to be as secure as possible. That only makes sense, especially given how prevalent threats are nowadays. Between January 1, 2005 and April 18, 2018, there were 8,854 reported breaches, which averages out to almost two every day. And again, these are just the breaches that were reported; who knows how many companies managed to sweep their security failings under the rug, or simply shut their doors without explanation?

Your security only becomes more crucial when you consider how effective a tool phishing has proven to be for cybercriminals, and how prevalent these attacks are. While only 1.2 percent of all global email is seen as suspicious, that’s still a worldwide total of at least 3.4 billion phishing messages sent every day.

Furthermore, a generic phishing attempt takes relatively little effort for a cybercriminal to put together, which is part of the reason they are so common. Spear phishing is the exception, and arguably more dangerous: these targeted attacks require the cybercriminal to research the target and customize the message to them, which makes the attempt far more convincing.

So, with phishing attacks this common, it is extremely important that your staff is able to identify them. Hence phishing tests, which let you evaluate your staff's present abilities in a simulated scenario. Take note: a phishing test measures how someone responded to one message on one day, not a fixed competence, and that distinction matters when examining the prospect of firing employees who fail one.

What Some Companies Do (And What Security Experts Think)

Some companies demonstrate a very low tolerance for failed phishing tests. This is especially true in the financial industry, which is an outlier among industries for understandable reasons. Still, there are companies that will terminate employees who fail too many (however many that may be) of these evaluations, and others that launch these attacks simply to keep their employees on their toes.

Unfortunately for these companies, what they fail to realize is that this kind of behavior does nothing to improve their security. Sure, firing someone who has a hard time recognizing a phishing email means that individual won't expose your company to that particular threat again, but who's to say the next person hired will recognize them any more consistently? Can the rest of your staff actually absorb that employee's responsibilities? Not to mention, firing someone does nothing to educate them about phishing, which means another business (one that could very well have some of your information on file) might be the next to hire that employee, and could find itself breached as a result.

You also need to consider the stress this puts on your employees, demoralizing them and making them resentful toward you, the employer who keeps trying to catch them in a mistake without providing any constructive follow-up.

Finally, think about how the threat of consequences might influence an employee's decisions. Many solutions offer the option to report suspected phishing, and many employees (even if they've already clicked on the link) will still report it. At least, that's what should happen. A prompt report from someone who clicked is what lets you pull the message from other inboxes, reset the credentials and isolate the machine before an attacker gets far, so the report rate and the time to first report are better measures of your security than the click rate alone. But if there are consequences that may come back on them for their mistake, employees lose the motivation to report it. Why would they open themselves up to suspicion when their job could be on the line?

In short, your employees won’t trust you enough to tell you the truth.

How to Approach Phishing Tests Instead

Surprising your staff with an unannounced phishing test is fine, as long as it is accompanied by a review of the results and follow-up training to help them improve, rather than a pink slip.

There's also a lot to be said for leveraging positive reinforcement after a phishing test, rather than focusing on the negative. Rewarding the best-performing department with a small bonus or gift cards will motivate everyone to be more vigilant, since there is a potential reward at stake for doing well. If you really want to hammer home the real-world consequences of phishing, gamification can be an effective way to do so while still motivating your employees. Rather than the carrot of a gift card, you could give the lowest-scoring team some kind of stick, like the responsibility of buying lunch for the rest of the team one day. While this will still sting, it is far less extreme than termination and better communicates the actual consequences of phishing.
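As an added example (not code from the original post or from Computerware), here is how the review of results and the department-level scoring described above can be done so that reporting, not just clicking, drives the score. The campaign data below is constructed for illustration; the user names, department names and timestamps are assumptions, and a real deployment would load the same fields from the phishing platform's export.

```python
"""Score a simulated phishing campaign by reporting behaviour, not just clicks.

Added example with constructed data. The key signal is whether people who
clicked still reported: that is what tells a security team how soon it would
have learned about a real compromise.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional


@dataclass
class Recipient:
    user: str
    department: str
    sent_at: datetime
    clicked_at: Optional[datetime] = None   # None means the user did not click
    reported_at: Optional[datetime] = None  # None means the user did not report


# Constructed sample campaign (hypothetical users and departments, not real data).
T0 = datetime(2019, 10, 14, 9, 0)
CAMPAIGN: List[Recipient] = [
    Recipient("alice", "finance", T0, reported_at=T0 + timedelta(minutes=4)),
    # bob clicked, then reported a minute later: the click is a failure, the
    # report is the behaviour that shortens a real incident.
    Recipient("bob", "finance", T0, clicked_at=T0 + timedelta(minutes=2),
              reported_at=T0 + timedelta(minutes=3)),
    Recipient("carol", "finance", T0),
    Recipient("dave", "sales", T0, clicked_at=T0 + timedelta(minutes=11)),
    Recipient("erin", "sales", T0, clicked_at=T0 + timedelta(minutes=30)),
    Recipient("frank", "sales", T0, reported_at=T0 + timedelta(hours=2)),
]


def campaign_metrics(recipients: List[Recipient]) -> Dict[str, object]:
    """Compute the metrics worth reviewing after a test.

    click_rate alone is what a punitive program looks at; report_rate,
    clicker_report_rate and minutes_to_first_report show whether the
    organisation would actually hear about a real attack in time.
    """
    n = len(recipients)
    clicked = [r for r in recipients if r.clicked_at is not None]
    reported = [r for r in recipients if r.reported_at is not None]
    clicked_and_reported = [r for r in clicked if r.reported_at is not None]
    minutes_to_report = [
        (r.reported_at - r.sent_at).total_seconds() / 60 for r in reported
    ]
    return {
        "recipients": n,
        "click_rate": len(clicked) / n if n else 0.0,
        "report_rate": len(reported) / n if n else 0.0,
        # Share of clickers who still reported: the number punishment drives to zero.
        "clicker_report_rate": (
            len(clicked_and_reported) / len(clicked) if clicked else None
        ),
        "minutes_to_first_report": min(minutes_to_report) if minutes_to_report else None,
        "median_minutes_to_report": median(minutes_to_report) if minutes_to_report else None,
        # Clickers who stayed silent are the follow-up-training list, not a firing list.
        "silent_clickers": sorted(r.user for r in clicked if r.reported_at is None),
    }


def department_scores(recipients: List[Recipient]) -> Dict[str, Dict[str, object]]:
    """Group recipients by department and score each group."""
    by_dept: Dict[str, List[Recipient]] = {}
    for r in recipients:
        by_dept.setdefault(r.department, []).append(r)
    return {dept: campaign_metrics(group) for dept, group in by_dept.items()}


def rank_departments(recipients: List[Recipient]) -> List[str]:
    """Best department first: highest report rate, ties broken by lowest click rate."""
    scores = department_scores(recipients)
    return sorted(
        scores,
        key=lambda d: (-float(scores[d]["report_rate"]), float(scores[d]["click_rate"])),
    )


if __name__ == "__main__":
    overall = campaign_metrics(CAMPAIGN)
    print("Overall:", overall)
    for dept, score in department_scores(CAMPAIGN).items():
        print(dept, score)
    print("Ranking for the gift cards:", rank_departments(CAMPAIGN))
```

In the constructed data the first report arrives three minutes after the message went out, one minute after the first click, only because the person who clicked felt safe reporting it. Reviewing the "silent_clickers" list as a training list, and ranking departments on report rate rather than click rate, is the results review the text calls for.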

If you need help running a phishing test, reach out to Computerware. We can help advise you and your team on how to avoid phishing scams and other security risks by identifying them before it is too late. Give us a call at (703) 821-8200 to learn more.
