facebook linkedin twitter

Computerware Blog

Is It Fair to Be Fired for Falling for a Phishing… Test?

Is It Fair to Be Fired for Falling for a Phishing… Test?

Let’s run through a quick scenario: your company’s computing infrastructure is infected with ransomware. Fortunately, you have an offsite backup, so you are able to restore your systems without too much trouble, other than the time you’ve lost. As you investigate the root cause, you discover that one of your employees allowed the ransomware in by falling for a phishing email. So, do you fire them?

Now, what if the whole situation was actually just a test, with you pulling the strings? Do you fire them then?

If the concept of terminating someone for falling for a simulated phishing attempt doesn’t sit with you quite right, you're not alone. Many cybersecurity and phishing experts feel the same way.

What Is the Purpose of a Phishing Test?

Let’s consider why you would want to run a phish test in the first place.

Naturally, you want your business to be as secure as possible -- that only makes sense, especially given how prevalent threats are nowadays. Between January 1, 2005 and April 18, 2018, there were 8,854 reported breaches. This averages out to almost two every day - and again, these are just the breaches that were reported. Who knows how many companies managed to sweep their security failings under the rug, or simply shut their doors without explanation?

Your security only becomes more crucial when you consider how effective a tool phishing has proven to be for cybercriminals, and how prevalent these attacks are. While only 1.2 percent of all global email is seen as suspicious, that’s still a worldwide total of at least 3.4 billion phishing messages sent every day.

Furthermore, except in the case of spear phishing, phishing attempts take relatively little effort for a cybercriminal to put together (part of the reason that they are so common). Spear phishing is arguably more dangerous, as these targeted attacks require the cybercriminal to do some research and customize their attack to their target, which makes their attempt much more convincing.

So, with phishing attacks becoming so common, it is extremely important that your staff is able to identify them. Hence phishing tests, which allow you to evaluate your staff’s present abilities in a simulated scenario. Take note: phishing tests are designed to evaluate abilities, not competencies, which is an important distinction to observe while examining the prospect of firing employees who fail phishing tests.

What Some Companies Do (And What Security Experts Think)

Some companies out there demonstrate a very low tolerance for failed phishing tests. This is especially true in the financial industry, but that is the outlier among all industries, and for reasons that are pretty understandable. However, there are those companies that will terminate employees who fail too many (however many that may be) of these evaluations. Others will launch these attacks for the sake of keeping their employees on their toes.

Unfortunately for these companies, what they fail to realize is that these kinds of behaviors will do nothing to improve their security. Sure, firing someone who has a hard time recognizing a phishing email means that individual won’t subject your company to that particular threat, but who’s to say that the next person hired will be able to recognize them any more consistently? Can the rest of your staff actually absorb that employee’s responsibilities? Not to mention, just firing someone will do nothing to actually educate them on phishing, which means that another business (that could very well have some of your information on file) might be the next to hire that employee, and could find themselves breached as a result.

You also need to consider the stress that this puts on your employees, demoralizing them and making them resentful toward you -- the employer who keeps trying to catch them in a mistake without any constructive follow-up provided. 

Finally, think about how the threat of consequences might influence an employee’s decisions. Many solutions offer the option to report suspected phishing, and many employees (even if they’ve already clicked on the link) will still report them. At least, that’s what should happen… but if there are consequences that may come back to them for their mistake, they lose the motivation to report it. Why would they open themselves up to suspicion when their job could be on the line?

In short, your employees won’t trust you enough to tell you the truth.

How to Approach Phishing Tests Instead

Surprising your staff with an unannounced phishing test is an okay thing to do, as long as it is accompanied by a review of the results and follow-up training to help them improve, rather than a pink slip.

There’s also a lot to be said about leveraging positive reinforcement after a phishing test, rather than focusing on the negative. Rewarding the department that performs the best with a small bonus or gift cards will motivate everyone to be more vigilant, as there is a potential reward at stake for doing well. However, if you really want to hammer home the real-world consequences of phishing, gamification can be an effective way to do so while still motivating your employees. Rather than the carrot of a gift card, you could give the lowest-scoring team some kind of stick--like the responsibility of buying lunch for the rest of the team one day. While this will still sting, it is less extreme than termination and better communicates the actual consequences of phishing.

If you need help running a phishing test, reach out to Computerware. We can help advise you and your team on how to avoid phishing scams and other security risks by identifying them before it is too late. Give us a call at (703) 821-8200 to learn more.

7 IT Myths We Hear Too Often
Tip of the Week: Speed Up Your Computing with Wind...
 

Comments

No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Guest
Monday, August 19, 2019

Captcha Image

Mobile? Grab this Article!

QR-Code dieser Seite

Tag Cloud

Security Tip of the Week Technology Best Practices Privacy Internet Cloud Business Computing Software Business Management Hackers Data Hardware Microsoft Workplace Tips Backup Managed Service Provider Productivity Network Security Business Hosted Solutions Email Malware Saving Money IT Services Efficiency Computer IT Support Google User Tips Innovation Productivity Small Business Smartphones Mobile Devices Quick Tips Microsoft Office Business Continuity Gadgets VoIP Social Media Network Android Collaboration Data Backup Disaster Recovery Data Recovery IT Support Upgrade Mobile Office Server Virtualization Communication communications Mobile Device Management Smartphone Miscellaneous Phishing Ransomware Windows 10 Windows Tech Term Cybersecurity Facebook Operating System Unified Threat Management Vendor Management Holiday Remote Monitoring Passwords Apps Automation BYOD Users Remote Computing Managed IT services Mobile Computing Analytics WiFi BDR Mobile Device Outsourced IT Internet of Things Artificial Intelligence Managed IT Services Apple Data Management The Internet of Things Marketing History Browser Save Money Firewall Alert App Cloud Computing Encryption Big data IT Consultant Spam Office 365 Help Desk Two-factor Authentication Gmail Bandwidth Business Technology Office Maintenance Printer Content Filtering Windows 10 Health Going Green Bring Your Own Device Antivirus VPN Search Government Managed IT Virus Employer-Employee Relationship Cybercrime Tech Support Lithium-ion Battery Best Practice Information Technology Cost Management Hiring/Firing Training Hard Drives Budget Wireless Technology Outlook Windows 8 Saving Time Computers It Management Travel Managed Service Blockchain Education Recovery Update Networking Hacking Phone System Information IBM Money Document Management Healthcare Access Control Customer Service Law Enforcement Applications Hard Drive Twitter Intranet Humor Compliance Mobility Website Data Loss Data storage Avoiding Downtime iPhone Risk Management Value Password Legal Save Time Downtime Regulations Current Events Augmented Reality PowerPoint Proactive IT SaaS Running Cable File Sharing Administration Securty Windows 7 Wireless Data Security Google Maps DDoS Storage Patch Management Solid State Drive Social Engineering Flexibility Scam Black Market Word Retail Cryptocurrency Data Breach Laptop Business Intelligence Private Cloud Cortana Business Growth Excel Digital Digital Payment Project Management Telephony Hacker Websites Router Management Customer Relationship Management Machine Learning Telephone Systems Comparison Tablet Paperless Office Vulnerabilities Sports Company Culture User Computing Computer Repair Disaster End of Support Social Networking Hosted Solution Fax Server Robot Social IT service Network Congestion Documents Data Protection Teamwork Heating/Cooling Distribution Entertainment Downloads Politics Virtual Reality Emails Bluetooth Streaming Media Conferencing Automobile Inbound Marketing Chromebook Voice over Internet Protocol Redundancy Computing Infrastructure Hack Google Docs Net Neutrality Pain Points Memory Monitoring How To eWaste Chrome Download Evernote Experience Monitors Virtual Assistant Cleaning Office Tips Computer Accessories Microchip Taxes Processors Start Menu Tech Terms Distributed Denial of Service USB Mobile Technology User Error YouTube Co-managed IT Trending Presentation Gaming Console Cooperation Software as a Service Unified Communications Settings Mouse Public Cloud Vendor Uninterrupted Power Supply Virtual Desktop Webcam Processor Specifications Safety Text Messaging Vulnerability Lifestyle Statistics Bitcoin Programming Identity Theft Gamification Notifications CCTV Digital Signature Security Cameras Point of Contact Screen Reader Customer Resource management User Tip Proactive Maintenance Piracy Upload Business Metrics Computer Malfunction Navigation Thin CLient cache Television Best Practives switches Writing Smart Tech Reliable Computing 3D Solutions Ebay Music Smart Phones Data Analysis Employees WannaCry Upgrades HTML Professional Services Fiber-Optic Database In Internet of Things Microserver Recycling Mobile Security GDPR Time Management Freedom of Information LiFi Analytic Telephone System PDF SQL Server Corporate Profile Software License Trends Motion Sickness Best Available Keyboard Tech Leadership Assessment SharePoint Product Reviews Multi-Factor Security Cost Scalability Adminstration Integration Pirating Information Fileless Malware Hybrid Cloud Google Calendar Get More Done Deep Learning Devices Messenger Tracking Domains Tip of the week Work/Life Balance Read Fraud Tactics VoIP Turn Key UTM Content Rental Service Meetings Public Speaking Modem Touchscreen News Printer Server Visible Light Communication Proxy Server Azure IT Plan Enterprise Resource Planning Web Server Shortcut Term Consultation Trojan IT consulting Legislation Error Cabling Electronic Medical Records Transportation Knowledge Device Management Administrator Entrepreneur Directions Display Technology Tips Business Managemenet Accountants A.I. Books Workers Troubleshooting Recording Organize Content Management email scam Addiction Wi-Fi Free Resource Audit CIO Multi-factor Authentication Supercomputer HIPAA Upselling SSID Fake News Advertising Flash Environment Dark Web online Currency Migration Connected Devices Competition Processing Data Warehousing Windows XP Wireless Headphones Telephone Worker Electronic Payment Health IT Employee/Employer Relationship Video Surveillance Staffing Google Wallet Managed IT Service Saving ZTime Wasting Time Access Displays Equifax Fleet Tracking Reading Samsung Business Owner Logistics Emergency Hard Drive Disposal Society Network Management Bookmark Computer Care Micrsooft LinkedIn Device security MSP Employer Employee Relationship IP Address Microsoft Excel Webinar G Suite Drones Desktop Finance Hacks Physical Security Application Harddrive Google Play Google Drive Windows Server 2008 Nanotechnology Social Network Licensing Human Resources Employer/Employee Relationships Debate Service Level Agreement Banking Botnet Managing Costs Spyware Mobile Payment Skype Startup Asset Tracking Relocation Tablets GPS Microsoft 365 Archive Business Cards External Harddrive Browsers Electricity Printing Username Medical IT Permissions Language Unified Threat Management Backup and Disaster Recovery Sync Virtual Machine Managing Stress Printers Hypervisor CrashOverride Regulation 3D Printing Capital Personal Information Productuvuty Financial

toner1