
Computerware Blog

Is It Fair to Be Fired for Falling for a Phishing… Test?

Let’s run through a quick scenario: your company’s computing infrastructure is infected with ransomware. Fortunately, you have an offsite backup, so you are able to restore your systems without too much trouble, other than the time you’ve lost. As you investigate the root cause, you discover that one of your employees allowed the ransomware in by falling for a phishing email. So, do you fire them?

Now, what if the whole situation was actually just a test, with you pulling the strings? Do you fire them then?

If the concept of terminating someone for falling for a simulated phishing attempt doesn’t sit with you quite right, you're not alone. Many cybersecurity and phishing experts feel the same way.

What Is the Purpose of a Phishing Test?

Let’s consider why you would want to run a phishing test in the first place.

Naturally, you want your business to be as secure as possible. That only makes sense, especially given how prevalent threats are nowadays. Between January 1, 2005 and April 18, 2018, there were 8,854 reported breaches. This averages out to almost two every day, and again, these are just the breaches that were reported. Who knows how many companies managed to sweep their security failings under the rug, or simply shut their doors without explanation?

Your security only becomes more crucial when you consider how effective a tool phishing has proven to be for cybercriminals, and how prevalent these attacks are. While only 1.2 percent of all global email is seen as suspicious, that’s still a worldwide total of at least 3.4 billion phishing messages sent every day.

Furthermore, except in the case of spear phishing, phishing attempts take relatively little effort for a cybercriminal to put together (part of the reason that they are so common). Spear phishing is arguably more dangerous, as these targeted attacks require the cybercriminal to do some research and customize their attack to their target, which makes their attempt much more convincing.

So, with phishing attacks becoming so common, it is extremely important that your staff is able to identify them. Hence phishing tests, which allow you to evaluate your staff’s present abilities in a simulated scenario. Take note: phishing tests are designed to evaluate abilities, not competencies, which is an important distinction to observe while examining the prospect of firing employees who fail phishing tests.

What Some Companies Do (And What Security Experts Think)

Some companies out there demonstrate a very low tolerance for failed phishing tests. This is especially true in the financial industry, but that is the outlier among all industries, and for reasons that are pretty understandable. However, there are those companies that will terminate employees who fail too many (however many that may be) of these evaluations. Others will launch these attacks for the sake of keeping their employees on their toes.

Unfortunately for these companies, what they fail to realize is that these kinds of behaviors will do nothing to improve their security. Sure, firing someone who has a hard time recognizing a phishing email means that individual won’t subject your company to that particular threat, but who’s to say that the next person hired will be able to recognize them any more consistently? Can the rest of your staff actually absorb that employee’s responsibilities? Not to mention, just firing someone will do nothing to actually educate them on phishing, which means that another business (that could very well have some of your information on file) might be the next to hire that employee, and could find themselves breached as a result.

You also need to consider the stress that this puts on your employees, demoralizing them and making them resentful toward you, the employer who keeps trying to catch them in a mistake without providing any constructive follow-up.

Finally, think about how the threat of consequences might influence an employee’s decisions. Many solutions offer the option to report suspected phishing, and many employees (even if they’ve already clicked on the link) will still report them. At least, that’s what should happen… but if there are consequences that may come back to them for their mistake, they lose the motivation to report it. Why would they open themselves up to suspicion when their job could be on the line?

In short, your employees won’t trust you enough to tell you the truth.

How to Approach Phishing Tests Instead

Surprising your staff with an unannounced phishing test is an okay thing to do, as long as it is accompanied by a review of the results and follow-up training to help them improve, rather than a pink slip.

There’s also a lot to be said for leveraging positive reinforcement after a phishing test, rather than focusing on the negative. Rewarding the department that performs the best with a small bonus or gift cards will motivate everyone to be more vigilant, as there is a potential reward at stake for doing well. However, if you really want to hammer home the real-world consequences of phishing, gamification can be an effective way to do so while still motivating your employees. Rather than the carrot of a gift card, you could give the lowest-scoring team some kind of stick, like the responsibility of buying lunch for the rest of the team one day. While this will still sting, it is less extreme than termination and better communicates the actual consequences of phishing.

If you need help running a phishing test, reach out to Computerware. We can help advise you and your team on how to avoid phishing scams and other security risks by identifying them before it is too late. Give us a call at (703) 821-8200 to learn more.

Sunday, July 12, 2020