If an employee is susceptible to clicking on a phishing email, what’s the right way to handle the problem? While some companies have taken to firing workers, the morale cost might just be too high for that.
When someone falls for a phishing email, whose fault is it—and should someone take the fall?
It turns out that, at least at a handful of companies, there’s an answer to that question: the person responsible for the errant click.
In fact, some have apparently gone to the surprising step of firing employees who have repeatedly failed phishing tests—not even actual attacks, just tests!
Security blogger Brian Krebs, who has seen more of the cybersecurity front than most, recently wrote that even he was surprised to learn this was a real practice: in some cases, people were being fired for failing to spot a phishing scheme.
He interviewed a number of experts about this, and they all said the same thing: it's bad form to fire someone for what is, effectively, an institutional problem.
John LaCour, the founder and CTO of PhishLabs, told Krebs that the approach was demoralizing, rather than teaching people new things.
“It really demotivates people, and it doesn’t really teach them anything about how to be more diligent about phishing attacks,” LaCour stated. “Each phishing simulation program needs to be accompanied by a robust training program, where you teach employees what to do when they see something phishy. Otherwise, it just creates resentment among employees.”
Nonetheless, there is a desire to punish someone, anyone, for the attack having taken place at all. A Proofpoint email fraud survey [PDF] from last year found that 1 in 4 phishing attacks worldwide led to someone getting fired. In the United States, the number was 40 percent.
One reason for the stringent approach? A successful phish can do significant damage to the business. The report noted that 55.7 percent of survey participants said they had seen business disruptions from phishing attacks, with that number jumping to 61 percent in the U.S. The most common issue was downtime; other consequences included the loss of sensitive or confidential data, recovery costs, and funds lost to cybercriminals.
The report adds that teams dealing with money, think finance and accounts payable, most commonly receive phishing emails, at rates well above the C-suite or the general workforce in most of the countries surveyed. (France is the outlier; there, the C-suite is most likely to get such messages.)
This conversation matters for associations, not only because they are just as susceptible to such attacks but also because their member-facing role means they have to walk a careful line in how they respond.
Part of the problem with punishing an individual is that the situation is often the result of something more systemic. In the latest issue of Associations Now, Senior Editor Tim Ebner noted that member directories (and staff directories) have become a common starting point for phishing schemes, since they hand an attacker names, titles, and email addresses ready for targeting, and that there are ways to safeguard this information.
These are obviously big problems, and employees should know what distinguishes a phishing email from a legitimate one. As I've written in the past, many folks struggle with correctly identifying phishing messages in a quiz—even those who are computer-savvy.
At some point, though, the employee has to become aware of the role they can play in avoiding such attacks. They should have a degree of distrust baked in—and if they don’t, they should gain one, fast.
In a blog post last year, DelCor's Dan Lautman noted that avoiding phishing attacks has become important enough that general cybersecurity literacy must be part of employee training, and that it is something everyone is responsible for.
“Everyone must have sufficient skills to use the Internet and email safely—that means having cybersecurity awareness skills,” he wrote. “Leadership and HR must ensure there are consequences for being careless with cybersecurity—no matter who the person is.”
But Lautman was quick to add that the employer should keep the issue front and center, bringing it up at every all-staff meeting and highlighting those who do the right thing.
“Acknowledge and thank those who spot real phishing emails or consistently detect the fake ones,” he writes. “Positive and public acknowledgement will help spread good behavior.”
The internal blame game around phishing attacks ultimately sidesteps the fact that the real fault lies with the attacker, who is unlikely to ever be punished for it, especially when operating from another part of the world. While there may be room for consequences for someone who clicks an errant link, say, additional training requirements, outright firing should be off the table.
Instead, focus on prevention and response. The phishing email didn't just show up in the user's inbox at random; in many cases a systemic gap put it there or let it do damage, such as a publicly exposed member or staff directory, or no clear, well-known way for the recipient to report a suspicious message.