Let’s run through a quick scenario: your company’s computing infrastructure is infected with ransomware. Fortunately, you have an offsite backup, so you are able to restore your systems without too much trouble, other than the time you’ve lost. As you investigate the root cause, you discover that one of your employees allowed the ransomware in by falling for a phishing email. So, do you fire them?
Now, what if the whole situation was actually just a test, with you pulling the strings? Do you fire them then?
If the concept of terminating someone for falling for a simulated phishing attempt doesn’t sit with you quite right, you're not alone. Many cybersecurity and phishing experts feel the same way.
Let’s consider why you would want to run a phish test in the first place.
Naturally, you want your business to be as secure as possible -- that only makes sense, especially given how prevalent threats are nowadays. Between January 1, 2005 and April 18, 2018, there were 8,854 reported breaches. This averages out to almost two every day - and again, these are just the breaches that were reported. Who knows how many companies managed to sweep their security failings under the rug, or simply shut their doors without explanation?
Your security only becomes more crucial when you consider how effective a tool phishing has proven to be for cybercriminals, and how prevalent these attacks are. While only 1.2 percent of all global email is seen as suspicious, that’s still a worldwide total of at least 3.4 billion phishing messages sent every day.
Furthermore, except in the case of spear phishing, phishing attempts take relatively little effort for a cybercriminal to put together (part of the reason that they are so common). Spear phishing is arguably more dangerous, as these targeted attacks require the cybercriminal to do some research and customize their attack to their target, which makes their attempt much more convincing.
So, with phishing attacks becoming so common, it is extremely important that your staff is able to identify them. Hence phishing tests, which allow you to evaluate your staff’s present abilities in a simulated scenario. Take note: phishing tests are designed to evaluate abilities, not competencies, which is an important distinction to observe while examining the prospect of firing employees who fail phishing tests.
Some companies out there demonstrate a very low tolerance for failed phishing tests. This is especially true in the financial industry, but that is the outlier among all industries, and for reasons that are pretty understandable. However, there are those companies that will terminate employees who fail too many (however many that may be) of these evaluations. Others will launch these attacks for the sake of keeping their employees on their toes.
Unfortunately for these companies, what they fail to realize is that these kinds of behaviors will do nothing to improve their security. Sure, firing someone who has a hard time recognizing a phishing email means that individual won’t subject your company to that particular threat, but who’s to say that the next person hired will be able to recognize them any more consistently? Can the rest of your staff actually absorb that employee’s responsibilities? Not to mention, just firing someone will do nothing to actually educate them on phishing, which means that another business (that could very well have some of your information on file) might be the next to hire that employee, and could find themselves breached as a result.
You also need to consider the stress that this puts on your employees, demoralizing them and making them resentful toward you -- the employer who keeps trying to catch them in a mistake without any constructive follow-up provided.
Finally, think about how the threat of consequences might influence an employee’s decisions. Many solutions offer the option to report suspected phishing, and many employees (even if they’ve already clicked on the link) will still report them. At least, that’s what should happen… but if there are consequences that may come back to them for their mistake, they lose the motivation to report it. Why would they open themselves up to suspicion when their job could be on the line?
In short, your employees won’t trust you enough to tell you the truth.
Surprising your staff with an unannounced phishing test is an okay thing to do, as long as it is accompanied by a review of the results and follow-up training to help them improve, rather than a pink slip.
There’s also a lot to be said about leveraging positive reinforcement after a phishing test, rather than focusing on the negative. Rewarding the department that performs the best with a small bonus or gift cards will motivate everyone to be more vigilant, as there is a potential reward at stake for doing well. However, if you really want to hammer home the real-world consequences of phishing, gamification can be an effective way to do so while still motivating your employees. Rather than the carrot of a gift card, you could give the lowest-scoring team some kind of stick--like the responsibility of buying lunch for the rest of the team one day. While this will still sting, it is less extreme than termination and better communicates the actual consequences of phishing.
If you need help running a phishing test, reach out to KT Connections. We can help advise you and your team on how to avoid phishing scams and other security risks by identifying them before it is too late. Give us a call at 605-341-3873 to learn more.