Thanks to KnowBe4 for this great policy tip!
Firing employees for failing phishing tests can be extremely counterproductive and can damage an organization's overall security posture. That, at any rate, is what two security experts told Brian Krebs recently, and we agree with them.
Companies sometimes think punitive policies will make employees take phishing more seriously, but these policies actually discourage cooperation and openness. It is much more productive to reward desired behavior.
John LaCour, founder and CTO of PhishLabs, told Krebs that punishment isn't an effective response to failed phishing tests because it makes employees feel they've been manipulated.
"It really demotivates people, and it doesn't really teach them anything about how to be more diligent about phishing attacks," LaCour said. "Each phishing simulation program needs to be accompanied by a robust training program, where you teach employees what to do when they see something phishy. Otherwise, it just creates resentment among employees."
Punishing Employees Has Negative Security Repercussions
In addition to creating an unhealthy work environment, punishing employees for failing phishing tests will have negative repercussions for your organization's security. When an employee does fall for a phishing email, whether real or simulated, the most important thing they can do is report the incident so that the attack can be mitigated. Rohyt Belani, CEO of Cofense, said that organizations should have training programs that encourage employees to report failed phishing tests.
"So what happens a lot of times is a person may click on a link in a real phishing email, and three seconds later realize, 'Oops, I shouldn't have clicked, let me report it anyway'," Belani told Krebs. "But if that person knew there was a punitive angle to doing so, they're more likely not to report it and to say, 'You know what, I didn't do it. Where's the proof I clicked on the link?'"
LaCour says that positive reinforcement and recognition is a key element in improving employees' phishing resistance. He said that posting the scores for each department's phishing tests can make employees take the tests seriously and improve cooperation. He added that small rewards and lighthearted penalties, like having the lowest-scoring department buy lunch for everyone, can also help by making it feel like a good-natured competition.
An organization's employees are its most important assets, and they need to be treated fairly and with respect. However, employees that are chronically click-happy become an active liability for your network security. New-school security awareness training can build a culture of security within your organization by providing education programs that are effective and make your employees feel valued.
Part of that fair treatment is a published security policy, which hundreds of organizations use today, to create a clean, clear, level playing field with known consequences for repeated click behavior. Here is a "find/replace" Policy Template Doc that you can use for your own organization:
https://blog.knowbe4.com/policy-template-should-failing-phishing-tests-be-a-fireable-offense