I don’t mean to sound paranoid, but people in your organization are lying to you about the way they use the company network and company technology. Or, at the very least, they aren’t telling you the whole story. And no amount of remote monitoring will give you the complete picture of how they are using your precious tech tools. If you have the resources to dive deep into the browser history of each and every employee, more power to you. If you don’t, you are going to have to figure out how to grapple with this fact.
The instinct to hide what we do wrong may be most damaging when it comes to phishing attacks. It’s bad when an employee clicks on an emailed link from nefarious actors when they shouldn’t; it’s even worse if they don’t tell anyone. As you likely know, the first successful phishing attack of an individual is the tip of the spear when it comes to a full-scale breach of an organization’s cybersecurity defenses. If an employee begins to panic and doesn’t tell anyone what has happened, you can miss the warning that the enemy is at the gate.
Continuing with the battle analogy, some organizations combat phishing with what might be called a heads-on-poles strategy. They conduct simulated phishing attacks, and then punish those who fall for the fake emails; they hope that everyone will be more vigilant afterwards. According to an infosecurity article, a Cybsafe study of UK businesses “found that mistakes such as falling for simulated phishing scams are regularly punished. This includes naming and shaming employees (15%), decreasing access privileges (33%) and locking computers until appropriate training has been completed (17%). Additionally, 63% of organizations will inform the employees’ line manager when cyber-mistakes are made.”
This approach is problematic in two fundamental ways.
First, as the article further discusses, this tactic is sure to demoralize your staff. Not only are they being targeted by bad actors around the world, but their own organization is trying to trip them up. Maybe they should have been more careful, the employees reason, but the organization also should have trained them better in the first place.
Second, and perhaps more importantly, this approach may make employees think twice about fessing up if and when they do fall for a real phishing attack. Think about it - if you are going to punish them for failing a test, then what will you do if the real thing happens? Hopefully, they may altruistically fess up. If not, they may think they’re going to be fired if they are outed as a phishing victim, so what motive would they have to volunteer the information?
There are no guarantees when it comes to cybersecurity policy, but your best bet may be to create a no-bad-mistakes, open-door policy with your employees. Some suggestions:
- Create an atmosphere in which you emphasize that each employee is a contributor and collaborator when it comes to cybersecurity.
- Give warning that phishing attack simulations are coming within a span of time, and provide tongue-in-cheek feedback should they fall for it, such as a silly clickthrough screen.
- If they fail a test, provide ample opportunity for training, and incentivize that training.
- If you’re worried about incentivizing “bad” behavior by providing incentives for remedial training, then make sure that everyone who succeeds at not falling for the phishing simulation can get a small prize, as well. Then, when those who failed complete the training, they get the same prize at the end.
- To reduce the shame factor, create ways to anonymously report or even automatically report a phishing attempt.
- If you have their permission, publicly praise those who step forward to report a phishing attempt. If you don’t, praise them anonymously.
- Provide regular communication about phishing techniques and cybersecurity risks that emphasize how crafty cybercriminals can be. In that communication, emphasize that no one is perfect when it comes to cybersecurity, and what is important is to tell someone if something goes wrong.
Look, phishing is an inherently dishonest action. You won’t be able to protect your organization against it by creating an atmosphere that may push those, in turn, to be dishonest. Make each and every member of your organization a partner in cybersecurity by creating a shameless atmosphere.
Craig Idlebrook is an editor with HDI and ICMI.