How to address the repeat phishing simulation offender

Experts tell IT Brew that termination, group punishments, and conversations with the CEO are some of the corrective actions being used to address phishing simulation failures.

Francis Scialabba


Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

For some employees, failing a phishing test can feel like being on an episode of Punk’d. For others, the mistake can lead to not-so-staged consequences.

According to a recent Arctic Wolf report, more than one-third (34%) of IT and security decision-makers send phishing simulation tests at least every two weeks.

Repercussions for those who repeatedly fail these simulations vary. Some employees who miss the mark on these tests, which have garnered backlash in recent years, are offered short training sessions following their oversight. However, Joshua Crumbaugh, CEO of PhishFirewall, an AI-powered anti-phishing solution company that focuses on non-punitive phishing campaigns, told IT Brew that others face more serious penalties.

“I know of a number of our Fortune 50s that still implement what they call a three-strikes-and-you’re-out policy,” Crumbaugh said. “All that means is you fail three phishing tests and you get fired.”

Silverfort CISO John Paul Cunningham told us that he has seen other extreme examples of corrective action, such as requiring an entire department to take remedial training when a repeat offender fails, or requiring the consistent failer to have a one-on-one conversation with their company’s CISO or CEO.

However, several security experts told IT Brew that harsh disciplinary actions may not be the most effective approach to get naive employees into better shape. Crumbaugh told IT Brew that a punitive response can often have inadvertent effects.

“People are going to report less. They’re going to be less engaged, less involved,” Crumbaugh said. “And then because they’re fearful, they’re not going to come to you when they are concerned about something.”

Gentle parenting. Ambuj Kumar, co-founder and CEO of AI security company Simbian, told IT Brew that organizations should instead strive to create guardrails around employees who demonstrate that they may be vulnerable to real phishing attacks instead of punishing them.

“Either block external emails coming to that person or put them in the position where even if they click the link, it does not harm them,” Kumar said. “For example, you can take away their admin rights from their machine and so that way, even if they are clicking phishing emails, they cannot do much damage on their machine.”

Mike Britton, CIO of San Francisco-headquartered cybersecurity company Abnormal Security, told IT Brew that he will often make phishing campaigns feel like a “game” for employees by recognizing those who catch the test.

“I always focused on the carrot, making sure that the first 10 people that reported the phishing simulation got some sort of prize versus the stick of, ‘Oh, you failed. Now I’m going to beat you,’” Britton said.

Crumbaugh told IT Brew that IT departments can alternatively handle repeat phishing simulation failures by sending more tests their way.

“That’s just a better approach because we’re conditioning them and we’re training them and we’re helping them get better, without just firing them right away,” he said.
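The non-punitive approaches described above (recognizing reporters, extra training and more frequent tests for repeat clickers, and least-privilege guardrails for persistent failures) can be expressed as a small, auditable policy over simulation results. The following is an added example, not code from IT Brew or from any vendor quoted in the article; it assumes a simulation platform exports one record per user per campaign with the fields shown, and the tier names, the 90-day window, and the specific guardrail actions are assumptions chosen for illustration.

```python
"""Tiered, non-punitive response plan for phishing-simulation results.

Added example (not IT Brew's or any vendor's code). Assumes one record
per user per campaign: user, campaign_date, clicked, reported. The
response escalates from nothing, to micro-training, to more frequent
simulations, to least-privilege guardrails, never to termination.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class SimResult:
    user: str
    campaign_date: date
    clicked: bool    # followed the simulated link
    reported: bool   # used the report-phishing button


# Constructed sample export, not real data.
SAMPLE_RESULTS = [
    SimResult("alice", date(2024, 1, 8), clicked=False, reported=True),
    SimResult("alice", date(2024, 1, 22), clicked=False, reported=True),
    SimResult("alice", date(2024, 2, 5), clicked=False, reported=False),
    SimResult("bob", date(2024, 1, 8), clicked=True, reported=False),
    SimResult("bob", date(2024, 1, 22), clicked=False, reported=False),
    SimResult("bob", date(2024, 2, 5), clicked=True, reported=False),
    SimResult("carol", date(2024, 1, 8), clicked=True, reported=False),
    SimResult("carol", date(2024, 1, 22), clicked=True, reported=False),
    SimResult("carol", date(2024, 2, 5), clicked=True, reported=False),
    # Older failure that should age out of the look-back window.
    SimResult("carol", date(2023, 9, 1), clicked=True, reported=False),
]

WINDOW = timedelta(days=90)          # assumed look-back for counting failures
DEFAULT_INTERVAL_DAYS = 14           # baseline cadence (the "every two weeks" figure)

# Assumed tier names and guardrail actions; these would map to real
# ticketing or IAM workflows in a deployment.
TIERS = {0: "none", 1: "micro_training", 2: "more_frequent_simulations", 3: "guardrails"}
GUARDRAILS = ("remove_local_admin", "block_external_mail")


def failures_in_window(results, user, as_of):
    """Count simulated links the user clicked within WINDOW ending at as_of."""
    start = as_of - WINDOW
    return sum(1 for r in results
               if r.user == user and r.clicked and start <= r.campaign_date <= as_of)


def response_tier(failures):
    """Escalate one tier per failure, capped at the guardrail tier."""
    return min(failures, 3)


def plan_for_user(results, user, as_of):
    """Build the corrective plan for one user as of a given date."""
    failures = failures_in_window(results, user, as_of)
    tier = response_tier(failures)
    plan = {"user": user, "failures": failures, "tier": TIERS[tier],
            "interval_days": DEFAULT_INTERVAL_DAYS, "actions": []}
    if tier >= 1:
        plan["actions"].append("micro_training")
    if tier >= 2:
        # Send more tests their way rather than punishing: halve the interval.
        plan["interval_days"] = DEFAULT_INTERVAL_DAYS // 2
    if tier >= 3:
        # Contain the blast radius of a real click instead of firing the user.
        plan["actions"].extend(GUARDRAILS)
    return plan


def campaign_reporters(results, campaign_date, limit=10):
    """Users who reported a campaign without clicking: the recognition list."""
    return [r.user for r in results
            if r.campaign_date == campaign_date and r.reported and not r.clicked][:limit]


def plan_all(results, as_of):
    """Plans for every user seen in the export, keyed by user."""
    users = sorted({r.user for r in results})
    return {u: plan_for_user(results, u, as_of) for u in users}


if __name__ == "__main__":
    for user, plan in plan_all(SAMPLE_RESULTS, date(2024, 2, 5)).items():
        print(user, plan["tier"], plan["interval_days"], plan["actions"])
    print("recognize:", campaign_reporters(SAMPLE_RESULTS, date(2024, 1, 8)))
```

Running it on the sample data puts carol (three clicks inside the window, the September click having aged out) on guardrails, bob on a seven-day simulation cadence with micro-training, and alice on no corrective action while appearing on the recognition list for the first campaign. The window and the cap keep a long-ago mistake from following someone indefinitely, which is the opposite of a three-strikes policy.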
