Should You Be Holding Your Staff Accountable for Failed Phishing Tests?

by | Jul 25, 2019 | Cybersecurity

4 min read

What do you do when one of your well-performing employees routinely falls for phishing attacks? On the whole, the person is a great employee, but when it comes to acting with caution, they fail. If you’ve made a point to prioritize staff training regarding phishing attacks, and they aren’t following protocol, do you replace the employee?

You Need to Protect Your Business

If you have ten employees and two of them consistently underperform, you’d imagine that replacing them with two higher performers would benefit your business. The same goes for risk management. If you have a couple people who are continuously forgetting cybersecurity best practices, filling those spots with more cautious employees would likely reduce your organizational exposure to risk.

A small business owner has a difficult job. Not only do they need to try and fill their team with people who are skilled in their specific role, but part of every employee’s role is to protect the company against a potential data breach. If you have employees that don’t understand that this is part of their employment contract, and/or who don’t implement their training to spot and respond appropriately to risk, you’ll need to seriously consider replacing them. After all, for a small business, a data breach could be the end game.

What Is the Purpose of a Phishing Test?

Phishing is the act of sending a fake email, message, or text that entices the end user to take action. By the user clicking on the links and downloading attachments in these phishing messages, hackers gain access to a company’s network; and, from there, can wreak all types of havoc. As a result, businesses have started offering aggressive phishing training, and have seen proven results. With the thousands of data breaches that have happened over the past decade, and the dire consequences these breaches have exacted on many of them, you can understand why.

1.2 percent of all global email can be labeled suspicious, but worldwide, that adds up to about 3.4 million phishing emails sent every day. That doesn’t say anything of the massive amount of users who are exposed to phishing over social media, or through messaging programs. These attacks don’t take a lot of work to produce, so they are sent out en masse, and most are foiled, deleted, or ignored altogether. The problem is that it only takes one. One email can cripple a city’s municipal infrastructure, ground airplanes, and ruin your business.

Since phishing attacks are so common, it stands to reason that continuous training is a good idea; and, most people get it. Most people will go through their whole lives without clicking on hyperlinks they don’t know or downloading attachments from emails that are being sent from strangers. For some reason there are people that just don’t get it, however, and in their attempts to do their job well, they ignore the signs that they are being phished.  Since phishing tests are designed to evaluate abilities, not competencies, firing employees who fail phishing tests may not be the best idea for your business’ reputation as employers, but it has to remain an option.

What Companies Do

As you might expect, there are companies that demonstrate a very low tolerance for failed phishing tests. Most of the most stringent happen to work in financial services and healthcare, two of the most regulated industries. Any data breach in these industries come with a lot of additional hand wringing and very well could have lasting and unfortunate effects on their client’s (and therefore the company’s) wellbeing. Of course, initially falling for test phishing emails would (and should) result in reprimand, but if they continue, then isn’t much left to be done than to move on from that employee.

As stated above, most employees will not fall for phishing attacks. Most will excel at awareness training and will effectively protect your business. It is important that management takes the initiative to test employees. You will want to keep their staff well informed and trained on the latest cyberthreats, whether they be a form of phishing or not.

If you need help putting together a training platform that will empower your staff and keep intruders out of your network, call the experts at Machado Consulting today at (508) 453-4700.

Categories

Recent Posts

v
Let's Talk

You have questions.
We love to listen.

Customer Support

Need help?
Your help desk is ready.

Plan a Visit

32 Franklin Street, Suite 500
Worcester, MA 01608