
Should enterprises enforce harsher penalties for phishing victims?

The consequences of phishing attacks could fall on the victims as enterprises start to punish employees who fall for this age-old scam. Expert Joseph Granneman discusses why this approach may have merit.

A vendor is advocating that supervisors and managers punish employees who fall for phishing attacks, rather than training or retraining them in security awareness. Is there any validity to this method? What should be done about employees who repeatedly fall victim to these attacks?

Perimeter security has improved dramatically over the years. The technology has evolved so that attacks against firewalls or hardened servers have become time-consuming and expensive. There are obvious exceptions, but most serious breaches are the result of human error rather than technology failings. Criminals will always search for the easiest targets, and phishing continues to top their list of favorite attacks. Phishing attacks are as old as email itself, but users continue to fall for these cons. Information security departments have been sending out warnings and educating users with phishing awareness training about these types of attacks for several decades, with limited success. Users either do not understand the message or have developed an apathetic attitude toward the training because there are no personal repercussions for not following through on it.

The focus on friendly reminders and snappy catchphrases like "think before you click" has failed completely. It is time for organizations to hold phishing victims accountable for repeatedly falling for these types of attacks. Repairing the damage done by malware delivered through a phishing attack has a cost, even if there is no criminal loss to the company. There is the chance that data will be lost on the PC and on shared network resources, thanks to ransomware like CryptoWall and CryptoLocker. Employees would be held accountable if they let a criminal into the office who then caused physical damage. The damage to technology caused by phishing should not be treated any differently from physical damage, which is usually less costly to the organization.

Phishing is still successful because organizations do not hold employees accountable. Speed limits would not be followed either if there were no enforcement. It is time for a new approach to information security because we are not winning this war. Enterprises need every employee to be more diligent in protecting the organization's information assets and to understand the costs even unsuccessful attacks can cause. This will reduce the effectiveness of phishing attacks and force criminals to find a new type of attack.



This was last published in March 2015


Is it unfair for enterprises to punish phishing victims?
I believe that it is unfair, as well as legally questionable. I would definitely be opposed to punishing an employee who is a victim of a phishing attack, unless there is some way that the employee was obviously negligent in performing their job.
Some phishing scams are blatant. If an employee is gullible enough to open one and causes issues for the company, in time lost, then yes, there might be a case for disciplinary action. The hard thing might be in a case where an e-mail comes in with a subject that may sound legitimate. Something like "Package undeliverable" by a carrier you do business with or from a bank you do business with. You may not have time to research it and feel it would be quicker to open the e-mail. I run into this all the time with people outside of the work environment. They get e-mails about things like court dates, checks bounced, free gift card, your account has been hacked... I try to show people how to view the full header for more info to validate the sender. If in doubt, just delete it. Then contact the sender yourself.
Since employees have failed to adhere to awareness messages about phishing attacks, I think enforcing some kind of penalty will result in increased employee vigilance.
I think it all depends on the level of education that has been provided to the employee. If the education covers anti-phishing on a regular basis then MAYBE a penalty should be issued. But what should that penalty be? Firing? Other forms of disciplinary action? Who makes the call on whether the employee gets penalized or not?

These questions need to be resolved and checked through the legal department as well.
I would strongly disagree with this approach if it were up to me. Many phishing scams are sophisticated and many email users are not. In fact, I believe that going so far as to fire someone for this kind of mistake could be legally disputable in the U.S. under agency law.