A vendor is advocating that supervisors and managers punish employees who fall for phishing attacks, rather than training or retraining them in security awareness. Is there any validity to this method? What should be done about employees who repeatedly fall victim to these attacks?
Perimeter security has improved dramatically over the years. Firewalls and hardened servers have evolved to the point where attacking them directly is time-consuming and expensive. There are obvious exceptions, but most serious breaches now result from human error rather than from failures of the technology. Criminals always look for the easiest target, and phishing remains at the top of their list. Phishing is as old as email itself, yet users continue to fall for it. Information security departments have been sending out warnings and running phishing awareness training for years with limited success. Either users are not getting the message, or they have become apathetic toward the training because there are no personal repercussions for ignoring it.
The reliance on friendly reminders and snappy catchphrases like "think before you click" has failed completely. It is time for organizations to hold employees accountable when they repeatedly fall for these attacks. Cleaning up after malware delivered by a phishing email has a cost even when the company suffers no direct criminal loss: ransomware such as CryptoWall and CryptoLocker can destroy data on the victim's PC and on any network shares that PC can write to. An employee who let a criminal into the office to cause physical damage would be held accountable. Damage to information systems caused by phishing should not be treated any differently, especially since physical damage is usually the less costly of the two.
Phishing is still successful because organizations do not hold employees accountable. Speed limits would not be obeyed either if they were never enforced. It is time for a new approach to information security, because we are not winning this war. Enterprises need every employee to be diligent about protecting the organization's information assets and to understand that even an unsuccessful attack costs the company time and money. That would reduce the effectiveness of phishing and force criminals to look for a different kind of attack.
Ask the Expert: Joseph Granneman