PiChris - Fotolia

Manage Learn to apply best practices and optimize your operations.

Should enterprises enforce harsher penalties for phishing victims?

The consequences of phishing attacks could fall on the victims as enterprises start to punish employees who fall for this age-old scam. Expert Joseph Granneman discusses why this approach may have merit.

A vendor is advocating that supervisors and managers punish employees who fall for phishing attacks, rather than...

training or retraining them in security awareness. Is there any validity to this method? What should be done about employees who repeatedly fall victim to these attacks?

Perimeter security has improved dramatically over the years. The technology has evolved so that attacks against firewalls or hardened servers have become time consuming and expensive. There are obvious exceptions, but most serious breaches are the result of human error, rather than technology failings. Criminals will always search for the easiest targets and phishing continues to top their list of favorite attacks. Phishing attacks are as old as email itself, but users continue to fall for these cons. Information security departments have been sending out warnings and educating users with phishing awareness training about these types of attacks for several decades with limited success. Users are either not understanding the message or they have developed an apathetic attitude toward the training because there are no personal repercussions for not following through on it.

The focus on friendly reminders and snappy catch phrases like "think before you click" have failed completely. It is time for organizations to hold phishing victims accountable for repeatedly falling for these types of attacks. Repairing the damage done by malware through a phishing attack has a cost, even if there is no criminal loss to the company. There is the chance that data will be lost on the PC and on shared network resources, thanks to ransomware like CryptoWall and CryptoLocker. Employees would be held accountable if they let a criminal into the office and they caused physical damage. The damage to technology caused by phishing should not be treated any differently than physical damage, which is usually less costly to the organization.

Phishing is still successful because organizations do not hold employees accountable. Speed limits would not be followed either if there were no enforcement. It is time for a new approach to information security because we are not winning this war. Enterprises need every employee to be more diligent in protecting the organization's information assets and to understand the costs even unsuccessful attacks can cause. This will reduce the effectiveness of phishing attacks and force criminals to find a new type of attack.

Ask the Expert
Have questions about enterprise security? Send them via email today! (All questions are anonymous.)

Next Steps

How how effective are gamified security awareness programs? Joe Granneman examines.

This was last published in March 2015

Dig Deeper on Email and Messaging Threats-Information Security Threats