Should Failing Phishing Tests Be a Fireable Offense? – Krebs on Security


Would your average Internet user be more vigilant against phishing scams if they genuinely risked losing their job after falling for too many of these e-mails? Recently, at a conference, I met someone who said that his employer had actually fired employees for such repeated failures. Since it was the first time I had heard of an organization that actually does this, I asked phishing experts what they thought about it (spoiler alert: they are not fans of this particular pedagogical approach).

John LaCour is the founder and chief technology officer of PhishLabs, a company based in Charleston, South Carolina, that helps companies educate and test their employees on how not to fall for phishing scams. The company's training programs give customers a way to track how many employees open test phishing e-mails and how many of those then fall for them.

LaCour says that adopting punitive measures for employees who repeatedly fall for phishing tests is counter-productive.

"Some of our financial sector clients have implemented similar programs that have real consequences in the event of failed tests, but it is quite rare that all types of companies adopt such an extreme policy," said Mr. LaCour.

"Organizations can do many things as drastic as ever and always have the desired effect of enhancing security," he said. "We have already found that businesses need classroom training on the first failure. That's why a manager must consult with you the second time, or even revoke access to the network."

LaCour said one of the most common mistakes he has seen is companies buying a tool to launch simulated phishing campaigns simply to play "gotcha" with employees.

"It really demotivates people, and it does not really teach them how to be more diligent in dealing with phishing attacks," he said. "Every phishing simulation program must be accompanied by a solid training program, in which you teach employees what to do when they see something phishy. Otherwise, it simply creates resentment among employees."

Rohyt Belani, CEO of Leesburg, Virginia-based security firm Cofense (formerly PhishMe), said anti-phishing education campaigns that impose very negative consequences on employees who repeatedly fail phishing tests generally create tension and mistrust between employees and the company's security team.

"This can create an environment of animosity for the security team as it is suddenly perceived as working for human resources instead of trying to improve security," Belani said. "Threatening people turns against them, and they end up becoming more provocative and less cooperative."

Cofense provides a phishing reporting system and encourages customers to have their employees report suspected phishing attacks (and tests). Belani adds that this reporting can often help counter phishing attacks.

"What happens often is that a person can click on a link in a real phishing email and, three seconds later, realize: 'Oops, I should not have clicked, let me know anyway,'" Belani said, "but if that person knew there was a punitive angle, he would be more likely not to report it and say, 'You know what, I did not do it. Where is the proof that I clicked on the link?'"

LaCour says PhishLabs encourages customers to use positive reinforcement in their employees' training campaigns.

"Recognition – where employees and departments that do particularly well are recognized – is very common," LaCour said. "We also see things like small gifts or other things that companies typically use to reward their employees, such as gift cards or small bonuses for specific departments or people."

LaCour said his own office makes it a game.

"We make the competition competitive by posting scores for each department and the department with the lowest score must buy the meal for the rest of the department," he said. "It teaches people that the consequences are real and that we must all be diligent about phishing."

And you, dear readers? Does your employer organize phishing awareness and training tests? What incentives or disincentives are linked to these programs? Sound off in the comments below.



Keywords: Cofense, John LaCour, PhishLabs, Phishme, Rohyt Belani

This entry was posted on Wednesday, May 29th, 2019 at 1:39 pm and is filed under A Little Sunshine.