KrebsOnSecurity published an interesting article this week.

It’s a question we come across an awful lot.

“What should I do if my staff don’t comply with our policies?” Some of our clients take advantage of our advanced Security Awareness Training offerings, which offer optional ongoing tailored “phishing” attempts to various staff members.

There’s a lot of debate and discussion around this, from a few angles. The most common objections are summarised below:

“But that’s entrapment!”
We’re not the police, and we’re doing this to improve security for an organisation. It stands to reason that if one of our phishing training emails is followed, then an illegitimate phishing email may have had the same response.

“But it’s unfair, the email looked very good!”
Looking at this objectively, if a convincing person walked into your business and demanded $20,000 in cash, would you hand it over to them? You need to think the same way in a digital world.

“I thought the firewall/filter would catch that”
Filtering is a moving target on a daily basis. In the cybersecurity world, the mantra “build a bigger wall, they’ll build a bigger ladder” is repeated often. There needs to be vigilance from both a system and a user perspective to be properly protected.

“I can’t believe I’m losing my job over an email”
This is the awkward side of conversations we sometimes have to be involved in post-breach, depending on the severity of the breach and the level of the staff member. It’s important to remember that online security is as important as, if not more important than, physical security.

We lock the office at the end of every day, and set alarms so that we’re protected from any physical intrusion. It’s important that staff are trained to undertake the necessary precautions in a digital world to ensure security.

All in all, we don’t want anyone to lose their jobs without a very good cause. We’ve been involved in this industry for a while and have seen breaches ranging from some personal photos being leaked, all the way through to multi-million dollar breaches that have resulted in significant and often unrecoverable financial loss.

There is a line to be balanced between security and a fantastic working environment; the two aren’t mutually exclusive.

Through implementing solid policies, procedures and training plans, you can ensure your organisation is as safe as can be.