Should Failing Phish Tests Be a Fireable Offense?

Should Failing Phish Tests Be a Fireable Offense?

Krebs on Security raised this issue in a recent blog.
https://krebsonsecurity.com/2019/05/should-failing-phish-tests-be-a-fireable-offense/

Every company has to evaluate its risk tolerance, but embracing a good security posture by educating, training, and testing employees so they don’t fail, helps create a healthy culture of cybersecurity awareness and decrease in phish prone behavior.

But what happens if a user continues to fail or ignores your training and the company policy in spite of your best efforts to train them. How should you intervene and when? Knowbe4 has a document template that each company can use to evaluate these scenarios and develop its own corrective interventions based on possible escalation scenarios for these repeat offenders.

Here’s our blog story and the template!

This topic makes me uneasy as I can see why despite an organisations best efforts to train someone, if they fail to grasp the concept being taught and continue to put the organisation at risk then is this a fireable offense, can you prove gross misconduct due to incompetence, can you prove your training is adequate and appropriate for the individual?

Line this up against other fireable offences such as insider trading or fraud or sexual harassment or other forms of gross misconduct and failing a phishing test suddenly seems like gross overkill

1 Like

Hi Matt, The KnowBe4 suggested template is very employee focused. The schedule goes up to 9+ subsequent failures and employee manager/management remedial processes. If you have the opportunity please do download the KnowBe4 template from the blog. It’s freely downloadable.https://www.knowbe4.com/hubfs/SecurityAwarenessTrainingandTestingModelPolicyTemplate.docx

My own opinions. Some industries may have the need to be more stringent than others. A government military defense contractor or critical infrastructure provider may have much lower risk tolerance. These employee policies have to be tailored to the specific industry and company need. Many cyber insurance policies are now calling for employee awareness training as part of compliance. We’re still in the infant stages of these cyber policies. But these policies may have an influence on employer practices and tolerances. Cybersecurity culture is now starting to become more pervasive and moving up to C-Suites and Boards.

Employees - humans --are their most important company assets. So helping them grow and succeed is just good business and generally speaking, taking a positive approach with employees who fail and working to help them succeed is certainly the desirable route.

But there are certain situations on a case by case basis where an employee may-- for whatever reason intentionally disregard the policy putting the company at risk. But repeated intentional disregard of company policy would usually trigger an HR warning anyway. An employee who repeatedly fails training or is finally deemed “untrainable” is a security problem waiting to happen. So in some cases it may rise to a level of termination. Perhaps a company might have the option of removing that person from doing computer work to take that risk out of the equation. Each company will have to set its own policy according to their situation. That’s why a template can only suggest a roadmap. This is a great discussion and love to hear what others think and how they might handle this problem.

1 Like

Of course, I am applying only the logic within the sector that I work (ecommerce) where the tolerance levels compared to the military will be totally different, this is a good point. Having thought about it overnight a good solution, in my sector at least, would be the blanket use of 2FA/MFA or U2F for all accounts where you log in, at least this way even if you get phished, no fraudster can access those accounts without your physical key or device. Obviously SMS methods should be excluded due to the risk of SIM swapping and i suppose you have to weigh up risks of a fraudster targeting you and making the considerable effort to gain control of your second factor device.

2FA can be hacked but it depends how large the target is on your back and also if someone is going to go full on social engineering on ya. Everything is hackable. Depends on how badly someone wants to get in. One way is to get a hold of the session token (or cookie token) through a man in the middle attack once an authentication is made. Here’s an interesting video by Kevin Mitnick, world renowned pen tester and Knowbe4’s Chief Hacking Officer demonstrating this.

1 Like

We’re polling other industries on this very topic. I’d love to hear how your companies handle phishing simulations.

How often do you phish?
What happens to a user when they fail?
Do you notify managers?
Do you reward positive behavior (reporting the behavior?
If so, how?

2FA or Multi factor is better than no factor:) Can you lock everything down with 2FA because users will be phished and if credentials are compromised what other damage can a hacker do? This is why training your users about the methods of social engineering, phishing them regularly and having repeat training and remediation for those that fail is best practices.

And we do test them… If I then pressume that 2FA/MFA is also going to fail due to scenarios as in the video then as most security experts say, security is not 100%. I would think in the environment I work in I would be hard pressed to convince a member of senior management that an employee would have such a large target on their backs, any more resource other than training, access controls and activity monitoring is necessary, if they thought it did then I think yes failing phishing tests would be a fireable offence and so the circle starts again :slight_smile:

Your company may not have that large a bulls eye target that someone would expend the resources on a sophisticated MFA attack but so many other industries are very attractive. Nation state and organized crime groups are going after networks and users where intellectual property can be pilfered ie: Legal, accounting, military, aerospace, engineering, university, diplomatic and others, Municipalities and Healthcare for ransomwsre China is the front runner for IP theft… Just the other day it was reported that a hacker thought to be Iranian was selling UNICEFS records on the dark web. And yesterday it was reported the EU embassy in Russia was thoroughly compromised. Things will likely only get worse and social engineering attempts more sophisticated… The real hurdle is convincing management to be proactive rather than reactive. The figures I’ve read are pretty astounding concerning the % of SMBs breached. Of course healthcare is a huge target as are municipalities. no doubt we probably will see repeated clicker failures and companies having to up their training game.The frequency and quality of training AND the cyberculture within the company are all factors that can reduce risk. According to Beazley in May.
“About 70 percent of ransomware attacks in 2018 targeted small businesses, with an average ransom demand of $116,000, according to a recent report from Beazley Breach Response Services.” — Healthcare IT News