More carrot, less stick suggested for repeat offenders in phishing tests
12:00 Friday, 05 February 2021
UK Cyber Security Council
Almost all businesses are addressing the threat of phishing, with 95% of organisations giving phishing awareness training to their staff, according to Proofpoint in its 2020 “State of the Phish” report*. In addition, 98% of companies provided more than half an hour’s security training, with 10% delivering more than three hours.
The frequency of training is also encouraging. Almost a quarter of organisations provided awareness training twice a month, 38% gave monthly training and only 6% worked on an annual schedule. In-person and online training were both popular – 60% of organisations said they used each type – and over half used phishing attack simulations to test the success of the training and reinforce the message to their users.
Disturbingly, a significant share of organisations punished “repeat offenders” in phishing simulations. Over half provided in-person follow-up training and/or education from a member of the security team, but more than 20% used formal disciplinary action or removed access to systems. Such approaches risk negative consequences; as the report notes: “We would never argue against talking to or delivering follow-up training to end users who struggle to avoid phishing attacks. But labelling these additional learning opportunities as punishments – let alone imposing harsher penalties – could lead users to equate security awareness training initiatives with distrust, fear or even anger”.