Many organizations punish employees who make cybersecurity mistakes and fail phishing simulations, but punishing employees for failing phishing simulations is often not effective and can have unintended negative consequences.
Actions taken by companies when employees fail phishing simulations
Studies suggest that around 40% of companies punish employees for failing phishing simulations and for making other security mistakes. The actions taken range in severity from naming and shaming employees, removing access privileges, withdrawing other privileges and benefits, and locking computers or blocking email until training has been completed, to disciplinary action such as verbal and written warnings and termination.
There naturally need to be consequences if employees fail phishing simulations or make security mistakes, because if there are none, there will be no incentive for change. However, there are risks with using the stick rather than the carrot. Punishing employees for non-malicious security failures and failed phishing simulations often does not work.
Do you really want to create a culture of fear?
If you want to create a security culture in your organization, you need to motivate your employees to become security titans, and that is unlikely to happen if the motivation comes from the threat of being fired if a mistake is made. Employees can become stressed and anxious if they are scared of severe punishments for security failures, especially if they have already failed a phishing simulation. That is unlikely to be beneficial for the company and could lead to the creation of a hostile work environment and loss of productivity. It could also serve to demonize the security team, which is never a good thing.
If employees are scared about making mistakes, they may not report them when they happen
When employees make a mistake, such as clicking a link in a real phishing email or installing malware, and recognize the mistake, it is essential that they report it. Prompt action by the security team can be the difference between neutralizing the threat before any harm is caused and suffering an incredibly costly ransomware attack or data breach. If employees are worried about losing their jobs for making a mistake or suffering other serious consequences, they may avoid reporting the error.
Businesses need to be careful with punishing employees for non-malicious actions or security failures and should ensure that they make it clear to employees that the failure to report a known security mistake is a serious issue that could result in termination and will have far more serious consequences than the actual error.
Security awareness training should not be viewed as a punishment
If employees make security mistakes or fail phishing simulations, it can be due to many reasons. The training provided has clearly not been effective with certain employees, and this could be due to the training material or the different needs of employees. It may not be a case of employees not paying attention or sloppy working practices.
When security mistakes are made or phishing simulations are failed, there is clearly a need for further training, but it is important that security awareness training is not seen as a punishment. It should be a positive experience, and it should be explained that it is part of an ongoing educational process.
Consider real-time security awareness training
You should be providing security awareness training during the onboarding process, and annual training sessions are important, but if you want to create a security culture, you need to go further. Cybersecurity newsletters, reminders, and additional training can be useful if they are not provided too regularly. Daily emails will be ignored, whereas monthly, bimonthly, or quarterly updates are more likely to be read and assimilated.
One of the best approaches to training is to provide basic training to everyone and then to provide behavior-driven, real-time security awareness training. When an employee makes a mistake, falls for a phishing simulation, or is discovered to have engaged in a risky behavior, an alert can be triggered and immediate training can be provided. This is bite-sized training that is relevant and specific to the action that was taken and that explains how the mistake was made, why it is a problem, and how it could have been avoided. Mistakes serve as educational triggers and can be turned into teachable moments. Training provided in this way is likely to be much more effective than making an employee go through the same standard training program again.
The SafeTitan security awareness and phishing simulation platform
SafeTitan is the only behavior-driven security awareness platform that delivers training in real time, allowing businesses to mitigate the growing problem of social engineering and advanced phishing attacks. The platform includes an extensive library of training courses, videos, and quizzes that businesses can use for greater general and custom training campaigns, and provides gamified, interactive, and enjoyable security awareness training sessions with short and efficient testing.
Training can be automatically generated in response to specific employee behaviors to ensure errors and risky behaviors are immediately tackled. The platform also includes fully automated simulated phishing attacks, using regularly updated phishing templates to match current attack trends. The training and simulations have been shown to reduce susceptibility to phishing by up to 92%. Users also benefit from enterprise-level reporting in an easily digestible format that demonstrates the ROI.
Contact TitanHQ today for more information and to sign up for a free trial of SafeTitan.