Preventing Phishing Attacks: Why Training Is Better Than Punishing

Picture this… an email comes into Mark’s inbox and looks like any other of the dozens he receives each day from customers, partners, suppliers, and company headquarters. Dealing with a hundred things at the same time, Mark clicks on a link inside an email he assumes comes from a trusted source, inadvertently launching a phishing attack on your company designed to obtain sensitive information such as usernames, passwords or credit card details.

Sounds like a nightmare? The truth is that this type of situation happens every day in businesses around the world. In fact, according to the Anti-Phishing Working Group, in the first half of 2013, there were at least 72,758 unique phishing attacks worldwide. Just consider the recent breach at retail giant Target, in which more than 70 million customers may have had credit card or personal information stolen. Industry pundits have determined that it all started with a phishing attack on one of the company's contractors.

Phishing attacks are no laughing matter; not only can they impact your own business, but also your customers and partners who rely on your company to keep their data secure. They cost firms millions of dollars each year; EMC reports global losses from phishing attacks at over $5.9 billion in 2013 alone. They necessitate the hire of additional IT personnel and security officers. They cut down on employee productivity by tying up computers and servers for cleanup, and often necessitate intervention from human resources personnel in dealing with the employee who enabled the phishing attack.

So who at an organization is most at risk to be a victim of a phishing attack? A study from Proofpoint Inc. found that although almost anyone with an email account can be targeted, non-management -level employees are much more likely to be targeted for phishing attacks, and are targeted at almost twice the rate as middle management. In fact, even executives are targeted 1.5 times more than middle management. When Proofpoint looked at the click rate for employees targeted during these attacks, however, it was clear that employees in non-management roles were almost twice as likely to click on a phishing email than middle management and executives.

One reason non-management-level employees are being targeted is due to their lack of knowledge about what phishing is and the damage that it can do to companies. Another reason is volume; these employees deal with copious amounts of emails on behalf of their companies and rely on this form of communication between the company and its customers and partners. This group is also targeted because of the ratio of non-management-type employees compared with those in executive and middle management positions. The sheer volume of employees at companies who are considered "non-management" means they are indeed the most at-risk group.

Is Punishment the Right Recourse?

When a phishing attack is successfully executed against a company, the initial instinct from upper management may be to punish the employee who clicked the link. This punishment might come in the form of a verbal or written warning, a poor review or a diminished raise. Some companies may even consider termination an acceptable recourse, especially if the employee has had more than one incident that impacts the company.

But it's unlikely the employee's intentions were malicious. So is punishment the proper course of action or is there a better response? If non-management employees are truly a company's weakest links, it should be a strong impetus to add training for all employees, especially those deemed most vulnerable to use improper behavior when dealing with phishing emails.

Educating employees about the dangers of phishing attacks is one of the best defenses companies have against them. Active training (as opposed to passive training, such as video training), in individual settings so employees can learn at their own pace, reinforces good behavior and discourages behavior that puts the company at risk. Taking an active approach to training employees is far more beneficial that punishing them, for many reasons:

• It allows employees to move from being part of the problem to part of the solution. By giving employees the tools to better understand their role in identifying potential phishing threats they may receive, they can help prevent them from impacting the company.
• It limits creating undue fear employees have of clicking on links. Most employees need to open links every day as part of their job, whether it's accessing cloud-based services like salesforce.com, updating the company's YouTube channel or responding to a customer's order. Making them fearful of clicking on any links will impede their ability to successfully do their job.
• It creates an atmosphere of success for the employees. Employees want to do well at their jobs and be recognized for good behavior. Punishment creates a culture of defeat and failure, making it more difficult to motivate employees overall, and especially when it comes to training. Effective training programs create a culture of success, not defeat.
• Punishment is a ”stick” behavior. If training is not available to help employees understand the impact phishing attacks can have, and how to avoid them, how can employees be blamed for taking inappropriate actions?

Train First, Punish Last

So what should businesses do to make sure their employees are trained to recognize potential phishing attacks and avoid them? A complete training cycle should encompass the following elements:

• Assessment: How well versed are your employees in knowing what a phishing attack is, or other social engineering exploits? Can they identify potential hazards before making a mistake, and report potential threats to their manager or IT department? Initial assessments and ongoing training—since end user behavior changes—is critical to determining who might be at risk. From knowledge assessments to mock attacks, assessments help companies take preventative steps to halt undesirable behavior.
• Training: Once an assessment is made that identifies employees most at risk, interactive training might involve simulating different types of phishing emails to see if an employee bites, and then determining the factors that provoked the action. While all non-management employees should receive training—not just those deemed most at-risk—many companies may need to prioritize training based on assessment results. It may seem like overkill for some employees, but a mandatory company-wide training program is crucial for keeping the business safe. Training should also include a reporting procedure for employees who suspect an email might contain a phishing attack.
• Setting limits: If employees complete a training program and their dangerous behaviors do not improve after a period of time, say three or six months, a company might consider limiting access to critical data as a preventative measure. Unfortunately, this might also impede employees’ abilities to fully execute their jobs. If they are not trained over that period of time, there are likely other issues with employee behavior that might require a different kind of approach beyond training.
• Punishment: Punishment should be used as a last measure if the employee does not respond to training. Punishment can be financial or punitive, where the employee is demoted or even terminated after several documented attempts at training.

Even with the volume of phishing attacks impacting brands small and large around the world, there is still a significant percentage of companies that do not train their employees to identify, avoid and report potential phishing attacks. This is perhaps one of the biggest mistakes companies can make when it comes to securing their sensitive data. If one of the weakest links in your company is the "people factor," teaching employees to do the right thing and showing them why it's important to your company will generate the results you need to keep your company secure.

Joe Ferrara, is the President and CEO of Wombat Security Technologies, Wombat Security Technologies which provides information security awareness and training software to help organizations teach their employees secure behavior. Their SaaS cyber security education solution includes a platform of integrated broad assessments, and a library of simulated attacks and brief interactive training modules, to reduce employee susceptibility to attack, even phishing attacks.