Phishing defense is hard. We all know it. But as IT and InfoSec pros intent on protecting our respective organizations, it is easy to overreact.
Awareness training is necessary but is only effective to a point. You should plan on a certain failure rate and layer your technical defenses appropriately. A 20% failure rate on phish testing is typical, and if you come in below 20% you’re doing an exceptional job training your users (or have exceptional users).
Some negative side-effects of overly aggressive phishing awareness programs are:
- Users who delete any email with a link or attachment.
- Some users who are simply too afraid to use email at all.
- Users who won’t report clicked phishes to IT.
There are other examples. The three listed here all represent lost productivity, and the third also represents a negative security impact.
I have clients who choose negative reinforcement as a response to user phishing failures. One, notably, tacked up a printout of a fish in the work space of any employee who failed the company’s periodic phishing tests.
Cute. But not productive.
From a security standpoint, it is most important that a user who clicks a phish reports that click to IT as soon as they realize what has happened. Attaching negative consequences to phish test failures or phish clicks in general reduces the report rate dramatically.
I have also seen organizations that try positive reinforcement, such as rewards for reporting phishing emails, clicks, and so on. These programs also tend to fail. Users will phish themselves or click intentionally and then report in order to get the rewards.
Layer your technical defenses. Do not expect your users to become InfoSec pros. Plan on failure.
And do not phish-shame your users.