Suppose you discovered that your business had been hacked because one of your employees was fooled by a phishing email. Would you consider dismissing that employee? And if all of this were part of a test you ran to assess your employees, would you take the same action?
Let's start with the reasons why you would like to do such a test.
Of course you want your business to be safe from risks that keep evolving in our time. From 2005 to 2018, more than 8,854 attacks were reported, and there will surely be many more that never became known.
In addition, phishing has proven to be a very useful tool for hackers: it can have devastating effects on a business while remaining a relatively easy method for a malicious actor.
So it is vital for an organization that the people working for it are able to recognize a phishing email. A test can tell you something about an employee's skill in identifying and dealing with such an incident. Keep in mind, however, that this test does not assess the general capabilities of your employees.
Some companies show very low tolerance for failures in a phishing test. This is particularly true in the financial industry, but also in other industries, for reasons that are quite understandable. Some of these companies go as far as laying off workers who fail a large number of these tests. Others run the tests simply to keep their employees alert.
Unfortunately, what these companies fail to realize is that such behavior will not improve their security. Sure, firing someone who finds it difficult to identify a phishing message means that this particular person will not compromise the company, but who says that whoever takes over the position will identify them any better? Not to mention that firing a person does nothing to train your other employees against phishing attacks.
Finally, think about how the threat of consequences affects an employee's decisions. Many solutions offer the ability to report suspicious emails, and many employees (even those who have already clicked the link) will report them. But if there are consequences for their mistake, they lose the incentive to report it. In short, your employees will not trust you enough to tell you the truth.
Which is the right way?
An unscheduled phishing test is good, provided it is accompanied by a review of the results and followed by training that helps employees improve.
Instead of focusing on the negative, you can also use a positive reward. Rewarding the department with the most successful test, with a small bonus or gift cards, will motivate all employees to be more careful. You can still impose a kind of penalty on the least successful team, for example buying lunch for the others, which is somewhat negative for the team that did not do well, but certainly nowhere near as exaggerated as dismissal.