A team of UK researchers recently conducted a survey on how organizations respond when employees fall prey to phishing scams. Phishing scams are usually those pesky emails that end up in your inbox...you know:
“Your long lost cousin is a Nigerian prince and wants to send you money. Simply email back your SSN and bank account information, and overnight you will become wealthy beyond your wildest dreams!”
You know the types. But unfortunately, not all phishing scams are as obvious, and not all employees know how to tell good emails from the bad. So what do businesses do when an employee falls prey? The survey mentioned above found that many companies (42%, to be specific) will actually punish employees for falling for phishing scams.
Of the companies surveyed:
Cybersecurity incidents certainly need to be handled swiftly — but is penalizing employees the best method? There is some concern that punishment might actually cause more harm than good.
One alternative to penalizing employees is to simply provide relevant training to prevent them from falling prey in the first place. There are five types of training that employees should receive:
To learn more about these types of training, and get some helpful tips and handouts for your teams, check out our resource: Cybersecurity Awareness Training for Employees.
Another alternative is to provide training regularly, and often. While employees should definitely get training after an incident, cybersecurity training should primarily be proactive, not reactive. It’s not wise to wait until after an employee has fallen prey to a scam before providing the relevant training. Training should occur during onboarding, and then regularly for all employees. Many organizations provide mandatory training on an annual basis, but depending on the nature of the business, increasing that to twice a year or quarterly (or more) might be beneficial.
Last, but certainly not least, make sure employees are encouraged to come forward with any suspected vulnerabilities. Instead of punishing employees when things go wrong, perhaps try establishing an incentive program where employees are rewarded for reporting possible scams and breaches. This will encourage employees to be on the lookout for any suspicious activity, and quick to bring anything questionable to light.