'Workers could be sacked for clicking scam emails' says boss who tests his own staff with fake phishing scams

Phishing scams and bogus emails have been around for decades.

Almost all of us have received a message from the prince of some far-flung country who needs help transferring millions of dollars, and most of us have been called or emailed by ‘HMRC’ about taxes we supposedly owe, with threats of arrest if we don’t comply.

While the crudest of these scams are easy for most of us to spot, con artists are getting smarter and their methods more deceptive.

Phishing emails now routinely carry the hallmarks of a legitimate message: the name of a friend or colleague in the sender field, perhaps, or genuine links and contact details for a real business that, when Googled, lend extra weight to the idea that the email is authentic.
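Those hallmarks can be checked mechanically. The following is an added example, not code from the article or from any of the companies it quotes: it parses a constructed phishing message with Python's standard library and flags a Reply-To address that goes to a different organisation than the From address, a sender or link domain that is a near-miss for a trusted domain, and link text that shows one host while the href points to another. TRUSTED_DOMAINS, the sample message and every domain in it are assumptions invented for the illustration, and the two-label "registrable domain" shortcut stands in for a proper Public Suffix List lookup.

```python
"""Heuristic checks for the phishing hallmarks described above.

Added example, not code from the article or any vendor it names. The
message, the domains and TRUSTED_DOMAINS are constructed for illustration;
a real gateway would use the Public Suffix List and SPF/DKIM/DMARC results
rather than these shortcuts.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's own domain(s), used for lookalike detection.
TRUSTED_DOMAINS = {"example.com"}

# Constructed sample: familiar display name, a Reply-To that goes elsewhere,
# and a link whose visible text does not match its target.
SAMPLE_EMAIL = """\
From: "IT Service Desk" <helpdesk@examp1e.com>
Reply-To: itdesk@freemail-sample.net
To: staff@example.com
Subject: Action required: password expiry
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Reset it here:</p>
<p><a href="http://examp1e.com/reset">https://portal.example.com/reset</a></p>
</body></html>
"""

URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for each <a> element in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a hostname (crude stand-in for the Public Suffix List)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalikes such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Trusted domain this host imitates (within 2 edits), or None."""
    dom = registrable(host)
    for trusted in TRUSTED_DOMAINS:
        if dom != trusted and edit_distance(dom, trusted) <= 2:
            return trusted
    return None


def host_from_text(text):
    """Hostname if the visible link text itself looks like a URL, else None."""
    if not URL_LIKE.match(text):
        return None
    return urlparse(text if "://" in text else "http://" + text).hostname


def phishing_indicators(raw_message):
    """Return a list of (code, detail) findings for a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_dom = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2]
    reply_dom = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2]

    if reply_dom and registrable(reply_dom) != registrable(from_dom):
        findings.append(("reply_to_mismatch", f"{from_dom} -> {reply_dom}"))
    imitated = lookalike_of(from_dom)
    if imitated:
        findings.append(("sender_lookalike", f"{from_dom} imitates {imitated}"))

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = urlparse(href).hostname or ""
            text_host = host_from_text(text)
            if text_host and registrable(text_host) != registrable(href_host):
                findings.append(("link_text_mismatch", f"shows {text_host}, goes to {href_host}"))
            imitated = lookalike_of(href_host)
            if imitated:
                findings.append(("link_lookalike", f"{href_host} imitates {imitated}"))
    return findings


if __name__ == "__main__":
    for code, detail in phishing_indicators(SAMPLE_EMAIL):
        print(f"{code}: {detail}")
```

Running the file prints four findings for the sample message. None of these checks is conclusive on its own (legitimate mailing services routinely set a different Reply-To, for instance), which is why a mail gateway combines such heuristics with SPF, DKIM and DMARC results rather than blocking on any single one.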

So it’s no surprise that some people who might consider themselves streetwise could fall for a scam email.

But the boss of a major finance firm says the issue is so serious that workers should face the risk of being sacked if they are repeatedly caught clicking on phishing emails.

Frank Lombardo, Chief Operating and Technology Officer at Insignia Financial, said companies are at increased risk of falling prey to a cyber attack if employees aren’t aware of the risks that bogus emails pose.

And Lombardo said employees who repeatedly fail security tests, such as clicking on fraudulent emails, should potentially lose their jobs. 

He told the Australian Financial Review: “You need to recognise that if you've done everything that you can and if there's a weakness, and if it's at that human level and the human just isn't getting it, then you do need to take the appropriate action.”

He went on: “It may even lead to performance management and exiting individuals who are just not getting it.”

Lombardo also said he tests his staff almost every day by sending out emails designed to mimic those sent by cyber criminals and hackers.

More than half of UK employees are worried about cyber security levels at work

With just under a third of UK businesses (32%) having suffered a cyber attack in the last year, recent research from Aviva found that more than half (55%) of UK employees were worried about the level of their employer’s cyber security.

And only just under half (48%) said they would be able to identify and report phishing emails.


And it’s not without reason that many are concerned. The UK Government's Cyber Security Breaches Survey 2022 found that 39% of UK businesses had identified an attack in the previous 12 months, and by far the most common type was phishing: attempts to gain access to systems through fake emails.

And according to a research report by Stanford University and Tessian, 88% of all data breaches are caused by human error, such as falling for a phishing scam or sending an email containing confidential data to the wrong recipient.

Employees are the weak link when it comes to digital security, says tech exec

Martin Lauer, founder and chief executive of The One Point, a managed technology provider in Hessle, says employees are often the weak link in an organisation’s cyber security. 

He explained: “Someone hacking in through a firewall makes for great television, but most of the time cyber security incidents start with an action by an unsuspecting employee allowing a risk into the network; this could be as simple as clicking on a link in an email or opening an attachment.”

With many cyber risks coming from human error, a key aspect of improving an organisation’s cyber security is prevention through training and awareness. Lauer adds: “Email is the biggest area that cyber criminals can exploit employees through phishing scams. There’s software that enables you to send a spoof but safe email, and it’ll alert IT or the MSP when someone clicks on it so that you can educate them about what they’ve done wrong.”

In a study of more than 9 million users across nearly 30,000 organisations over a 12-month period, security awareness company KnowBe4 found an initial baseline Phish-prone percentage of 27% across all industries. After only 90 days of training and simulated phishing, the Phish-prone percentage had dropped by more than half, to 13%, and after 12 months it had fallen to just 2.17%: a 94% improvement in one year.


Cyber criminals are now also using supply chains to gain easy access to valuable internal data and systems.

Lauer said: “It’s very easy for somebody to ring up a supplier posing as a customer and ask for a copy of an invoice. They then copy that invoice and send a legitimate one to the real company, saying they’ve changed their bank details. So, the company changes the bank details on the system and makes the payment.”

So what can companies do to protect themselves from attackers whose methods appear to grow more sophisticated with each passing day?

Joshua Crumbaugh, CEO of PhishFirewall, has years of experience in phishing defence, ransomware and penetration testing, and is a former ethical hacker (ethical hackers perform a vital service to companies by showing them where their cyber security weaknesses are).

Crumbaugh previously provided HR Grapevine with a list of the top 10 reasons phishing occurs, and how to prevent them:

10. Underqualified & overworked staff

Cybersecurity teams are typically some of the most overworked departments in any organisation and more importantly, are not typically educated in behavioral psychology and learning sciences. This combination leads to staff cybersecurity training that tends to have unnecessarily complex, dry, and cumbersome content. This can quite literally have adverse effects on employees and certainly doesn't achieve the desired goal of improving their security habits. Because most cybersecurity teams are overworked, do-it-yourself tools tend to be entirely unused.

9. Poor user engagement

Too many organisations are not pushing security awareness from the C-Suite. In fact, most are omitting the C-Suite from their education for fear that they will fall for a phishing emulation and shut down the programme. Most C-level leaders are probably more security-savvy than this, but the fact that their team believes they might act this way only goes to further demonstrate the need for top-down leadership and communications on the importance of any cybersecurity training initiatives. When employees know that the C-Suite cares, we tend to see a 15% bump in employee engagement.

Furthermore, we've found that you get the best possible engagement rates when the CEO sends a quarterly email reminding all staff of the importance of cybersecurity and pushing them to engage in all training initiatives. I'm a strong advocate for a 99 to one ratio on carrots to sticks, but both are needed to help drive engagement, and if you don't have both rewards and consequences defined in your security awareness programme, it's a safe bet that your programme has incredibly low engagement rates.

8. Incomplete datasets and poor risk insight

Typical security awareness programmes are looking at incomplete metrics, meaning they only see a fraction of the total picture – and we live in a big data world. So why wouldn't we track things like user relapse times [this refers to the time it takes for employees to fall back into bad security habits] and even plug them into a machine learning algorithm to proactively determine who is about to relapse and provide preemptive risk intervention training? Other metrics that get overlooked include which departments are the most engaged in education, as well as which departments click on the most phishing communications.

7. Low-frequency training

Typical training happens one to four times per year and tends to be extremely time consuming, with limited effectiveness. I once spoke with a CEO who said: "The maximum amount of time you're allowed to spend educating my team on cybersecurity is one hour per year!" At first, I was taken aback, but I soon realised that 60 minutes breaks down into 60 one-minute training sessions if you just simplify your content.

6. Boring content

This speaks for itself, but most cybersecurity training content is dry and not meant to entertain your staff. This is a critical mistake, because as we entertain people, it creates a chemical reaction in their brain that helps to increase retention. So, by entertaining employees during training, we increase the rate at which they will retain the content.

5. One-size-fits-all training

No two people or departments are the same and these differences impact what types of phishing attacks each person is most likely to fall for. The examples of disparate departments I like to use are sales and development; these two departments are known to be two of the most susceptible departments in most organisations, but they do not click on the same types of attacks. For developers, it's anything that will save them time or that appears to have come from HR/Management. For sales, they are most likely to click on attacks that appear to be from social media platforms. This is why training as well as phishing simulations need to be customised to the individual.

4. Missing just-in-time risk intervention training

The moment when a person realises they’ve made a mistake is one where they are uniquely susceptible to learning, and retention rates are much higher due to the emotional trigger of the mistake itself. This is why it's incredibly important that you don't omit that training in order to exploit your users. The reality is that if a user clicks on a phish there could be thousands of attacks behind it that will instantly compromise the system and there is no value in finding out whether or not you can trick the user into submitting their credentials. Exploiting your users not only causes you to miss out on a critical educational opportunity, but it also tends to leave the user with a bad taste in their mouth and causes resentment against security awareness training initiatives and broader teams.


3. Training programmes omit learning sciences and behavioral psychology

There are a lot of studies that have gone into understanding the science of learning as well as behavioral sciences to better comprehend how we impact people's behavior in a positive and meaningful manner. Unfortunately, this field of science is far too often forgotten when it comes to cybersecurity and even employee training as a whole. Embrace learning and behavioral science because it's the difference between talking about a ‘human firewall’ [employees trained to recognise malicious attacks] and actually creating one.

2. Not measuring programme effectiveness properly

There are only three metrics that are important measures of a cybersecurity tool’s effectiveness, and they are:

  • Does the tool reduce the number of cybersecurity incidents?

  • Does the tool reduce your time to detection?

  • Does the tool reduce your time to resolution?

Security Awareness Training programmes should be able to have a positive impact on a minimum of one of these metrics above. And never forget your number one metric: are we reducing the number of cybersecurity incidents?

1. Not enough phishing simulations

The average user is more than 70% less likely to fall for a phishing attack they have seen before, and this is why it's so important to simulate the threats facing our companies. Phishing simulations are the best way to educate your team. That means the more types of attacks we can simulate, the better prepared our users are for these attacks. Phishing simulations train the subconscious side of the brain to be better at detecting phishing attacks.
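The Phish-prone percentage quoted earlier from KnowBe4, the per-department click rates and relapse times Crumbaugh raises under point 8, and the year-on-year improvement figure a programme reports are all straightforward to compute from a simulation tool's click and report logs. The following is an added example, not code from the article, KnowBe4 or PhishFirewall: the campaign results are constructed, and the definition of a relapse (a click in a campaign that follows a campaign in which the same user did not click) is an assumption chosen for the illustration.

```python
"""Phish-prone percentage, departmental click rates and relapse times
computed from simulated-phishing campaign logs.

Added example, not code from the article, KnowBe4 or PhishFirewall. The
RESULTS rows are constructed; a real programme would load them from the
simulation tool's click/report export.
"""
from collections import defaultdict
from datetime import date
from typing import NamedTuple


class Result(NamedTuple):
    user: str
    department: str
    when: date          # campaign send date
    clicked: bool       # followed the simulated link
    reported: bool      # used the report-phish button


# Constructed log: three quarterly campaigns across five users.
RESULTS = [
    Result("alice", "sales", date(2023, 1, 10), True, False),
    Result("alice", "sales", date(2023, 4, 11), False, True),
    Result("alice", "sales", date(2023, 7, 12), True, False),   # relapse
    Result("bob", "sales", date(2023, 1, 10), True, False),
    Result("bob", "sales", date(2023, 4, 11), False, False),
    Result("bob", "sales", date(2023, 7, 12), False, True),
    Result("carol", "dev", date(2023, 1, 10), False, True),
    Result("carol", "dev", date(2023, 4, 11), False, True),
    Result("carol", "dev", date(2023, 7, 12), False, True),
    Result("dave", "dev", date(2023, 1, 10), True, False),
    Result("dave", "dev", date(2023, 4, 11), False, False),
    Result("dave", "dev", date(2023, 7, 12), True, False),      # relapse
    Result("erin", "finance", date(2023, 1, 10), True, False),
    Result("erin", "finance", date(2023, 4, 11), True, False),
    Result("erin", "finance", date(2023, 7, 12), False, True),
]


def pct(count, total):
    """Percentage rounded to one decimal; 0.0 for an empty group."""
    return round(100.0 * count / total, 1) if total else 0.0


def phish_prone_pct(rows):
    """Phish-prone percentage: share of recipients who clicked the link."""
    return pct(sum(r.clicked for r in rows), len(rows))


def report_rate_pct(rows):
    """Share of recipients who reported the message (the behaviour we want)."""
    return pct(sum(r.reported for r in rows), len(rows))


def group_by(rows, key):
    """Group rows by key(row), returning a dict with sorted keys."""
    groups = defaultdict(list)
    for r in rows:
        groups[key(r)].append(r)
    return dict(sorted(groups.items()))


def relapse_times(rows):
    """Days from a user's most recent clean campaign to their next click.

    Assumption for this example: a 'relapse' is any click that follows a
    campaign in which the same user did not click.
    """
    relapses = {}
    for user, history in group_by(rows, lambda r: r.user).items():
        last_clean = None
        for r in sorted(history, key=lambda r: r.when):
            if r.clicked and last_clean is not None:
                relapses.setdefault(user, []).append((r.when - last_clean).days)
            if not r.clicked:
                last_clean = r.when
    return relapses


def programme_summary(rows):
    """Per-campaign metrics plus overall improvement and relapse list."""
    campaigns = {}
    for when, group in group_by(rows, lambda r: r.when).items():
        campaigns[when.isoformat()] = {
            "phish_prone": phish_prone_pct(group),
            "report_rate": report_rate_pct(group),
            "by_department": {
                dept: phish_prone_pct(g)
                for dept, g in group_by(group, lambda r: r.department).items()
            },
        }
    ordered = list(campaigns.values())
    baseline, latest = ordered[0]["phish_prone"], ordered[-1]["phish_prone"]
    return {
        "campaigns": campaigns,
        # Same shape of figure as the "94% improvement" quoted from KnowBe4.
        "improvement_pct": pct(baseline - latest, baseline),
        "relapses": relapse_times(rows),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(programme_summary(RESULTS), indent=2))
```

On the constructed data the baseline Phish-prone percentage is 80%, the latest campaign is 40% (a 50% improvement), and two users relapsed 92 days after a clean campaign. Tracking the report rate alongside the click rate matters: a programme whose click rate falls only because people ignore email is not the same as one where they actively report it.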
