How would you handle individuals who just can't stop clicking repeatedly on phishing emails? Do you do corrective training and/or implement technical solutions (e.g. defanging) and at what point do you get 'punitive'? At what point would you dismiss the employee for lack of 'cyber competence'?
We provide annual mandatory training for all staff. I would suggest targeted training for those individuals who fail. Unless the person's job is within IT security, it does not seem appropriate to discuss dismissal; instead, work on education and practice to better identify phishing emails.
We do monthly phishing tests, if you click on one, you get a short, required eLearning assignment. If you click twice within six months, you get a second, more thorough, required eLearning assignment. We don't have a more punitive punishment in place, though I wouldn't dismiss it as a possibility.
We do quarterly awareness training campaigns, and occasional phishing tests; those who fail are targeted for remedial training.
Unfortunately, the serial offenders are often the same who fail to test and are executives...
We provide annual training, and all screensavers caution users. We send test messages out monthly. If they fail the test message and click on it, we provide training for the first three occurrences. If they exceed that in any 6-month period, we refer them to their manager and HR for disciplinary action.
We conduct similar training. In addition, we also have internal blogs to raise awareness across the organization and send test phishing emails, where we track who has clicked on the link and who reported it as phishing. Within IT, we have a reporting leaderboard that tracks who has not clicked on a phishing email for the past quarter, raising additional awareness.
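The escalation rules described in the replies above (a tier of training per click, counted over a rolling six-month window, with HR referral past a threshold) and the "who clicked / who reported" leaderboard can be expressed as a small tracking script. The following is an added example written for this page, not code from any of the posters or from a phishing-simulation product; the tier names, the 182-day window, the 91-day quarter and the sample event records are all constructed assumptions chosen to mirror the thread, and a real program would read its events from the simulation platform's export instead.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data: one record per simulated phishing message delivered.
# Fields: (user, delivery date, clicked the link?, reported it as phishing?)
SAMPLE_EVENTS = [
    ("alice", date(2023, 1, 10), False, True),
    ("alice", date(2023, 2, 14), False, True),
    ("alice", date(2023, 9, 11), False, True),
    ("bob",   date(2023, 1, 10), True,  False),
    ("bob",   date(2023, 3, 12), True,  False),
    ("bob",   date(2023, 5, 9),  True,  False),
    ("bob",   date(2023, 6, 11), True,  False),
    ("carol", date(2023, 1, 10), True,  False),
    ("carol", date(2023, 9, 11), True,  False),   # first click fell out of the window by now
    ("carol", date(2023, 10, 9), False, True),
    ("dave",  date(2023, 9, 11), False, False),   # neither clicked nor reported
]

WINDOW = timedelta(days=182)   # assumed "six months"
QUARTER = timedelta(days=91)   # assumed "past quarter"


def _as_date(value):
    """Accept either a date or an ISO string such as '2023-06-11'."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def clicks_in_window(events, user, as_of, window=WINDOW):
    """Count clicks by `user` in the rolling window that ends at `as_of` (inclusive)."""
    as_of = _as_date(as_of)
    return sum(1 for u, d, clicked, _ in events
               if u == user and clicked and as_of - window < d <= as_of)


def escalation_action(click_count):
    """Map a rolling click count to an action; tiers are assumed, following the thread."""
    if click_count == 0:
        return "none"
    if click_count == 1:
        return "short eLearning"
    if click_count <= 3:
        return "thorough eLearning"
    return "refer to manager/HR"


def evaluate_user(events, user, as_of):
    """Return (clicks in window, action) for one user as of a given date."""
    n = clicks_in_window(events, user, as_of)
    return n, escalation_action(n)


def report_rates(events):
    """Per-user delivered/clicked/reported counts, the raw material for a leaderboard."""
    stats = defaultdict(lambda: {"delivered": 0, "clicked": 0, "reported": 0})
    for u, _, clicked, reported in events:
        stats[u]["delivered"] += 1
        stats[u]["clicked"] += int(clicked)
        stats[u]["reported"] += int(reported)
    return dict(stats)


def leaderboard(events, as_of, quarter=QUARTER):
    """Users with zero clicks in the last quarter, best reporters first."""
    as_of = _as_date(as_of)
    recent = [e for e in events if as_of - quarter < e[1] <= as_of]
    stats = report_rates(recent)
    clean = [u for u, s in stats.items() if s["clicked"] == 0]
    return sorted(clean, key=lambda u: (-stats[u]["reported"], u))


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, evaluate_user(SAMPLE_EVENTS, user, "2023-09-11"))
    print("no-click leaderboard:", leaderboard(SAMPLE_EVENTS, "2023-10-09"))
```

The rolling window is the part worth getting right: a naive "clicks this calendar year" count resets on 1 January and lets a repeat clicker start fresh, whereas counting back from the date of evaluation treats December and January clicks the same way. The leaderboard deliberately ranks by reports rather than by the absence of clicks alone, so that someone who simply ignores every test does not outrank someone who reports them.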