Something happened this week that really drove home the personal side of cybersecurity. A UK train operator conducted a ‘simulated phishing campaign’. Put simply, a firm’s senior management team launched a phishing attack on their own staff, to see who could be induced to click on something they should not have clicked on.
The human cost
It’s difficult not to put a human face on the person who received that email. It came from the top: the sender thanked staff for their hard work and acknowledged that a huge strain had been placed on them during the pandemic. In recognition, a one-off bonus. How good does that sound? Pretty good.
It’s not difficult to imagine how staff must have felt rewarded and delighted that their hard work during a pandemic was recognized and appreciated. It’s also not hard to imagine the dismay they felt when so quickly their hopes of receiving this bogus bonus were dashed. It’s a heartless way to behave, but it looks as though senior management may not escape unscathed.
The potential fallout
Within contracts of employment there is an implied term of trust and confidence. Researchers have long warned that there are no discernible benefits to emails like this. Firms must not conduct themselves in a manner likely to destroy or seriously damage the relationship of trust or confidence. It is difficult to argue that this email doesn’t seriously damage both. The potential for constructive dismissal cases based on this email alone is real and could yet prove painful.
It creates another headache. The backlash has been fast and furious. Destroying hard earned reputational capital with a stunt like this runs contrary to the directors’ obligation to promote the success of the company, and one can well imagine controlling shareholders being broadly displeased with the negative press.
The firm’s defense that this is what criminals do is total nonsense. Criminals do lots of things, we don’t copy them!
Researchers have warned that staff feel the effects of opening and responding to an email like that long afterwards, and that this leads to decreased productivity. Human factors experts recognise such campaigns as an exercise in futility: essentially, they warn that firms are training staff for an impossible task.
So what do the experts recommend?
Top of the list is: deploy technical security measures.
What might that look like for your business?
- Use a modern cloud email vendor such as O365 or G Suite. Accelerate those cloud migrations if you haven’t done so already and ensure you have a robust 2FA policy to minimise the risk of account takeovers.
- Adopt modern email security standards such as DMARC to protect your customers, supply chain and yourself from impersonation.
- Deploy technical solutions alongside your cybersecurity awareness training to help your employees spot and report fraudulent emails that make it past your layered defences.
By relying on expert advice to provide your team with the right equipment, your business can flourish, maintain trust and confidence, and avoid negative press. Red Sift works with global firms to implement sensible technical security measures to defend their business and people.