Sacking staff who click on malicious links does more harm than good, says security boss

Harsh penalties for staff who click on dodgy links don’t teach cyber security, says a former ADF intelligence officer who’s now the security lead at Accenture.

Accenture ANZ security lead Jacqui Kernot.

Harsh penalties including sacking staff who have clicked on a malicious link will do more harm than good for cyber security, says a former ADF intelligence officer who now handles security for a major multinational IT company.

Accenture security lead for Australia and New Zealand Jacqui Kernot said she was “vehemently opposed” to the idea, which has been a talking point across the nation for the past two days.

Cyber security awareness teams should want staff to fall for internal campaigns so they can be shown what a successful phishing email looks like and taught how to avoid them, she said.

“On people being sacked for cyber awareness campaigns and clicking on too many links, I’m vehemently opposed to that,” she told The Australian.

The comments came after it was revealed this week that the Australian Securities and Investments Commission would target directors and executives who failed to secure their companies and prepare for cyber attacks.

On the back of ASIC’s warning to business leaders, many have come forward with their own ideas on how to improve security and prevent breaches, including sacking staff or limiting their internet access.

Ms Kernot, who has held security roles at IBM, Telstra and EY, said that such penalties would only discourage staff from clicking links altogether and could have a negative impact on the business.

“Where there are big penalties for failure around cyber awareness campaigns or clicking on links, what happens is you don’t get people to engage with it because they’re scared of getting the wrong answer,” she said. “And you don’t want to start disabling the business.”

Tying metric-based goals to internal cyber security campaigns might also limit the effectiveness of those campaigns, Ms Kernot said. “If the metrics for the cyber awareness team are to get fewer people to click on links, they’re going to design campaigns that make phishing tests obvious,” she said.

Some of the more innovative cyber security teams had turned to the gamification of internal campaigns and testing.

One successful example, Ms Kernot said, was from a company which tied a phishing campaign to a certain staff member’s pay slip. An email was sent around to all staff with a senior staff member’s name and pay in the subject.

“It was quite compelling to look at, to see what that person was getting paid. If they’re the same, you know, rank as me or whatever,” she said. “The numbers spiked right back up to well over 50 per cent (of staff members opening the email).”

Companies whose cyber awareness teams are creative and come up with enticing campaigns tied to education tend to succeed.

“What you want to do is constantly be getting people to think and engage with the (internal) campaigns to get the messaging out,” Ms Kernot said. “If they’re in a state of fear and terror that they might get the sack if they engage with the next campaign, I don’t think you’re really hitting the mark there.”

Originally published as Sacking staff who click on malicious links does more harm than good, says security boss

Original URL: https://www.dailytelegraph.com.au/business/sacking-staff-who-click-on-malicious-links-does-more-harm-than-good-says-security-boss/news-story/e12cb1dde45368f747dafc780a5b561d