Should repeat offenders be sent to maximum security?
If you’re familiar with phishing simulation programs, you’ve heard the term “repeat offender.” It’s a condemning term used to describe people in organizations who consistently click on simulated phish sent by the security team.
I’ve been listening to people discuss repeat offenders for years: while attending webinars, at training classes and conferences, and when I managed the training and awareness program for a large company. If you listen regularly to the repeat offender buzz, eventually you’ll hear from those who believe disciplinary actions are the best response. In my current role working for a security education provider, I’m in frequent contact with a remarkable community of peers from other companies. We all agree on the best thing to do with repeat offenders: help them.
Don’t get lost in the buzz — your program is there to train and educate
Your phishing program is first and foremost about education. Your goal is to evaluate and benchmark the phishing resilience of your workforce, then train employees to increase resiliency and reduce risk.
If you view your phishing program as punitive pentesting for humans, instead of as an educational tool, you’re not getting the full value from your program.
You might think companies with tighter security controls in place would take a more punitive approach to their phishing simulation program. That’s not the case. In my experience, most companies with mature, well-funded security programs (think financial services, defense contractors) run phishing programs with an educational focus. Conversely, I’ve seen companies with less mature security programs run punitive phishing programs out of their SOC or CIRT.
Frankly, it’s easier to run a punitive program. You don’t need to engage with people. You don’t need to take the time to sit down and understand what makes people click. You don’t need to invest time in one-on-one training. If you hide behind a screen, lob tricky emails at people and then report numbers, you don’t have to engage. You don’t have to train. You don’t have to truly educate. But you’re doing your organization a disservice.
You’re not HR
Having said all that, a mature phishing simulation program is incomplete without an escalation process for repeat offenders. While you shouldn’t release the names of people who occasionally get snagged by simulated phish, there comes a time when it’s appropriate to expand the conversation about the short list of people who click on every phish, every time.
Keep in mind, escalate employees only when you’ve tried everything you can to educate them — including one-on-one training and conversations. A sample escalation path might look like this:
- Email to the repeat clicker with a cc to their supervisor
- Email to the employee, cc their supervisor and HR
- Email to the employee, cc their supervisor, department leadership and HR
- In-person meeting with the employee, their manager and HR
- Disciplinary action (up to and including termination)
When you’ve done everything possible and it’s not working, let HR and Legal do their jobs. Our job in security is to protect our organization and our employees, not to discipline them. Leave that to HR and the business.
If your organization is at the early stages of a program, give your employees three to four phishing simulations before you implement an escalation process. For many organizations, starting a program is a huge cultural shift. Give your training and awareness efforts a chance to percolate and allow employees time to adjust their behavior.
You’re a pro at risk
The risk repeat offenders present should be managed the same way any other risk is managed. Mitigate with additional training — CBTs (computer-based training), one-on-one training and additional phishing simulations that reinforce good security habits. You can also mitigate with technical controls, such as:
- Removing Internet access
- Blocking external emails
- Tuning endpoint controls
None of these should be done until you’ve followed your processes for addressing any other serious risk to the business: conduct a risk assessment and communicate with the business leads. Identify the data and systems the employee can access. Map out what’s truly at risk. What could happen and how likely is it to happen? Mitigating with technical controls that could inhibit the person’s ability to do their job should only be done in conjunction with your leadership and the employee’s leaders. Don’t go rogue.
You’re not their boss
Provide the risk assessment to the repeat offender’s supervisor, along with reporting on their phish clicks, CBT training completion, and all other efforts you’ve made to train the employee. Agree on the appropriate mitigation steps. If you’ve done all you can, and collaborated on the escalation process, it’s up to the business to accept the risk this person represents. It’s a business decision to keep or release the employee. It’s not a security decision. If the business opts to accept the risk, don’t give up your efforts to educate and train. One day all your hard work might pay off and the light may go on in the repeat offender’s head.
Bear in mind your goal is to break the repeat offender’s cycle of blunders through education and training. Take ownership of doing everything in your power to help these employees succeed. If it works, you might just be able to turn those repeat offenders into vocal advocates for you and your phishing program.