On the one hand, I have argued before that we need to hold people accountable because, without a stick, our people will not have as much of a reason to care in the first place. On the other hand, a couple of the stats from the report that Doug pulled out tell me something different:
“Over one-third (36%) of employees have made a mistake at work that compromised security and fewer are reporting their mistakes to IT.”
Yes, there need to be consequences, but if we create consequences that incentivize people to try and hide mistakes instead of getting immediate assistance from IT and security experts, we may do a lot more damage.
“Over half of employees (52%) said they fell for a phishing email because the attacker impersonated a senior executive at the company – up from 41% reported in 2020.”
This is a cultural issue. Attackers know this works, and it works for one reason: the culture does not allow for questioning senior executives. If the threat of what will happen to you for not jumping when an exec says jump is worse than the threat of getting phished, well, you know how that’s going to end, don’t you?
It’s a tough balancing act, but some of the stats in this report might help us all make better-informed decisions.
What takeaway will you remember for your own security training in the future?