Quote Of The Year

Timeless Quotes - Sadly The Late Paul Shetler - "Its not Your Health Record it's a Government Record Of Your Health Information"

or

H. L. Mencken - "For every complex problem there is an answer that is clear, simple, and wrong."

Tuesday, September 26, 2023

Do You Agree With What Is Said Here? I Reckon It Is Rubbish!

This popped up a few days ago:

Sacking staff who click on malicious links does more harm than good, says security boss

By Joseph Lam

12:01AM September 20, 2023

Harsh penalties including sacking staff who have clicked on a malicious link will do more harm than good for cyber security, says a former ADF intelligence officer who now handles security for a major multinational IT company.

Accenture security lead for Australia and New Zealand Jacqui Kernot said she was “vehemently opposed” to the idea, which has been a talking point across the nation for the past two days.

Cyber security awareness teams should wanted staff to fall for internal campaigns so they could be taught what a successful phishing email looked like and be educated on how to avoid them, she said.

“On people being sacked for cyber awareness campaigns and clicking on too many links, I’m vehemently opposed to that,” she told The Australian.

The comments came after it was revealed this week that the Australian Securities and Investments Commission would target directors and executives who failed to secure their companies and prepare for cyber attacks.

On the back of ASIC’s warning to business leaders, many have come forward with their own ideas on how to improve security and prevent breaches, including sacking staff or limiting their internet access.

Ms Kernot, who has held security roles at IBM, Telstra and EY, said that such penalties would only discourage staff from clicking links altogether and could have some impact on business. 

“Where there are big penalties for failure around cyber awareness campaigns or clicking on links, what happens is you don’t get people to engage with it because they’re scared of getting the wrong answer,” she said. “And you don’t want to start disabling the business.”

Tying metric-based goals to internal cyber security campaigns might also limit the effectiveness of those campaigns, Ms Kernot said. “If the metrics for the cyber awareness team are to get fewer people to click on links, they’re going to design campaigns that make phishing tests obvious,” she said.

Some of the more innovative cyber security teams had turned to the gamification of internal campaigns and testing.

More here:

https://www.theaustralian.com.au/business/technology/sacking-staff-who-click-on-malicious-links-does-more-harm-than-good-says-security-boss/news-story/e12cb1dde45368f747dafc780a5b561d

I have to say I reckon this is rubbish! My view is that you are allowed one ‘learning experience’ and after that clicking dangerous links should have serious consequences!

What do others think?

David.

Posted by Dr David G More MB PhD at Tuesday, September 26, 2023

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)