This popped up a few days ago:
Sacking staff who click on malicious links does more harm than good, says security boss
By Joseph Lam
12:01AM September 20, 2023
Harsh penalties including sacking staff who have clicked on a malicious link will do more harm than good for cyber security, says a former ADF intelligence officer who now handles security for a major multinational IT company.
Accenture security lead for Australia and New Zealand Jacqui Kernot said she was “vehemently opposed” to the idea, which has been a talking point across the nation for the past two days.
Cyber security awareness teams should want staff to fall for internal campaigns so they could be taught what a successful phishing email looked like and be educated on how to avoid them, she said.
“On people being sacked for cyber awareness campaigns and clicking on too many links, I’m vehemently opposed to that,” she told The Australian.
The comments came after it was revealed this week that the Australian Securities and Investments Commission would target directors and executives who failed to secure their companies and prepare for cyber attacks.
On the back of ASIC’s warning to business leaders, many have come forward with their own ideas on how to improve security and prevent breaches, including sacking staff or limiting their internet access.
Ms Kernot, who has held security roles at IBM, Telstra and EY, said that such penalties would only discourage staff from clicking links altogether and could have some impact on business.
“Where there are big penalties for failure around cyber awareness campaigns or clicking on links, what happens is you don’t get people to engage with it because they’re scared of getting the wrong answer,” she said. “And you don’t want to start disabling the business.”
Tying metric-based goals to internal cyber security campaigns might also limit the effectiveness of those campaigns, Ms Kernot said. “If the metrics for the cyber awareness team are to get fewer people to click on links, they’re going to design campaigns that make phishing tests obvious,” she said.
Some of the more innovative cyber security teams had turned to the gamification of internal campaigns and testing.
More here:
I have to say I reckon this is rubbish! My view is that you are allowed one ‘learning experience’ and after that clicking dangerous links should have serious consequences!
What do others think?
David.