Recently, a fellow CISO asked a group of us if we “punished employees who consistently failed to recognize phishing emails.” This created a great discussion with most folks agreeing that punishment rarely works and often has negative effects (including potential for legal action). After all, hackers take advantage of people’s willingness to be helpful or efficient and isn’t that the behavior we want from our employees?

The discussion then turned toward “how often do you phish your employees” with a formal phishing campaign. The answers ranged from every month to once a year.

This “phishy” discussion got me thinking – why are we so focused on phishing our employees? And why do we spend so much time trying to “correct their behavior?” Don’t get me wrong, I’m not saying we shouldn’t educate employees regarding phishing and help them more easily identify suspicious email. Simulated phishing campaigns can help measure the effectiveness of your training, but I’ve seen organizations that spend a lot of resources conducting the campaigns and reporting the metrics, and very little time conducting the actual training. That would be like a math teacher giving students a pop quiz without doing much more than showing kids what a math problem looks like on the first day of school. Consider the effectiveness of your training program as you review metrics; don’t just continue to phish.

Likewise, when we think about the rest of security, we realize it’s people, process, and technology. Yet email protection often degrades to just the people equation – and only a piece of that (campaigning).

  • What about technology and process?
  • Are you doing everything you can to keep malicious email from even coming into the organization?
  • How effective is the filtering of email before it even reaches your employees?
  • Are you using DKIM, SPF, and DMARC?
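
As an added illustration (not part of the original post), here is a small Python script that evaluates the posture of a domain’s SPF and DMARC records the way a defender would during a quick review: it parses the two TXT record strings, counts the DNS lookups SPF will need (RFC 7208 permits at most 10), and flags weak settings such as a softfail “~all” or a DMARC policy of “p=none”. The record strings and the domain names in them are constructed for a hypothetical domain; a real check would fetch the apex TXT record and the _dmarc.<domain> record from DNS instead.

```python
"""Assess SPF and DMARC record posture.

Added example. The record strings below are CONSTRUCTED for a hypothetical
domain (example.com / example.net) and are not real DNS data; a production
check would resolve the apex TXT record and _dmarc.<domain> instead.
"""
import re
from typing import List, Optional

# RFC 7208 terms that each cost a DNS lookup; the limit is 10 per evaluation.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> dict:
    """Split an SPF record into terms, count lookup-causing ones, note the 'all' qualifier."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        if "=" in term:  # modifier such as redirect=_spf.example.net or exp=...
            name, _, value = term.partition("=")
            name = name.lower()
            lookups += name in SPF_LOOKUP_TERMS
            mechanisms.append((name, value))
            continue
        qualifier = "+"  # mechanisms default to pass when no qualifier is given
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if not term:
            continue
        name = re.split(r"[:/]", term, maxsplit=1)[0].lower()  # strips :domain or /cidr
        lookups += name in SPF_LOOKUP_TERMS
        if name == "all":
            all_qualifier = qualifier
        mechanisms.append((qualifier + name, term))
    return {"mechanisms": mechanisms, "lookups": lookups, "all": all_qualifier}


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=...; ...' into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess(spf_record: Optional[str], dmarc_record: Optional[str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing weak was found."""
    findings = []
    if spf_record is None:
        findings.append("no SPF record: any host can claim to send for this domain")
    else:
        spf = parse_spf(spf_record)
        if spf["all"] is None:
            findings.append("SPF has no 'all' term: unlisted senders get a neutral result")
        elif spf["all"] in ("+", "?"):
            findings.append(f"SPF ends in '{spf['all']}all': effectively allows any sender")
        elif spf["all"] == "~":
            findings.append("SPF ends in '~all' (softfail): enforcement depends on DMARC")
        if spf["lookups"] > 10:
            findings.append(f"SPF needs {spf['lookups']} DNS lookups (limit 10): evaluates to permerror")
    if dmarc_record is None:
        findings.append("no DMARC record: receivers get no policy and you get no reports")
    else:
        dmarc = parse_dmarc(dmarc_record)
        policy = dmarc.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
        elif int(dmarc.get("pct", "100")) < 100:
            findings.append(f"DMARC pct={dmarc['pct']}: policy applies to only part of the mail")
        if "rua" not in dmarc:
            findings.append("DMARC has no rua= address: no aggregate reports to review")
    return findings


# Constructed sample records for a hypothetical domain (not real DNS data).
WEAK_SPF = "v=spf1 include:_spf.example.net include:mail.example.org ~all"
WEAK_DMARC = "v=DMARC1; p=none"
HARDENED_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
HARDENED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("hardened", HARDENED_SPF, HARDENED_DMARC)):
        print(label, assess(spf, dmarc) or ["no weaknesses found"])
```

The weak pair produces three findings (softfail SPF, DMARC monitoring only, no reporting address) while the hardened pair produces none; the same functions can be pointed at records you retrieve for your own domains to see which of these gaps apply.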

From a process perspective, have you made it really easy for your staff to report suspected email – and more importantly, are you giving them feedback on what they report?

There are other things you can do to help mitigate the risk of employees making a mistake and clicking on a malicious email. Be sure you and your IT department are looking at the people, process, and technology involved in handling a situation where someone has clicked a malicious email.

Bottom line, it’s not all about phishing our staff until they’re afraid to open anything. It’s about taking the same layered approach to malicious email that you do to any security scenario.

If you have any questions or concerns please don’t hesitate to contact me at

Be safe. Be Secure.