When my colleagues Claire O'Malley and Brian Kime wrote their blog post "Point/Counterpoint: The Ethics Of COVID-19 Phishing" in March, it turns out they were inadvertently predicting an event that took place last week: An employee took to social media to speak out about a highly insensitive phishing simulation.
Tribune Publishing Company, publisher of newspapers like the Chicago Tribune and The Baltimore Sun, conducted an ill-timed phishing simulation. The email was offering targeted bonuses of $5,000 to $10,000 to the remaining staff that had survived an ongoing wave of pandemic-spurred firings and pay cuts. Users were prompted to log in to view their promised bonuses, and, in doing so, they were met with an alert of how they had just failed a phishing simulation test.
A Thoughtless Campaign Phishes Away Brand And Goodwill
This presumably inadvertent misstep resulted in a negative experience for all involved:
- Already struggling employees got an extra slap in the face with a phish. The pandemic has introduced a significant amount of stress around reentry to work, burnout, financial instability, health concerns, and anxiety about job loss. Loss of jobs and wages exacerbates the stress on employees. In this instance, the reception of employees receiving this phishing simulation that claims to pay a bonus to those who've already lost so much could not have been direr.
- The organization's brand took a hit. How you treat your employees defines your brand and values as an organization. Customers, business partners, and future hires are watching how and if your firm places an emphasis on employee experience (EX), as they make decisions about their relationship with you. Tribune Publishing Company's employees took to social media to register their outrage; others joined in amplifying the outrage, putting the organization's brand through the wringer at the worst possible time.
- The vendor's image was hurt, despite taking steps to manage this risk. The vendor, KnowBe4, did not initiate the simulation, and it took many steps to educate customers about the ethics of phishing and clearly marked its controversial templates, as KnowBe4's CEO pointed out. However, this did not spare the vendor from the public's ire, as many publicly criticized the vendor that provided the phishing template. Cybersecurity vendors should be wary that the way customers use your products and services can impact you as a provider, no matter how much you might attempt to distance yourself from it.
- Security's already tarnished reputation faced more negativity. Security has long held the reputation of being a team of fun-ruiners who regularly tell the rest of the organization "no" and place inconvenient restrictions on employees' everyday tasks, including distributing security quizzes and phishing tests that can be annoying and unnecessarily deceptive. Security practitioners have been working hard to improve security's image by creating positive associations with security and reworking security practices. However, an incident like this sets the clock back and forfeits some of the goodwill earned.
Controversial Phishing Simulations Can Damage EX
The counterpoint supporting the use of controversial simulations is that attackers are not above using the very same tactics in question here — and that's true. The difference is that attackers have no obligation to treat the employees in your organization with respect and empathy — your security program does. Your security awareness and training programs (including phishing simulations) are your face to the organization. The importance of remaining ahead of adversaries does not give you license to hurt the very people you're trying to engage. Be intentional about the examples you're using for your simulations and consider the following:
- What is the potential impact of this simulation on employees' mental health?
- Is this simulation realistic, necessary, and empathetic?
- How will the tone of the simulation be perceived by employees?
- Does this benefit the humans on the other end?
- Am I being smug and gaming with employees, or am I genuinely trying to change behavior?
- Is there another way you could be communicating this message?
The Tribune Publishing Company could have educated their employees about the dangers of phishing with a simulation that prompts them to check their vacation balance, log in to a virtual meeting, or a variety of other non-pandemic and non-fear-inducing wording.
Additionally, be consistent about the way you provide pandemic updates. For example, provide business-related pandemic updates via virtual meetings instead of mass email chains. That way, your employees will also recognize that if they see an email containing pandemic updates and click prompts, they'll know it's from an attacker with malicious intent and not a manager or HR.
Make Influence And Empathy, Not Shame, The Names Of Your Game
Education and shame are not synonyms. You may win the battle, but the war is much bigger. Continue your phishing simulations and your security awareness and training campaigns. These efforts, however, don't tell the full story. As a security leader, your bigger opportunity is to engage, influence, and benefit your employees as well as your organization's customers, and even society. You do this through careful planning and positively influencing and engaging your stakeholders. In this environment, more than ever, make empathy your new superpower in all the big and small things that you do, such as walking the floor, managing your teams, engaging with your stakeholders, and yes, even phishing simulations.
This post was written by Principal Analyst Jinan Budge with a team of analysts, and it originally appeared here.