I’m often contacted by CEOs or managers after a business experiences a cyber incident that results in real damages. After describing the event, they often ask if they should fire an employee who fell victim to a social engineering attack (vishing, phishing, credential harvesting…). In most cases the answer is a resounding NO! First, the business just spent the amount of the loss training the individual because that person will never again fall for the same type of attack. Second, it is HIGHLY likely that the manager and/or company failed this individual by not implementing the proper controls and providing the proper training to prevent the breach in the first place. Third, if you do fire the employee, they will likely go to a competitor who will be happy to have a good employee who is more savvy than most about cyber risk.
If you own a business or have responsibility for managing business risk, you need to take steps to protect your business, your shareholders, your employees, your vendors, and most importantly your customers. It’s on you! It is likely that you’ve delegated responsibility for IT support and cyber security, but you are the leader and you are responsible for defining your expectations and supporting the initiatives to implement controls, procedures, and training. If you haven’t implemented controls and trained your people, it’s on you. Don’t fire the employee who fell victim to an attack. Step up and protect your employees.
– David Lewien, President
Your credentials can be phished, period. If you think you’re above being phished, you’re wrong. We all have weak moments and the criminals are really good at preying on our whims and emotions. Trust me, you can be phished. Don’t put so much pressure on yourself. Implement multi-factor authentication (MFA) wherever possible to protect your accounts even if you are phished. This is so important that we put together a video to show you how. Watch this video. Please just give us a call if you want help or want to discuss additional configuration options to ease implementation for your business. We will be happy to help.
If you don’t know anything about Office 365 Multi-Factor Authentication, please check out our blog and video from December 2017 for a complete overview: https://www.gowestit.com/office-365-multi-factor-authentication.