Workers are on notice, with some organisations admitting they would sack anyone who clicked on a phishing email if they had been given appropriate training in what to look out for.

As organisations impose safeguards to prevent against the growing tide of cyber breaches hitting Australia, the topic of penalties for workers who click on dodgy or suspicious emails has been raised.

Frank Lombardo, chief technology officer at Melbourne’s Insignia Financial told a recent cyber summit that clicking on suspicious links should be a firing offence.

Lombardo told the audience that Insignia tested its employees daily by sending them phishing simulation emails to see who clicked on them, as part of an education and awareness exercise.

While a sacking isn’t immediate, it could be appropriate action to protect an organisation after multiple failures to detect phishing or malware attacks. Otherwise, organisations should consider restricting a worker’s internet access to the intranet only, Lombardo said.

“Ultimately, you need to recognise that if you’ve done everything that you can and if there’s a weakness, and if at that human level and the human just isn’t getting it, then you do need to take appropriate action, because the consequences are severe if you get it wrong,” he has said publicly.

His comments came after high-profile cyber breaches at Optus, Medibank, Latitude and most recently, Pizza Hut.

While we don’t know how these breaches have occurred in each case, it is well understood that humans inadvertently clicking on phishing emails are a common cause for concern for organisations, particularly given that so many workers access company information remotely these days.

So far this year, Australians have lost $21,177,395 across 72,471 reports to phishing scams, with 20,000 of those scams sent via email, up substantially in the last year, according to Scamwatch.

Most organisations spent a great deal of time and resources detecting and mitigating external threats, but few made the same investment in addressing internal threats, Adrian Covich of cybersecurity business Proofpoint said.

Insider threats costs organisations $US15.4 million in 2022, up 34 per cent from two years prior.

Organisations should prioritise a people-centric approach, he said.

“A notification system that alerts end users to policy violations and requests a justification are also great guardrails that can reinforce good behaviour and allow employees to effectively recognise and respond to phishing emails,” Covich said.

‘Testing’ workers  inappropriate

Despite that, human relations experts have told The New Daily that sacking a worker for clicking on a phishing email was completely inappropriate.

They agreed that – given the constant changes in the cyber landscape – training and education were far more important, as well as being on alert.

But not everyone agreed. Anna O’Dea of recruitment company Agency Iceberg said the thought of a manager intentionally sending out phishing simulation emails to staff to see who clicked on them as a ‘test’ was terrible.

“I’ve worked in the recruitment industry for more than a decade and know first hand that people don’t leave jobs, they leave people and leaders that they don’t respect. I would be very interested to know the staff turnover [and anxiety] rate at Insignia Financial,” O’Dea said.

Now Actually Human Resources strategy and compliance manager Jess Gleeson agreed several steps should come before such an aggressive approach.

Managing people is a lot trickier than a piece of technology. The common sense approach would be to address the cause, not the concern, Gleeson said.

Workers inadvertently clicking on phishing emails is an issue for organisations. Photo: Getty

“If an organisation can only manage the success of their training by trying to use deception and fraud to evaluate its success, isn’t that saying something about the quality of the training?”

“What does this do to the culture of the organisation, where employees then have to be on alert to determine whether or not management is trying to trick them or test them to do their job effectively?

“It doesn’t encourage collaboration, inclusivity, or a caring and nurturing culture. Instead, it promotes one that is punitive, doesn’t allow for mistakes and doesn’t trust the employees,” Gleeson said.

Stephen Roebuck, associate director for employment relations company Employsure, agreed that phishing attacks were getting increasingly sophisticated and that jumping to disciplinary action as a solution for what could be a knowledge gap was unfair.

While misconduct can be a valid reason for dismissal, it would need to be a case of repeatedly clicking on phishing emails despite rounds of training.

“Employers that have a clear policy in place can legally take disciplinary action against employees who fail to follow reasonable management directives that put the business at risk.

“Without such policy, employers may be unable to take action when employees misuse company property, whether intentionally or negligently,” Roebuck said.

Most organisations will have processes for when this occurs, so ask your boss what they are if you don’t already know.

And if you do click on an email you suspect is a phishing scam from your work email address, disconnect from the internet and contact your IT department or supervisor immediately.