Recently, a British company sued a former employee over the fact that the employee fell for a Spear Phishing attack aimed at their CEO, that resulted in her sending a nefarious actor almost $250K USD of the companies funds.
You can read all the details here.
This action represents a significant change in how cyber breeches and phishing attacks such as this are viewed by the business community. Traditionally, the ultimate responsibility for financial loss due to hacking or phishing activity lay with the company. It was incumbent upon them to implement compensating controls – educating their workforce, purchasing cyber-security insurance, etc.
This actions represents a fundamental shift in the responsibility for these breeches. Rather than the employer accepting that responsibility, but suing their own (former) employee, they are essentially stating that the responsibility to NOT FALL FOR IT lies with the employee.
It is all very well and good to put the burden for your companies cyber security on your employees, but if you are going to do that, you need to provide them with appropriate training. Employees do not just instinctively know how to recognize a phishing email. Especially not the finely crafted examples that usually constitute a Spear Phishing attack – an attack focused on a specific, high-level manager/executive within a company.
In this particular case, the employee who fell for the Spear Phishing email had received no training whatsoever on how to recognize a phishing email. Let me say that again: The employee received no training on how to recognize a phishing email.
So who’s fault is it?
Is it just and fair for an employer to hold an employee accountable for something they have not been trained on? Is it not the responsibility of the company to obtain and maintain appropriate cyber security insurance?
This case sets a precedent that employees around the world need to take notice of. Gone are the days when you could just ignore cyber security and say it was “the companies job to take care of that”.
Each and every one of us is responsible for cyber security. As an employer, you must provide appropriate training and resources for your staff before you can expect them to respond appropriately to a cyber or phishing attack.
As an employee, we all need to take responsibility. We must be diligent and attentive. Look for the tell-tale signs of a phishing email. Question everything. If you don’t you could find yourself on the losing end of law suit brought by your employer.