Handling repeat offenders correctly and respectfully is easier than you may expect, assuming you’re prepared with your “why” statements.
Before beginning a remedial program, in which you provide accountability measures for employees who violate policy and cannot identify phishing, ensure you have clear reasons for having such a program in the first place.
It is best to align these reasons with your industry and, if possible, make them specific to your brand.
A financial services investment firm as an example:
We are not Netflix or Walmart; if we are breached, another company doesn’t just pick up the market share. If we are breached, we could cause a global financial incident and damage our clients' ability to provide for and protect their families by putting their financial well-being at risk. These risks are not the same. For this reason, we have an elevated and unequal expectation from the PUBLIC to ensure we protect the data we are entrusted with.
Action plan:
I believe in accountability at all levels of an organization where a security culture is paramount. This does not, however, mean you go around firing anyone who makes mistakes. For those who are introduced to your “remedial accountability schedule” <see separate page for more>, have a plan for the two types of folks who end up assigned to it.
If you have an employee who progresses to the top of your schedule and again makes a mistake, I suggest considering the following:
If:
An employee demonstrates humility and an authentic desire to learn and better themselves, then providing further attention and engagement opportunities is more than acceptable and demonstrates a fair operational culture. Do, however, consider whether network access needs to be removed or suspended for folks with privileged access.
But if:
An employee says things such as “this program is ridiculous and unnecessary,” or “The last place I worked at learned the hard way not to hold people accountable,” or otherwise neglects to take self-accountability and demonstrate a desire to better themselves, fire that loser. Consider this frame of mind to help yourself understand the notion:
If you yourself make these ridiculous claims, which are essentially cries to be told, “oh don't worry, you’re right, it’s too hard to learn basic cyber hygiene,” simply in the hope that your boss will get off your back about it and you can go back to doing whatever you want whenever you want, ask yourself: if I were to protest in the parking lot because my organization fired me for being unwilling to even try to learn basic phishing awareness in order to protect the public’s data, would the public come to my aid, or would they laugh at me?