What sort of rewards do employees get for successfully reporting suspicious emails or other kinds of phishing?

Director of Engineering, 2 years ago

Whilst we do not (generally) reward users for successfully reporting simulated, or even legitimate phishing mails, we do recognise their efforts. However, during the Security Awareness Week in Oct, we have used prizes for users who complete all training and successfully identify the phishing emails sent during that week.

I think that recognition, resulting in closing the loop, awareness and learning are the best outcomes to drive behaviour.

Head of Information Security in Services (non-Government), 2 years ago

We don't currently offer rewards for reporting phishing, but it's something we're interested in pursuing. We want to reward good behavior and, when people do report phishing attempts, we also want to tell them whether it actually was or was not a phishing email. Through certain platforms, you can provide that affirmation for positive identifications and if an email is mistakenly reported, you can tell the user that it wasn’t phishing but thank them for reporting it anyway.
