User awareness: In cybersecurity it’s a constant battle, and one fought on multiple fronts. Regular reviews of policies and procedures are important, but so is real-world testing. Pretext calling, physical breach attempts, phishing tests… experts agree they’re vital tools for education and awareness.

Knowing this, a hospital system in Newfoundland recently engaged a firm to conduct a phishing test, and the ruse used by the testers was enticing: a bonus paid day off for workers, who only needed to log in to a website to register for the benefit.

Unfortunately, this test ran at a time when many hospital employees had been facing mandatory overtime.  The result? A lot of angry employees and union representatives, along with unflattering media coverage. Employees argued that the ruse used by testers was “insulting, degrading and disrespectful,” to quote the original article by Garrett Barry in CP24.

We’ve run our own fair share of phishing tests here at infotex (and would be happy to discuss such testing for your own organization), and incidents like this highlight the need to thoroughly review and approve any phishing tests for appropriateness before they’re launched. Indeed, phishing tests are supposed to present an attractive lure, but not at the expense of alienating or appearing to insult the people it’s intended to educate.

In this case, the hospital system in question has decided to make good on the phishing test’s promise and give their employees an extra day of paid time off. We like to believe that both management and employees can learn from a well constructed test, though in this case more careful oversight of the process could have made that lesson a less expensive one.