Cybersecurity & User Error

PROLIFIC_PID

Use a security tool (e.g. email gateway reporting button)

Employees decide themselves / no formal process

We discourage reporting unless clearly malicious

They click or proceed with the action anyway

Phishing or impersonation attempts reaching employees

Business email compromise (BEC) or invoice fraud attempts

Specific phishing training (e.g. simulations)

Report phishing email buttons in email clients

It’s great - end-users retain the knowledge

It’s more of a compliance checkbox than an actual protection mechanism

It’s outdated and doesn’t mirror modern threats

End-users complete it because they have to

Yes - still very fit for purpose/accurate

No - less fit for purpose than it was before

We use an IDP (e.g. Okta) in front of ALL our SaaS applications

We ask end-users to use MFA - and we track it

We ask end-users to use MFA - but we don't have visibility if they do

We enforce usage of a password manager for all users to keep passwords rotated/updated

We don't think this is something worth addressing

This is something we'd like to address but don't have a solution for