Statistical reality aside, employees’ perception is that the odds are dramatically against all of the following happening: they open a contaminated attachment, damage results, and that damage is traced back to the employee’s actions.
In short, employees are rushed and they think it’s a decent gamble to open attachments that at least look legit. (The really bad ones are easy to dismiss.)
If a company is serious about getting people to strictly and routinely use proper security, it needs to improve those odds. Bosses should send and track attachments that their staffers did not expect. Anyone who opens one without checking should face some consequences.
It could be a small amount of pay docked, or it could be the reverse: a small amount of money that is awarded to people who, over the course of a month, never clicked on one of the trap attachments.
Call this catching employees at being good, if you will. But somehow, you have to convince people to behave properly, and money is the only effective motivator you have.