Some years ago, during a (quite extended) phishing avalanche at the company I was with at the time, the (then) CIO said: “Let’s fire every user that falls for a phishing mail! That will solve the problem for good.”
I considered it a joke, and I replied pretty much with a rhyme: “Let’s train them before we blame them,” and I didn’t give it a second thought. We went on to deploy some training modules, but never really implemented the technical controls on the mail server; had those been implemented, several of those phishing mails would never have entered the company. I think that this is not strictly a user failure and I’m inclined to blame the IT department more than the user.
On the 26th and 27th of March I was invited to participate in the Cyber Security for Critical Infrastructure 4.0 conference organized by Cyber Senate in Amsterdam. It was a very nice conference, organized brilliantly by Alex Matthews and James Nesbitt. Chris Blask was in charge of the coordination of the conference, and we all enjoyed a nice flow of the talks, panels and breaks.