Clicking a link isn’t supposed to have side effects, if it does someone else fucked up.

In my time as a cybersecurity professional, my approach is always to blame the system, not the person.

If they clicked on a phishing link: 1) that email should never have reached their inbox, 2) that link should never have loaded, and 3) our awareness training is not up to snuff.

We have test-phishing mails sent by our IT-Sec team on a regular basis. There’s usually an obvious one and a better made one. First round 10% clicked the obv. one, 99% the good one.

We had a lot of trainings after that.

Last year the numbers went down to 5% and 80%.

If your security concept relies on both of these numbers being zero, you’re an incompetent hack trying to shift the blame on end users instead of doing your job.

True, in many cases there is a whole chain of vulnerabilities and misconfigurations, and everything starts with one phishing mail. For example:

• successful phishing
• VPN without 2FA, allowing the attacker access to company services
• internal services with vulnerabilities, allowing the attacker to compromise a server
• permission misconfiguration, allowing lateral movement

That was the point of this meme. It is not phishing alone that gets the company in trouble, its mostly a series of misconfigurations.

I think that in cyber security, we have to assume that phishing will be successful sometimes - and be prepared when it happens.

Yep and then whatever is trying to execute should be limited by user permissions, app whitelists, EDR / MDR, and a pile of other defenses.