Would your average Internet user be any more vigilant against phishing scams if he or she faced the real possibility of losing their job after falling for one too many of these emails? Recently, I met someone at a conference who said his employer had in fact terminated employees for such repeated infractions. As this was the first time I’d ever heard of an organization actually doing this, I asked some phishing experts what they thought (spoiler alert: they’re not fans of this particular teaching approach).
John LaCour is founder and chief technology officer of PhishLabs, a Charleston, S.C. based firm that helps companies educate and test employees on how not to fall for phishing scams. The company’s training courses offer customers a way to track how many employees open the phishing email tests and how many fall for the lure.
LaCour says enacting punitive measures for employees who repeatedly fall for phishing tests is counterproductive.
“We’ve heard from some of our clients in the financial industry that have similar programs where there are real consequences when people fail the tests, but it’s pretty rare across all types of businesses to have a policy that extreme,” LaCour said.
“There are a lot of things that organizations can do that aren’t as draconian and still have the desired effect of making security posture stronger,” he said. “We’ve seen companies require classroom training on the first failure, to a manager has to sit through it with you on the second time, to revoking network access in some cases.”
LaCour said one of the most common mistakes he sees is companies that purchase a tool to launch simulated phishing campaigns just to play “gotcha” with employees.
“It really demotivates people, and it doesn’t really teach them anything about how to be more diligent about phishing attacks,” he said. “Each phishing simulation program needs to be accompanied by a robust training program, where you teach employees what to do when they see something phishy. Otherwise, it just creates resentment among employees.”
Rohyt Belani, CEO of Leesburg, Va.-based security firm Cofense (formerly PhishMe), said anti-phishing education campaigns that employ strongly negative consequences for employees who repeatedly fall for phishing tests usually create tension and distrust between employees and the company’s security team.
“It can create an environment of animosity for the security team because they suddenly become viewed as working for Human Resources instead of trying to improve security,” Belani said. “Threatening people usually backfires, and they end up becoming more defiant and uncooperative.”
Cofense provides a phish reporting system and encourages customers to have their employees flag suspected phishing attacks (and tests), and Belani said those employee reports can often stymie real phishing attacks.
“So what happens a lot of times is a person may click on link in a real phishing email, and three seconds later realize, ‘Oops, I shouldn’t have clicked, let me report it anyway’,” Belani said. “But if that person knew there was a punitive angle to doing so, they’re more likely not to report it and to say, ‘You know what, I didn’t do it. Where’s the proof I clicked on the link?'”
LaCour says PhishLabs encourages clients to use positive reinforcement in their employee training campaigns.
“Recognition — where employees and departments that do especially well are acknowledged — is very common,” LaCour said. “We also see things like small gifts or other things that companies would typically use to reward employees, such as gift cards or small bonuses for specific departments or people.”
LaCour said his offices make a game out of it.
“We make it competitive where we post the scores of each department and the lowest scoring department has to buy lunch for the rest of the department,” he said. “It teaches people there are real consequences and that we all need to be diligent when it comes to phishing.”
What about you, dear readers? Does your employer do phishing awareness training and testing? What incentives or disincentives are tied to those programs? Sound off in the comments below.
Where I work (financial industry) everyone has to attend at least one annual classroom training that covers security topics including social engineering and phishing. They do simulated e-mail phishing campaigns throughout the year, and even have people come on premises to do social engineering and try to get into places they shouldn’t be (back office areas, networking closets, filing cabinets, etc).
Failing those tests are treated as a learning opportunity, and often includes a one on one with their manager to discuss it if its a recurring issue for an employee. Although you have to draw the line somewhere. I honestly don’t see a problem with terminating someone’s employment for continually falling considering all we do to train. Those people become a liability and its not worth the risk if they are unable to change their behavior.
” … even have people come on premises to do social engineering and try to get into places they shouldn’t be (back office areas, networking closets, filing cabinets, etc). ”
It can be dangerous for employees to confront an unknown person who is trying to gain access to an area they should not be. There have to be procedures in place for employees to follow to protect themselves as well as the company’s other employees and equipment.
Who said anything about confronting people? We have branches and corporate locations that have lobbies that the public can walk into. We have people come by and say things like “Hi I am Joe with Comcast. I need to get into your networking closet to troubleshoot an issue”, or, “Im with HVAC company here to perform service”. Stuff like that. Procedure is to ask for ID and a call to IT or Facilities to confirm the appointment.
Sounds like a deficiency in the physical security layout.
There should be no path an unknown person off the street could enter secure work spaces without going through Points of Entry where they need to badge in through a door, or pass a checkpoint for checking ID.
If such a place is so permissive…. it should NOT be upon regular employees to “see something, say something”. Any place reliant on busy non-security or front desk people to spot suspicious characters…. is doing security wrong.
“There should be no path an unknown person off the street could enter secure work spaces without going through Points of Entry where they need to badge in through a door, or pass a checkpoint for checking ID.”
That’s exactly how it works… why else would they ask to be let in? They are testing to make sure procedures are followed.
Firing someone for falling victim to a crime (or a simulated crime) is like arresting someone for having their stuff stolen. I’ve even met law enforcement agents specializing in infosec who have admitted to falling victim to them.
As an infosec professional, I would personally refuse to carry out a phishing test that I knew would cost people their jobs. In fact, I would probably refuse to continue working for an organization that did that. Just because you CAN do something, does not mean you SHOULD.
As an infosec professional you would probably agree that technology solutions can only go so far, and that people are usually the weakest link in an organizations cybersecurity, no? Is there no point at which you would consider terminating an employee for falling for test phising emails even after extensive training? What if they clicked on 20 of them? 50? 100? Imagine if one of them were real and caused real damage, and that employee had documented history of repeatedly failing phishing training. At some point not firing them would be negligence on the part of the employer IMO.
…”failing phishing training. At some point not firing them would be negligence on the part of the employer IMO.” And, John LaCour of PhishLabs, says, “robust training”.
I can think of robust training that still isn’t robust. Training on phishing; but, not including training on email headers, email routing, malicious routing lookups, etc, isn’t extremely “robust” .
I could be convinced that a phish could be so convincing that it could not be determined without making an “out of band” contact–phone call to the originator–or much time investigating beyond the email itself.
I can’t imagine teaching “email headers, email routing, malicious routing lookups, etc” to my doctors. I can see eyes glazing over just thinking about it. We do teach that if an email looks unusual they should call the person that sent it, and I know that has saved us at least three times in the last twelve months.
I also know that I had a user fail 9 phishing tests and during our one on one training tell me that they did not care about email security. It was my job not theirs. They are no longer with the organization.
There are limits to technological solutions, yes. You cannot prevent 0-days you don’t know exist yet.
But there are even harder limits on how well you can train a person to spot phishing. That is why humans remain the weakest link… because they CAN’T BE PATCHED. Training is good, and needed, but it will never be as good as a hard technical solution.
If someone should be fired at all, it should be the people in charge of patch management, application whitelisting, AV, email and endpoint security.
THESE are the things that truly protect from phishing at the end of the day.
Yeah, you can applaud the one or two people who spot a real attack and don’t click the link. But if the attacker was smart and/or patient, they got through somewhere. And the responsibility lies in email and endpoint security for not catching malware, letting malicious code run, etc. There are even solutions for 0-days based on behavior.
UITS (University Information Technology Services) at Indiana University has been rolling a fantastic anti-phish campaign for a diverse and extensive group of users. Modesty aside:
https://itconnections.iu.edu/2018-april/phish-jose.php
Don’t worry about modesty – you have every right to toot your horn. Congratulations on the prizes!!
Had an employee who failed every phish test and seemed impervious to education.
But he didn’t interact with customers, didn’t handle money, and didn’t have write access to anything important.
So it was decided to leave him be but keep watch.
The artcle refers to the phishing test.
John: so, I guess to understand clearer. If I have a fish in a fish bowl, watching it and feeding it, it will continue to be a fish no matter what. That is, it will be curious and swim in circles around the fishbowl. But the phish employee you are referring to is the fisherman who yanks his fish trap into the atlantic ocean to catch the fish as prey.
Is that still considered phishing? I bet it does.
In Office 365 you can prohibit selected employees from directly receiving any external email and while we have yet to implement that solution it is the solution we will use if we need to.
Firing someone over this is a non-starter.
Also, we use SANS for our phishing awareness and since we started the program we went from a typical 7% to 11% of our users to maybe just one or two clicking through. In many tests over the past year NO ONE clicked through and we’re extremely satisfied with the effectiveness of the SANS program.
Perhaps companies should start changing the way they view external communication. Just as you can’t walk into the average business, go find someone and start talking to them (without going through security, having a badge or an escort, etc.) perhaps companies need to rethink who all really need external email versus some approved collaboration tool. I know this is a radical idea that is subject to a lot of disagreement, but email as it stands today is a security cesspool that is only going to get worse. So something has to change.
Yep… with the solutions available today… there is no reason why some users in a group wouldn’t have every external email link and attachment run through a sandbox.
It takes some work to implement properly… but security of the endpoint is really the responsibility of the security team, regardless of the doctrine of “individual responsibility”.
Simply put, attackers are way smarter than average users. So you can’t actually train average users to outsmart them, let alone our below-average users.
Completely agree with you. Before I read your comment I made a similar one this morning about having mail exhanges/servers filtering out anything with spoofed headers, obfuscated URLs, and malicious attachments by running them through scanners, VirusTotal, etc… and failing that, to have policies/training in place to require end-users to do it manually. I think we could even train a monkey to run things through a scanner first before opening them.
Should getting phished be a offense worthy of firing?
Somebody at Ubiquiti fell for a phish that persuaded him to make a large wire transfer. Is that fireable?
One John Podesta got phished, twice, and the resulting breach affected the outcome of a national election. Is that fireable?
I believe anybody who’s “too busy” to get trained to avoid phishing, and who’s “too busy” to try to avoid it, is unfit for public office or any position of public trust.
Agree entirely…
It’s more about people who don’t have any training or leadership in IT Security. There’s a lack of skill and many vacant jobs, so people get phished for there simply not being a manager for team awareness on IT.
If there were more skilled people capable and willing to work for places of the likes of the DNC, it wouldn’t’ve happened, hands-down.
I don’t know if this discussion is at the same level as wire fraud.
When most people think of phishing, they think of clicking links or opening attachments which results in local system compromise of some kind. Not really the overt fraud of convincing someone to wire money.
Banks separate those special users, or should, into their own group. Privilege to initiate wires require additional training, completely separate from phishing.
Furthermore…. wires are forbidden by policy to be initiated by email. So phishing is normally not associated with wire fraud.
In fact, emails that request wires, don’t go to the phishing investigation team… but to the fraud team. Very different team.
“When most people think of phishing, they think of clicking links or opening attachments which results in local system compromise of some kind. Not really the overt fraud of convincing someone to wire money.”
Joe, I think you’re failing to realize something here. You mentioned that phishing typically results in local system compromise, which I totally agree with; however, there is always a motive behind the phish. People aren’t phished just to compromise the machine. Usually it’s a flow of: ‘phish > compromise > intended action of attacker’. After the compromise, this branches off into many, many different options. What’s being seen more frequently in phishing campaigns is the use of ransomware. If this is the case and the company gets slapped with a ransom, they have two options: (1) pay the ransom and hope they get their files back, or (2) ignore the ransom, restore from backup, etc. In any case, the company is incurring some form of loss on behalf of their employee. Do you honestly believe that if this occurs multiple times from the same individual that it’s not grounds for being fired? If that single individual has fallen for phishing multiple times and each time there was some loss observed, this individual needs to be fired. Training clearly isn’t working in that case and they are utterly failing at their job.
“‘phish > compromise > intended action”
Well, using a real attack “kill chain”, this simplified version does make my point.
Just because it is comes sooner in the kill chain, doesn’t mean all responsibility lies there.
If the organization is not practicing Defense in Depth… then they are tempted to throw their employee to the wolves, as the scapegoat, to avoid liability and to avoid addressing the real problem in their security posture.
“In any case, the company is incurring some form of loss on behalf of their employee.”
See?, that is the problem. If you consider the phished employee as the ‘root cause’ of this loss… you are doing security and risk all wrong!
Going back to your simplified kill chain… compromise (privilege escalation, code execution) and intended action (data destruction) are two very serious security gaps. Allowing these to happen, regardless of the initial entry vector… is a bigger problem than phishing.
If someone should be fired because of loss to a company, it is the security team manager/director/executive that failed to protect the organization. It is their job to do security… not users who are trained to do whatever job they do.
Being truly vigilant against even sophisticated phishing… would take more time and cause more loss of business than is reasonable. Training is good, but has diminishing returns. Getting them 99% likely to spot the good phishing emails… means they spent hours every day going over email headers, forwarding for inspection, and ignoring legit emails.
We do phishing tests each month and we terminate employees who fail them (5) five times; fortunately, we haven’t had anyone fail more than (2) two. I don’t agree with someone losing their job over this, but if someone fails that many times, something needs to change, I”m just not sure what it is.
The training plan needs to change. Perhaps these individuals need more personalized training. Oftentimes the C-level executives are some of the worst offenders, are they also being fired?
A mistake is the best training opportunity available. Train your employees to report the email, even if they clicked on a link. By firing them, you’re training them to never report phishing emails.
Most of our employees learn from their first failure, or the failures of their co-workers, and become more aware – you’re right about a mistake being a good training opportunity. I don’t like fear-based training, my superiors see it differently, but I’m still working to positively improve our culture of security. Thanks Sean…
Sounds like they’ve learned to pass the test.
Try a spear phishing with a personally crafted message… and you’ll see.
I like the personally crafted idea, I’ll give that a shot – Thanks Joe!
I have mixed feelings about this. As phishing/malware attacks are becoming more creative so has the awareness. There are some times I feel that individuals do not care about the mock tests as they know that there are no real consequences to them personally. On the business side of things you would hate to be that person that caused a ransomware attack by being ignorant, or getting phished for credentials that caused a breach and/or massive losses.
In other words people become a liability so I feel that there has to be a consequence of some kind but what is that threshold before the company says pack your stuff?
If a person cannot learn from mistakes then its a bigger issue than just testing security awareness but with strictly sticking to phishing in all forms then yes. What will your insurance company say when you tell them “yeah we know he/she was a problem from failing each test we gave him/her”. When is enough actually enough?
You should not run phishing tests to teach employees not to fall for phishing, you run these tests to teach them to report these emails to security.
Agreed. We give incentives to people who report phishing emails and we make it big and splashy. Training for people who fail is done quietly.
The best way to spot a phishing scam is looking at the email meta data (header) and doing a IP number lookup.
Sounds like a job for an email gateway.
Do you dispose of all support messages which come from a Salesforce owned IP address which pretends to be from xyzcorp.com
How about xyzcorp.com messages that come from a Microsoft owned IP address ?
At the University of Auckland (NZ), we are working on an approach to help people aware when they are mostly likely to be vulnerable to make mistakes (like clicking a link in a phishing email). Usually, stress plays a huge role in social engineering attacks. Our idea is to detect when a user is under negative stress and to help them getting out of this situation (we also have some policies that are activated in background – like ringfencing a particular device if the user is too stressed). We use machine learning to tailor the intervention to individuals (afterall each of us has different way to cope with stress) but the beauty of our system is that each individual model (and the data) belongs to the user: no big brother here!
Most companies don’t enact punitive measures for failing phishing scenarios. I’m in agreement with this philosophy. However, I’ve also heard a great argument from a colleague.
His argument was…”we perform phishing scenarios each month. If a user continuously fails them and we don’t fire them, we could be held liable if a civil suit is brought against us for a breach because we knew that particular employee failed regularly and we took no corrective action with them.”
“no corrective action”?
Legally, training is corrective action. Even with multiple failures, there is no legal threshold for how many times a person can fail.
Sure, someone can always sue for a breach… but the problem wouldn’t really be solely on the employee who fell for phishing… but rather the lack of other security controls.
If the security posture is so fragile as to be undone by a single phish… then a whole lot of other security best practices are missing.
“Should Failing Phish Tests Be a Fireable Offense?”
This is a little too broad a question. Should an employee *only* be fired for failing a phishing sim or test? In general no, for all the reasons given above by others, plus one more: You’d be actively “attacking” your own employees, putting them in positions to fail. That’s not what a good infosec program should be about. It should be about putting these folks in a position to *succeed*.
That said, is there a point where repeated failures go beyond infosec into being a legitimate HR problem? That’s a whole other issue. Is one person so anti-phishing-tests that they identify these things properly in order to screw with the org and purposefully fail them? If so, that’s more an HR issue than it is infosec. Is one person just so utterly clueless that no amount of instruction helps? Perhaps that person simply needs to be “that one” who gets their assets managed more closely (if this is even possible. Not every org has the ability to flag individuals or set warnings for non-baseline activity for their users unfortunately). Is one person only failing at a slightly higher rate, but has more responsibility in the company? Some of these sound like edge cases, and they are in small orgs, but they may be more common in larger ones. And they’re the sort of consideration that needs to be taken when answering the question of punishment (or not) for failing phishing tests.
One size does not fit all. Staff responsibilities differ, so therefore the consequences of being easily phishable does. Someone who’s a complete sucker but doesn’t control anything important is less of a risk (never a zero risk, but a smaller one) than someone with large responsibilities. Maybe for the first, no admin privileges, frequent password changes, and many activity flags for that person in your SIEM, or some other higher level of monitoring in whatever environment you’ve got. But for the second, possibly establishing different procedures works (i.e.e CEO: “I will **never** ask you to buy $2000 worth of iTunes gift cards via email. Any monetary request will always need phone confirmation.”). Again: It depends. It’s far too glib to ask “Should this be a fireable offense”. The better question is: When does failing this go beyond infosec into staff performance? It can’t be answered at just the infosec level.
Firing someone for failing a phishing test, even repeatedly? No, but you do have to address the problem. Perhaps as simply as blocking external email – we have a number of roles that don’t require external email. Content filters can block access to web mail sites.
Firing someone for a major breach due to phishing? Maybe. If they bypassed controls – Definitely. If there weren’t adequate controls, blame needs to be placed on the senior manager responsible for defining and monitoring the controls.
In the real world, i.e. Evolution, if you fall for the predator’s camouflage, you help your species thrive by removing yourself from the gene pool. If your fellow herd-members see you being taken down, that has a tendency to raise their awareness. If not then they follow the same evolutionary path…
Social Darwinism aside… the “real world” isn’t so cut and dry. Deterrence isn’t universally successful, and fades over time.
Have their been any studies done on the psychology of people who repeatedly, not to say compulsively, click on unknown links? How can ontrolling an index finger on a mouse be very difficult?
Not sure about studies… but it seems obvious.
More and more of regular business is done through email and websites.
I’d imagine employees today need to click their mouse buttons 10,000 times more than only just 10 years ago.
Phishing training is nice, but it is fighting in direct conflict with the every day training of users to click this or that just to get work done.
Thanks. I have no experience/reality from that world. That info makes the situation more understandable.
If people are so clueless as to keep falling for these tests the company is better off without them !
The one point I do not see being discussed is what happens when an employee gets so scared they will miss one that they begin to question almost every message and then out IT department is deluged with reports.
On an average day we get several hundred reports .. each one has to be investigated or my job is on the line.
Making employees worried about losing there jobs to me is a bigger problem than a phishing email getting by as if we as professionals do not have a disaster recovery plan then we have failed.
Heck, I’ll purposely fail our test phishing emails just to see what the fail response page looks like.
Brian, excellent and timely article, as always. Ironically, I just posted the article below on LinkedIn yesterday, that we need to stop the user-blaming. I guess I’m on the other end of the spectrum. I would love to see the investment in security and the security audit of the company in question. https://www.linkedin.com/pulse/its-time-stop-user-blaming-larry-keating
Larry
We fired an employee for failing multiple tests and then some.
The user failed multiple tests, received two in-person trainings of which one the manager had to sit thorugh as well. After all that training, the user received a live phish and wound up changing the CEOs direct deposit information in ADP.
In our situation, HR and other execs felt that enough was enough. The employee had to be let go.
Blame the system not the user. You need better security controls. One individual shouldn’t have the ability to modify a user’s direct deposit information by themselves. There should be a separation of duties for this task, i.e. one individual submits the change and another user processes it. Same thing goes for processing wire transfers, one individual shouldn’t have the ability to do both.
My company receives phishing emails asking for our direct deposit modification form weekly. We have controls in place to prevent the phisher from being successful.
Exactly…
Phishing may be the initial vector… but phishing isn’t the actual root cause in these situations. The actual vulnerability is process control, not email.
For banks, email should not be allowed to request wires anymore. The systems involved should handle the request from start to finish.
Same for HR actions. HR systems are supposed to enforce the initial request come from the logged in employee, and then go through an approval process.
This isn’t phishing training that educates here… but rather the training for that job position.
What you describe actually goes beyond just phishing.
That is actually getting the user to go beyond simply clicks, opening attachments or going to a website…. but full on fraud in getting money to change.
Anyone who can initiate a wire transfer, change payroll or benefits,… needs to be behind an approval system that double/triple checks the action. And those high risk personnel are VERY different from the general population of users… and need to be given special training. Not phishing training which is more about the email.. but actual fraud training that is more about process control.
Punitive measures fit nicely into the classic arrogant IT/Security narrative of “stupid users are the problem.” Unfortunately for Nick, SNL’s “Your Company’s Computer Guy,” the facts differ: we see phishing emails generated by pretty much every phishing kit, and many are good enough to be convincing for even trained users.
The idea that you train your users to identify phishing emails is, frankly, obsolete: to create a perfect-looking DocuSign email, all an attacker has to do is take a real DocuSign email and “Save As HTML…” So the idea that human recipients can discern these forgeries from the real thing is just nonsense.
The solution is machine learning models that can “see” email much like a human recipient, combined with precomputed knowledge of which domains are legitimate senders for particular brands or individuals. This isn’t theoretical: we’re protecting tens of thousands of mailboxes with this tech. https://inky.com
My boss failed so many of these he was one step away from losing all access to external email. Result? Not wanting to end up being his email secretary, I instead would forward every false phishing email to him the moment I saw it with DO NOT CLICK ON THIS EMAIL so that he could ‘successfully’ identify the training emails. I’m not sure anybody learned anything from the exercise.
There’s a fair amount of research on this, with positive reinforcement and gamification beating out punitive approaches. Either way, knowing which users are prone to click (and which get interesting attacks), is an underrated part of security analytics.
https://www.proofpoint.com/us/security-awareness/post/learning-science-and-security-awareness-training-connection-key
Y’all aren’t seeing the potential here: “Sorry, Bob, I didn’t respond to your request because I thought it was a phishing email!”
No, seriously, this is stupid. There are lots of valid reasons to fire someone; falling for something that many many VERY smart people have fallen for shouldn’t be one of them.
This brings back memories. When I worked for a large bank that will remain nameless (except that it has thousands of employees in the Wilmington, DE area), I remember failing one phishing email test. I asked my manager, who told me that there were consequences for failing those tests but not to worry about it for now. That was last year.
Failing such a vague test shouldn’t be a fireable offense. Then again, many banks foster a paranoid, hypercontrolling culture where you’re either with the program and put up with the stress or you look elsewhere for job satisfaction.
Industrial psychology data shows clearly that negative reinforcement may work in the immediate term, but quickly fails. Wouldn’t it make more sense to use these tests to screen out applicants for certain positions who have a propensity for not being able to modify their behavior? If someone cannot adapt in a reasonably designed construct, then they should never have been in that position to begin with…that is a management failure
Let’s face it, this is more than a behavioral problem, some folks are not able to adjust their core beliefs to reality…hence the success of gambling, lotteries, and multi-level marketing pyramid schemes. Some have self-identities that require a core belief in implicit trust, or that big windfall is just around the corner, or that they are victimized by effort and complexity. Once allowed access, the focus should be how to constantly remind folks that the game is always changing and that they have skin in the game. Perhaps, more game theory applied to populating the workplace with the right players.
Kind of hard not to protect the company from negligence. But testing may not be as targeted and well composed as a real attack. And attacks will improve and eventually succeed. I think it is best to test and retrain differently in case that trainjng/trainer is misunderstood. Repeated failures should lead to a one on one review. How can we address it together with the employee. If they know you care, they should be more forthcoming. And you want that if something gets through. If really they feel it is not their role. Then it is likely the same on other subjects and may require a HR review as a last resort.
In too many cases, companies do fire-hose training: they require employees to sit through CBT or even live classroom training and then go back to their jobs and hopefully remember what they just (maybe) learned. Supplement it with a few posters and they think it’s enough.
It’s not — but threatening employees with losing their jobs is hardly a “motivator” to do better. (And as others have already pointed out, who wants to work in that kind of punitive environment?)
OTOH, there are some companies whose corporate communications groups, working together with IT, have developed innovative, ongoing campaigns that keep employees’ awareness top-of-mind. They use humor and creative marketing techniques and have found that employees’ cyber awareness and retention is notably higher than with “basic training” alone.
There’s no one “perfect” way, but this one seems to be more effective as a long-term approach.