
AIBU?

Share your dilemmas and get honest opinions from other Mumsnetters.

I can't dismiss for this?

60 replies

Patchoomi · 27/09/2022 16:36

A month ago our work systems were hacked. No data breaches but man hour costs to rectify it.

The security team identified Dave, not the real name, had clicked on a link in an email. They asked me to start disciplinary procedures for dismissal. Dave doesn't know this.

Our IT rules are standard, don't watch naughty films, don't be illegal, don't download harmful data.

Dave has worked for the company for about 7 years. He's hardworking and honest. It is not rare for our work to click emails. I really believe it was an accident and that if he knew, he would have told the managers and been upset. I don't like Dave but he is good at his job and honest.

I don't know that he breached the IT policy because I don't think he did it on purpose or through neglect. I think too that if we dismiss him it will stop others being honest when they make mistakes.

Work know Dave is dating my best friend so I will refuse to do the process and ask that someone else does it even though I am his manager. I don't know how I can help him.

Or do you think my company are being reasonable and sensible because even if it was a mistake it still made big problems?

Patchoomi · 27/09/2022 17:26

My phone will run out of batteries but thank you for answering.

Wonnle · 27/09/2022 17:26

Depends on your definition of what is gross misconduct doesn't it

OfficiallyBroken · 27/09/2022 17:30

Context is crucial here. Clicking a phishing link accidentally because it was a spoof of a company email/looked official enough to warrant clicking could only reasonably be argued as gross misconduct if you're a cyber security specialist trained specifically to spot these things. Anyone else, frankly it's the IT team who are responsible for educating and reducing the risk around these events - ours actually run campaigns to "phish" for people who are likely to click on these things so they can attend extra training.

Clicking a link in an email that doesn't belong in a work account full stop, they could claim gross misconduct...for example if the email was about young Bavarian women and a link was clicked there's no professional defence for doing that and an investigation could result in gross misconduct being the outcome.

You can be a good conscientious and diligent worker but still be caught out in the second example because you didn't think for a split second. For what it's worth, I think your company are on shaky ground unless there's literally no defence for not immediately deleting the email received. A predetermined outcome to an investigation has tribunal written all over it.

Hope Dave is a member of a union!

SummerInSun · 27/09/2022 17:31

Tell HR to talk to the legal department or get external legal advice, or if you have an internal legal department, copy them yourself. Remind them that their internal emails about the decision to dismiss him before conducting any sort of investigation will be disclosed to Dave's lawyers in any subsequent unfair dismissal claim.

Worth exploring why they want to dismiss him. Possibly someone in HR mistakenly thinks that because breaching IT policies CAN be gross misconduct, that any breach automatically IS gross misconduct and that they have to fire him, eg in case it happens again and the Information Commissioner's Office asks how they dealt with similar instances in the past. If so, they have totally the wrong end of the stick, especially for an innocent mistake by a good employee.

Darbs76 · 27/09/2022 17:34

Agree context is relevant here. Surely an investigation is standard? At my work whenever there is an incident there’s an investigation conducted by a manager not in the management chain and independent staff to interview people. This sounds a bit odd that they’ve just asked you to dismiss without an investigation. My advice to Dave would be to contact his union and ACAS

Sapphire387 · 27/09/2022 17:35

I work for a trade union and from what you have said, I think any TU official or rep worth their salt would tear your HR dept to shreds over this. Totally unreasonable response and likely to be a solid case for unfair dismissal at the ET.

AlisonDonut · 27/09/2022 17:42

Surely HR know you can't just dismiss without investigating.

I'd be keeping that email for if they force you to dismiss to show that it was decided before the investigation started and accidentally bring it into the appeal. Which you would of course tell your friend to tell him to do.

Personally I'd tell HR they were wrong and you have investigated, have found it an accident and not a breach of policy [I'd quote the policy] and refuse to discipline him. I would suggest though the first item on the next meeting agenda to be the topic of internet safety. It is always better to train rather than to dismiss in situations like this.

CantGetDecentNickname · 27/09/2022 17:51

I would definitely try to avoid being the one to do any dismissing in these circumstances. I've seen companies tell a manager to dismiss someone as a way of getting rid of the manager because they will then be seen to have made a bad management decision when it turns out that the dismissed person has a good case for constructive dismissal. No investigation and a predetermined decision sounds very dodgy. Are you sure Dave is their actual target?

ChazsBrilliantAttitude · 27/09/2022 17:54

It does sound like HR have prejudged the outcome. That is a big problem. Additionally, if the error he made was no worse than others i.e. he clicked on a dodgy link then it may be disproportionate to discipline him harshly if the others weren’t for also clicking dodgy links. Also are all policy breaches subject to the same process? So if your disciplinary policy said turning up to work drunk was gross misconduct and clicking a dodgy link was gross misconduct but the drunk person was sent home, lost a day’s pay and got a written warning but the dodgy link clicker got sacked - how would that be justified?

HR really need to get some proper advice and make sure the whole process is fair, transparent, robust and proportionate.

AchatAVendre · 27/09/2022 17:54

Disproportionate to dismiss him for this if it was innocent clicking of a link as a one off. Surely he can be given a written warning instead?

Does he have a history of misuse of work internet? If not, then it sounds like an easy case for unfair dismissal, since placing access to such links and not blocking them with a robust firewall is putting individual employees at too much risk of making an innocent mistake.

candycaneframe · 27/09/2022 17:55

So to clarify

Dave has yearly training that explains not to click links such as these

He has signed a policy saying he has received said training and acknowledging acting outside of this policy would be considered gross misconduct in your business

He still clicked a dodgy link

Erm I'd think your HR team is more up to speed on what's right to do in this situation than you are OP

ExtraOnions · 27/09/2022 17:59

I would be asking the security team how the email got through in the first place, and why no security warning flagged it as a potential issue.
Emails like this shouldn’t even be in a position to be opened.

greenacrylicpaint · 27/09/2022 17:59

no, you can't dismiss him.

but do talk to him.
and have a general information to all staff about scams, phishing and internet use.

it's your IT system fault he was able to (unwittingly) download unsafe software.

Blueblell · 27/09/2022 18:03

I think it depends on what he clicked on? Or what he thought he was clicking on

ChazsBrilliantAttitude · 27/09/2022 18:10

candycaneframe · 27/09/2022 17:55

So to clarify

Dave has yearly training that explains not to click links such as these

He has signed a policy saying he has received said training and acknowledging acting outside of this policy would be considered gross misconduct in your business

He still clicked a dodgy link

Erm I'd think your HR team is more up to speed on what's right to do in this situation than you are OP

Links such as what? The OP says they are required to click links in emails as part of their job. He got one wrong. Unless it was really obvious, then it may be difficult to show it was a breach of the policy because there was no intent and if it was a clever fake it might be hard to argue negligence either.
I work in an industry where we get regular phishing simulation emails. So I have seen dozens of dodgy emails over the years and I can tell you that me and my colleagues have all messed up on these simulations from time to time.

HR cannot determine he should be dismissed before the investigation has happened.

Gemmanorthdevon · 27/09/2022 18:19

On the info given, to move in, having predetermined the result makes it completely void. Every employee has the right to fair and impartial investigation of any accusation relating to their performance. No investigation and consideration of any mitigations (like unblemished record etc) will get this laughed at if taken to ET.

It doesn't even matter if there is "more to it" there is still a process they have to follow, and you simply can't "start disciplinary proceedings to dismiss" ...because those proceedings are there to protect the employee from unfair dismissal by way of proper and sound investigations.

Is he already on suspension or is he still working? Because they also can't start a process with a view to say performance is so poor they have a right to dismiss, whilst letting him carry on until said process is finished!

Sounds like the extra training is required in HR.

ABBAsnumberonefan · 27/09/2022 18:27

Sounds more like it’s a failure on the IT / security side for not mitigating the risks of such event!

MintJulia · 27/09/2022 18:27

Wow, a company that would dismiss a long standing, hard working employee for accidentally clicking on a link. Once.

If Dave is dismissed, I hope he sues the company, wins big time, makes the head of security look really petty, and the company is shown up in public for being a truly dreadful employer.

And then you'll have the added expense of recruiting a replacement, training them up and trying to replace Dave's experience.

Good luck with that one.

TokyoTen · 27/09/2022 18:30

Something to consider: did the email look like it was malicious or not. For example if it was from a client you deal with (but they had a virus and their system sent it on); or if the name was someone you deal with then that would also be reasonable to click on it. Was it something that could be related to work (e.g. a document on a technology you use).

If it's from BigKnockers72 and it says "Click here for P0rn" then harder for him to justify. But hopefully you get my thought process.

chilliesandspices · 27/09/2022 18:33

My work sent out a fake link from the CEO as part of a security test. Well over half of our 2,000 employees clicked it.... including the CEO who forgot he had agreed to it and wondered what it was 🤦🏻‍♀️ It was a 2 line email with a link whereas his normal company-wide correspondence tends to be at least a couple of paragraphs.

candycaneframe · 27/09/2022 18:36

@ChazsBrilliantAttitude the op has said they think Hr will go through the process

Which will include an investigation

If you're given training on what not to click on, and click on scam links then yes in many sectors this would be a serious action which would likely lead to dismissal after the disciplinary process is concluded. Banking for one.

EmmaGrundyForPM · 27/09/2022 18:38

I work for a Local Authority. One of my colleagues clicked on an attachment in an email which he thought was genuine as it apparently came from someone he knew professionally. In fact, that person's account had been hacked and when my colleague clicked, he inadvertently downloaded malware which then infected the rest of his contacts.

In short, business was disrupted for about a week, loads of us had to have our laptops stripped and rebuilt, and it was a nightmare. Absolutely nothing happened to my colleague as it was a mistake. We did all get a reminder about IT security but that was it.

ChazsBrilliantAttitude · 27/09/2022 18:43

I work in the City and have done so for decades hence all the phishing simulations! HR can’t say investigate for dismissal. First you determine what has happened, then you assess it against your defined disciplinary standards etc. then you determine a fair and proportionate response.

ChazsBrilliantAttitude · 27/09/2022 18:43

My post is to @candycaneframe

candycaneframe · 27/09/2022 18:51

ChazsBrilliantAttitude · 27/09/2022 18:43

I work in the City and have done so for decades hence all the phishing simulations! HR can’t say investigate for dismissal. First you determine what has happened, then you assess it against your defined disciplinary standards etc. then you determine a fair and proportionate response.

We only have the OP's poorly written post that says that

It's not written well so one also can assume the op might not have understood or been paraphrasing in the post
