I can't dismiss for this?

[Patchoomi]

A month ago our work systems were hacked. No data breaches but man hour costs to rectify it.

The security team identified Dave, not the real name, had clicked on a link in an email. They asked me to start disciplinary procedures for dismissal. Dave doesn't know this.

Our IT rules are standard, don't watch naighty films, don't be illegal, don't download harmful data.

Dave has worked for the company for about 7 years. He's hardworking and honest. It is not rare for our work to click emails. I really believe it was an accident and that if he knew, he would have told the managers and been upset. I don't like Dave but he is good at his job and honest.

I don't know that he breached the IT policy because I don't think he did it on purpose or through neglect. I think too that if we dismiss him it will stop others being honest when they make mistakes.

Work know Dave is dating my best friend so I will refuse to do the process and ask someone else must do it even though I am his manager. I don't know how I can help him.

Or do you think my company are being reasonable and sensible because even if it was a mistake it still made big problems?

As Dave has worked for more then two years they want to be very careful not to miss anything. Surely he needs to have an investigation to state his side of the story before he gets dismissed? As he would need to see evidence etc?

🤦‍♀️🤦‍♀️🤦‍♀️

An old workplace of mine did a cyber security week where they sent out loads of reminders/training about not clicking on dodgy links etc. Early the following week they sent an email which looked a bit odd and asked you to click on a link... then got throughly pissed off when everyone either ignored it, queried it or reported it to IT (it was genuine). If you're going to tell people not to click on dodgy looking links don't then send them 🤦‍♀️🤦‍♀️

there must be more too this surely?
at our place they run monthly phishing exercises and without fail about 3-5% of staff click on the link they weren’t supposed to. We don’t sack all of them!

Not unless they want a nice little employment tribunal case and to have to fork out a huge pay out...

Also you are missing an important point: the company IT system should have effective anti-virus software in place that would have quarantined the email in the first place.

So the IT team and the IT system has also failed in this instance.

The staff member will be easily able to argue at the tribunal that if the company IT system whose job it is to protect the company did not even spot and stop the email, why should he be blame for accidentally clicking on the email he had received thinking it was legitimate?

I would say your ''security team'' are the issue here not that poor guy they are trying to blame.

Your company is on incredibly shaky ground here for all sorts of reasons.

You can't dismiss an otherwise reliable employee over 1 mistake without a full and proper investigation, and it's insane to consider accidentally clicking on a link as gross misconduct. That label usually covers things like theft, physical violence or serious and sustained insubordination.

I don't know why but he has found out he pressed the link and my friend says he will resign on Tuesday. I said he should wait but she said he said he is a looser and does not deserve to work at company. It is not true. He says he does not know how he pressed the link and I believe him. I think he is embarrassed and shamed and didn't want to speak to me.

I do not think he knows about the disciplinary or plans to dismiss but I could not ask.

It is hard being his manager and friends with his girlfirend. It is hard to know when I must be a friend and when I must be boss.😔 I have to be very careful.

I am sorry I was not clear. HR said that I should start a disciplinary process but it was gross misconduct and would result in dismissal and the process was for formality. I am sorry I was not clear.

After the previous advise I spoke with ACAS and printed documents to give to HR who said they are going to look onto it. They laughed at me. I asked what was happening to the people in the security team who let the email through and they said they did not think that was relevant and could not discuss it. I said that if it was only Dave punished that he could say it was unfair and take legal action. She said security was automated and scammers change all the time so it was inreasonable to expect security to know everything all the time. She said that Dave had training and knowingly cicked the link. I asked what investigation was being done in security or if they had just accepted it. She said nothing but wrote lots of things down. I said I wanted another discussion with them on Monday. They have not arranged anything so I will make myself a nuisance and show that I will not go away.

I spoke with my manager today who will also speak with HR to investigate.

I don't know if it is best that Dave does resign because he feels bad or whether I try to make him stay and try to make the process fair but then if it goes wrong he might be dismissed and that is worse.

Has anyone asked Dave for his version of events? At best he needs training about IT use, possibly organisation wide, to reiterate it. You should not be involved though die to potential conflict of interest.

If the security team aren't supposed to have spotted it why should Dave have? Presumably they had much more intense training than his annual 20 minute multiple choice quiz

I have said I will not be involved with the investigation because he is dating my best friend for 3 or 4 yrs. Work already know that because we told them in writing as soon as we realised. I have been told I must as I am his manager but I will not. I don't know who has decided I must do it. But he is also my staff and I should protect my staff and not just let things happen to them.

I must make sure the investigation is fair but will not do ot myself. I can't tell Dave tips.