You pick up the paper or watch the news and it has become an all too common occurrence. What used to surprise us is now sadly routine – breaches of cyber security. In the early days, these breaches were usually just an annoyance – most simply focused on defacing public facing websites. Plug the vulnerability, re-upload your homepage, and you were back in business. Almost seems quaint, now doesn’t it? Today the stakes are much higher, both from a commercial standpoint and from an international security standpoint as well.
While much of the preventive focus for cyber-security justifiably falls on IT, the role of each and every user is critical as well. From password security, awareness of social engineering threats, and prudent behavior when it comes to attachments and web-browsing, many enterprises are only as strong as their weakest user. One of GuideIT’s managed services customers places significant emphasis on the importance of user awareness in their overall cyber-security program, and recently completed a Phishing exercise I thought worth sharing.
To establish a baseline from which to measure the results of an upcoming training program focused on Phishing, every employee was sent an outside email informing them that their email storage quota had been exceeded, and directing them to click an enclosed link to address the issue. The organization’s Information Security policy dictated that they forward suspicious emails to the GuideIT Service Desk, who would either confirm/deny the authenticity of the email, or open a ticket to the customer’s Security Team for review.
So how’d they do?
· 90 people clicked the link - they failed the test outright.
· 50 people forwarded the note to the Service Desk AFTER clicking on the link, many asking, “Hey the link didn’t work; how can I get more storage??” They also failed the test.
· 40 people forwarded the email to the Service Desk without clicking the link, and identified the email as a potential Phishing attempt – BRAVO!
Obviously no harm came of this exercise. But had the threat been real, the outcome might have been different. The lesson? First it’s worth emphasizing that this particular customer has an active IT Security Program using both internal dedicated IT resources, and the assistance of an outside Security vendor to audit and support their efforts. Yet the majority of people who received the Phishing attempt “took the bait”. With this particular customer, the next time a user fails a Phishing attempt they will be directed to a mandatory online training module to raise their awareness on the risks of Phishing – a great motivator huh?
The lesson to me is that even with strong internal programs to raise cyber awareness, your work is never done. And if you don’t have programs in place like this customer, give serious thought to how your organization would perform if put under the same microscope.
Stay tuned; this customer plans additional testing over the course of the year to gauge the effectiveness of their training efforts. I’ll be sure to provide an update when they do.
Published by: Mark Johnson, Vice President/Business Unit Leader, Commercial, GuideIT