The Phishing Catch
When's the last time you've gone phishing at the office? New York State did an exercise in 2005, sending a fake email to 10,000 state employees in five agencies. The "scam," perpetrated by security officials, was a spot check on employee e-mail behavior. And it was a test of how well the Office of Cyber Security & Critical Infrastructure Coordination was getting its cyber security message across to employees about what turns up in their inboxes.
Recipients got an email that looked as though it were from the cyber security office. They were told to check the security of their password by clicking on a link to a Web site. From there, they were asked to put in their password. If they did so, they essentially were told "gotcha."
Three-quarters of the recipients opened the e-mail. Seventeen percent followed the link. And 15 percent attempted to type their password into the fake form. Ouch. There was no finger pointing at, nor punishment of, that last group. But they were directed to a tutorial on how not to be so forehead-slapping gullible as to type in their password at an e-mail's request (the solution described diplomatically as how to be more "aware" and "prepared").
Two months later, the same set of employees received an e-mail with the subject line, "Internet Connection Problems." Again, 75 percent of recipients opened the fake e-mail and 14 percent followed the link. But only 8 percent attempted to hand over their password, a nearly 50 percent reduction. Nice improvement. But as cyber officials know, systems are only as good as their weakest link.
Will Pelgrin, the director of the cyber office, gave employees a thumbs up for learning from the previous exercise. But he knows sporadic exercises are not good enough. The state wants to institutionalize the exercise. This year, it is launching a computer-based training model that will automate different phishing scenarios and test how well people adhere to government e-mail policy. "Repetition is the best way to teach," Pelgrin says. "Then it becomes second nature."
It's good that people will learn how to detect an illegitimate e-mail without first welcoming a virus into state government systems or draining their bank accounts, activities known in real life as "learning the hard way."
In August, GOVERNING will publish a feature story on Will Pelgrin and New York's cyber security operations. We'll cover what the state is doing to protect its government, and those around the world, from much more serious "gotchas."