The Phishing Catch
When's the last time you've gone phishing at the office? New York State did an exercise in 2005, sending a fake email to 10,000 state employees in five agencies. The "scam," perpetrated by security officials, was a spot check on employee e-mail behavior. And it was a test of how well the Office of Cyber Security & Critical Infrastructure Coordination was getting its cyber security message across to employees about what turns up in their inboxes.
Recipients got an email that looked as though it were from the cyber security office. They were told to check the security of their password by clicking on a link to a Web site. From there, they were asked to put in their password. If they did so, they essentially were told "gotcha."
Three-quarters of the recipients opened the e-mail. Seventeen percent followed the link. And 15 percent attempted to type into the fake password form. Ouch. There was no finger pointing at, nor punishment of, that last group. But they were directed to a tutorial on how not to be so forehead-slapping gullible as to type in their password on e-mail request (the solution described diplomatically as how to be more "aware" and "prepared").
Two months later, the same set of employees received an e-mail with the subject line, "Internet Connection Problems." Again, 75 percent of recipients opened the fake e-mail and 14 percent followed the link. But only 8 percent attempted to hand over their password, a nearly 50 percent reduction. Nice improvement. But as cyber officials know, systems are only as good as their weakest link.
Will Pelgrin, the director of the cyber office, gave employees a thumbs up for learning from the previous time. But he knows sporadic exercises are not good enough. The state wants to institutionalize the exercise. This year, it is launching a computer-based training model that will automate different phishing scenarios and test how well people adhere to government e-mail policy. "Repetition is the best way to teach," Pelgrin says. "Then it becomes second nature."
It's good that people will learn how to detect an illegitimate e-mail without welcoming a virus into state government systems, or draining their bank accounts, activities known in real life as "learning the hard way."
In August, GOVERNING will publish a feature story on Will Pelgrin and New York's cyber security operations. We'll cover what the state is doing to protect its government, and those around the world, from much more major "gotchas."