Recipients got an email that looked as though it were from the cyber security office. They were told to check the security of their password by clicking on a link to a Web site. From there, they were asked to put in their password. If they did so, they essentially were told "gotcha."
Three-quarters of the recipients opened the e-mail. Seventeen percent followed the link. And 15 percent attempted to type on the fake password form. Ouch. There was no finger pointing at, nor punishment of, that last group. But they were directed to a tutorial on how not to be so forehead-slapping gullible as to type in their password by e-mail request (the solution described diplomatically as how to be more "aware" and "prepared.")
Two months later, the same set of employees received an e-mail with the subject line, "Internet Connection Problems." Again, 75 percent of recipients opened the fake e-mail and 14 percent followed the link. But only 8 percent attempted to hand over their password, a nearly 50 percent reduction. Nice improvement. But as cyber officials know, systems are only as good as their weakest link.
Will Pelgrin, the director of the cyber office gave employees a thumbs up for learning from the previous time. But he knows sporadic exercises are not good enough. The state wants to institutionalize the exercise. This year, it is launching a computer-based training model that will automate different phishing scenarios and test how well people adhere to government e-mail policy. "Repetition is the best way to teach," Pelgrin says. "Then it becomes second nature."
It's good that people will learn how to detect an illegitimate email without welcoming a virus into state government systems, or draining their bank accounts, activities known in real life as, "learning the hard way."
In August, GOVERNING will publish a feature story on Will Pelgrin and New York's cyber security operations. We'll cover what the state is doing to help its government, and those around the world, from much more major "gotchas."
