When the CEO asks IT how secure the organization is the answer ranges from ‘As good as the budget you give me’ to ‘Excellent, because we follow best practices.’
The truth is many organizations only really know by doing penetration testing. That’s what the Justice department did in December when it sent email to 5,000 staffers to test their ability to resist clicking on links they’re supposed to be suspicious of.
About 37 per cent (1,850 people) fell for the ploy, according to a Canadian Press story in the Globe and Mail.
This kind of test is a good way of finding out whether corporate training has done its job, whether staff need a refresher – or whether training should start. But the test has to be done by staff — or a security consultant — who know what they’re doing.
For example, in February a U.S. army officer decided on his own to test whether his staff would fall for an email ruse warning of a breach in their federal retirement plan and asking them to log into a (phony) Web page to check their money was safe. What happened was people forwarded the message to friends and created panic.
That’s an example if how not to do it.
The Canadian test was similar — a legitimate looking email, with a link to a legitimate site. What happened next was also a best practice: Two more tests followed, one in February and on in April. Click rates were lower, presumably because there was testing following each test because CP quotes a government official saying this part of an awareness exercise.
And, the story adds, the government has more tests planned of “increasing sophistication” to trick unwary bureaucrats.
The fact is email is — still — one of the easiest ways for attackers to get into enterprises: Busy people click on every message, and a message from a seemingly trusted source that warns there’s a security problem will be paid attention to by a number of people.
“These exercises are very useful,” Jon Olsik, a security analyst at the Enterprise Strategy Group, said in an email. “I’m seeing more enterprise organizations taking similar steps. The 37 per cent (click through in the first test) doesn’t surprise me either, especially if the messages were meant to look official.
“While we can’t expect employees to become security experts, its critically important to educate them on risks and make sure to add cybersecurity awareness programs as well. In general, you want your employees to be part of the solution rather than part of the problem.”
Remind staff through formal training once a year of proper security procedures. And then test their resolve.