Will you be fired for clicking on the wrong email?
It's very much possible that at some point in the near future, opening an attachment or clicking on a link in a phishing email will get you terminated. Everyone is now responsible for security at the organization they work for. I think that is something we can all agree on, even if there are still those colleagues who don't give it a second thought. Security awareness training has been part of most organizations' security programs to help employees detect and report security incidents; however, only recently has the human factor played such a direct role in incidents and data breaches.
Social engineering is nothing new, but a well-crafted phishing email, based on current events and information about the target and designed to get the person to click on a link or open an attachment, has become very prevalent over the past few years.
As more and more companies and government agencies are infiltrated by attackers gaining a foothold via those well-crafted phishing emails, they're finding out their awareness programs are not effective, or that people just aren't caring enough to be vigilant about these types of attacks in their daily activities.
This week Paul Beckman, CISO of the Department of Homeland Security, discussed how federal employees with security clearance are failing email phishing tests “that look blatantly to be coming from outside of DHS.”
Beckman noted that those who fall for the emails, and in some instances have entered their credentials after following the links, are required to take additional security training. Beckman made headlines with his proposal to revoke the security clearance of repeat offenders, stating those employees “have clearly demonstrated that you are not responsible enough to responsibly handle that information.”
Beckman has said what many heads of Information Security departments have been thinking for a long time, and like a concerned parent, is wondering how much punishment needs to be dished out to change the behavior of their colleagues.
If Beckman revokes security clearance, will those employees still be able to perform their job responsibilities? Maybe not, if the job required the clearance in the first place. The next logical step is a demotion to a position which doesn't require the clearance, or termination of the employee altogether.
Email phishing tests have been around for a while, but this may be the tip of the iceberg for human security tests. A new tool, AVA, created by Laura Bell, CEO of SafeStack, performs social engineering tests meant to utilize as much information about the target as possible. This includes trawling social media and connecting to internal systems to learn about things like reporting lines. It will use this information, for example, to send text messages which look like they're from your boss, to execute a task outside of standard approval controls. If you got a frantic text from your boss, would you send that wire transfer or execute a production change? Those are some of the more psychological and situational tests AVA can execute to test an organization's human risk.
Is this the future, vulnerability scanners for people? Should this be required for government employees with security clearance, or employees in your organization with access to your critical assets and information? What can be done to make security awareness stick? These are the questions being asked to find ways to reduce the risk. I’m a proponent of testing those with security clearance or access to critical data because that responsibility comes with the job and must be upheld every day. However, this may cause long-term effects such as stressed-out employees worried about real and test spear phishing attempts, or a reduction in staff because of failed tests.
I don’t know if this behavior can be changed through training and the consequences of demotion and termination, or if we will ever be able to truly manage the human risk from well-crafted phishing and human psychology completely. One thing is for certain though: we are the weakest link, and the ones carrying out the attacks know it.
Photo by Matthias Ripp / CC BY