Cyber Security Expert: DHS CISO Is Serious About Security


If you fall for a phishing email, should you have your ability to handle sensitive government information revoked?


When an associate opens a phishing email and clicks on a link with disastrous consequences, it is no doubt embarrassing. However, the Chief Information Security Officer (CISO) at the Department of Homeland Security (DHS) would like to see significant consequences for such hazardous behavior.

DHS CISO Paul Beckman has proposed significant consequences, up to and including termination, for falling for hacking schemes. Currently, Beckman sends fake phishing e-mails to his staff. If the recipient fails to follow protocols and/or falls for the scam, they must undergo remedial security training.

Beckman was part of a panel discussion regarding CISO priorities at the Billington Cybersecurity Summit in Washington on Sept. 17. During the panel discussion Beckman said: “These are emails that look blatantly to be coming from outside of DHS — to any security practitioner, they’re blatant.” He went on to say, “But to these general users” — including senior managers and other VIPs — “you’d be surprised at how often I catch these guys.”

In the discussion, Beckman said a small number of employees continue to fall for the fake scams even in the second or third round of phishing tests.

Beckman wants to put his staff’s jobs on the line. He would do so by using these security tests, and an individual's demonstrated susceptibility to security threats, as part of their performance evaluation. He would also use the test results as a factor in determining whether the individual is competent to handle sensitive data and hold a security clearance.
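The program described above (simulated phishing rounds, remedial training after a failure, escalation for repeat failures) can be tracked with a few lines of bookkeeping. The following is an added example, not code from DHS or the article; the recipient names, the simulation log and the escalation thresholds are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Outcomes that count as "falling for" the simulated email.
FAILING_OUTCOMES = {"clicked_link", "opened_attachment", "entered_credentials"}

@dataclass(frozen=True)
class Result:
    round_no: int   # simulation round (1, 2, 3, ...)
    user: str       # recipient account (constructed sample names below)
    outcome: str    # "reported", "ignored", or one of FAILING_OUTCOMES
    seconds: int    # seconds after campaign launch the action was logged

def per_user_failures(results):
    """Map each user who ever failed to the sorted rounds they failed in."""
    failed = defaultdict(set)
    for r in results:
        if r.outcome in FAILING_OUTCOMES:
            failed[r.user].add(r.round_no)
    return {u: sorted(rs) for u, rs in failed.items()}

def recommended_action(rounds_failed):
    """Escalation ladder modelled on the article: first failure -> remedial
    training; failing again in a later round -> review (thresholds assumed)."""
    if not rounds_failed:
        return "none"
    if len(rounds_failed) == 1:
        return "remedial_training"
    return "review_performance_and_access"

def seconds_to_first_failure(results, round_no):
    """Time until the first recipient took the bait, or None if nobody did."""
    times = [r.seconds for r in results
             if r.round_no == round_no and r.outcome in FAILING_OUTCOMES]
    return min(times) if times else None

SAMPLE = [  # constructed simulation log: four recipients over three rounds
    Result(1, "alice", "reported", 300), Result(1, "bob", "clicked_link", 82),
    Result(1, "carol", "ignored", 0),    Result(1, "dave", "entered_credentials", 600),
    Result(2, "alice", "reported", 120), Result(2, "bob", "reported", 200),
    Result(2, "carol", "ignored", 0),    Result(2, "dave", "clicked_link", 45),
    Result(3, "alice", "reported", 90),  Result(3, "bob", "reported", 150),
    Result(3, "carol", "reported", 400), Result(3, "dave", "opened_attachment", 90),
]

def report(results=SAMPLE):
    """Per-user failing rounds and the action the program should take."""
    return {u: (rs, recommended_action(rs)) for u, rs in per_user_failures(results).items()}
```

Running `report()` on the sample shows "bob" failing once (training) and "dave" failing in every round (escalation), which is the distinction the article draws.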

Phishing remains one of the hacker’s simplest and most powerful ways into computer systems. When users open attachments or click links to malicious sites, they are letting the hacker into their computer system. That entry may be limited to a single computer or, more likely, extend into the entire network.

According to the recently published Verizon Data Breach Investigation Report, 23 percent of phishing recipients open malicious messages. Worse still, the report says 11 percent open attachments. According to the report, it takes only 82 seconds from when a phishing campaign is launched to when people start swallowing the bait.

Spear phishing is a more targeted technique used to deliver malware or get the recipient to click a link. The sender generally has more information about the email recipient than the average spammer would. This additional information lures the recipient into thinking the email and the links it contains are legitimate.

When a data breach leaks sensitive personal information, hackers gather up that information and use it in spear-phishing campaigns.

Beckman has good reason to be concerned about this at the federal level. His personal data, along with that of over 21 million other federal employees, was leaked in the Office of Personnel Management (OPM) data breach which occurred earlier this year.

The data breached from the OPM is certainly likely to be used to craft spear-phishing attacks against government employees. Some of those employees may hold Top Secret or Secret clearances. If they fall for the wrong attack and open the wrong email and/or click on a link, who knows what other data could be leaked.

Training is the most important component in the defense against these cyber attacks. However, when the training doesn’t sink in and the targeted individual is handling sensitive data, stronger measures may need to be taken, as Beckman suggests.


Copyright © 2003 - 2024 Evidence Solutions, Inc. All Rights Reserved.