I don’t think that the cybersecurity team did anything wrong. If they can be exploited that way then it is a measurable risk.
Sure, but here’s the critical thing: the security team isn’t a threat actor, they’re coworkers. Their job isn’t to steal data but to protect it and get coworkers to better protect it.
Doing stuff like this doesn’t advance that goal, and actually hinders it. Now a bunch of people think the security team is full of assholes and the lesson taught is “the security team will trick you, get you in trouble and also good things never happen here”.
They now know that they could face a breach from an enticing phishing email, which isn’t actionable. What do you do with that information that you shouldn’t have already been doing?
The cost is that now when someone does something like actually fall for a phishing attempt they have less reason to trust that security is on their side, and more reason to brush it off and try to obscure it to avoid getting in trouble with security.
A better way to train users is to use rewards. Tell them you’re running a phishing campaign and properly reporting it gets a chance at a gift card or prize. Then tell them you’re going to keep doing it, and that legitimate phishing reports also get a chance.
It costs you $100 a month, no one is mad at security and it’s easier for users to see it’s an exercise rather than an attack.
I have to disagree with the premise that security testing should be a “feel-good” exercise. In a healthcare setting, the security team operates as an internal auditor. Their job isn’t to be liked; it is to protect patient lives from catastrophic ransomware attacks that shut down life-saving systems.
To do that effectively, they have an obligation to run real-world simulations. Actual threat actors don’t care about hospital morale or their exploitation under capitalism, and they will exploit those exact pressure points to gain credentials. What this test revealed isn’t just that the staff are tired, but that a highly enticing lure easily bypasses their current social controls. Because of this test, the security team now knows they must rely more heavily on technical controls (like hardware keys or stricter zero-trust policies) to compensate, which is actionable. Being mad at the security team for exposing a fatal vulnerability is shooting the messenger.
My entire point is that none of that is actually new information. Every piece of research by anyone has always indicated that the human element is the weakest part of the security system. If you’re asking if you can trust a user to reliably do something, you can safely say “no” and make contingencies for when they don’t.
If they have technical solutions available, they didn’t need to run a drill to know that they should use them.
It’s not about being “liked”. It’s about effectively enforcing a security posture. An adversarial relationship does more to undermine that than providing guidance on how to do it better.
They have no obligation at all to “run scenarios” where they could just implement the fix to the problem.
They exposed a fatal vulnerability in the same way stabbing someone exposed a problem: it’s been demonstrated, but it’s not new information.
This type of exercise is about producing numbers that look good on a spreadsheet. You do a phishing drill, people fail and then you run a training. A few weeks later you do it again and since people still have the previous drill lingering they remember, and you send a softball phish. Line go up and to the right. Looks good in report.