I don’t think that the cybersecurity team did anything wrong. If they can be exploited that way then it is a measurable risk.
That’s not new information though. All they’ve done is teach users that their security team is more of an enemy than a friend.
Seriously: what action are they going to take as a result of this that they shouldn’t have already been doing? They could just as easily have assumed, entirely correctly, that users will fall for phishing messages. Don’t need an exercise, to say nothing of a mean one, to learn that.
Well, exercises like this aren’t just about gathering info, they are IT training too. If one of the people who fell for it gets another email promising a day off for clicking a link, they should now think twice. Hopefully they start checking all links before clicking them.
I understand they are overworked and the day off was enticing, but who doesn’t view every email with distrust and suspicion these days? Yeah, it sucks, but that’s the reality we are in.
Sure, but that’s ignoring the cost of “now your users don’t trust the security team”.
For most things like phishing there’s only so much training you can put on a user. Humans are pretty okay at understanding the costs associated with their time in an implicit manner. Users will check well enough to meet their internal cost metric: the cost to them if they get phished isn’t high, and the likelihood is low. That’s why it’s such a problem in workplaces.
The solution isn’t to keep beating the user over the head. First, it can undermine other important parts of the relationship between users and security as I mentioned, and it can, if done in the extreme, normalize phishing emails. The real phish comes in and sits unreported next to the fake ones. Security never gets to run a scan and remove the message from every mailbox, increasing the exposure.
The better approach is to prevent users from being in control of their own vulnerability. Don’t let them enter their credentials into the nono box.
They might not trust the security team to be their friend, but they have no reason not to trust them as a coworker doing their assigned job.
They may perceive the personal cost as being low, but that is the real issue. If digital security is breached because of their actions, when a small amount of due diligence can easily prevent it, they are responsible. Losing your job because ransomware you let in took out your employer’s computer system is a pretty big personal cost. May make it hard to get hired somewhere else too.
Locking down work computers further and further until users can’t possibly do anything damaging also makes doing work on those computers slower and more frustrating. It’s cost me many, many hours, because coworkers can’t take 2 seconds to think critically.
Yeah, you’re right. Passkeys, SSO and password managers make it impossible to get any work done. It’s much better to keep doing the same things that haven’t been working for decades. Don’t forget to make everyone rotate their password every month!
What’s your simple due diligence to prevent phishing? You check the links you click, verify the URL you ended up at is what you expect, validate no unexpected Unicode swaps in the domain, pop back to the email and check the sender is known and trusted, look at the headers and validate the routing chain, then double check the sender SPF and DKIM records are on the up and up? Oh, and make sure the actual content that you landed on is from the website and not a hijacked subdomain.
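The checklist in the comment above (inspect link hosts for Unicode look-alikes, compare the domain against what you expect, read the SPF/DKIM/DMARC results in the headers) is exactly the kind of work that belongs in a mail gateway or a triage script rather than in a nurse's head. The following is an added example, not code from anyone in this thread: it runs those checks over a constructed sample "day off" lure using only the Python standard library. The allowlist `TRUSTED_DOMAINS`, the sample message, and the hypothetical helper names (`link_findings`, `auth_results`, `triage`) are all assumptions made for illustration.

```python
"""Defender-side triage of a suspected phishing message (added example, stdlib only)."""
from __future__ import annotations

import re
from email import message_from_string
from typing import Dict, List
from urllib.parse import urlparse

# Assumption: the domains the organisation legitimately links to (constructed allowlist).
TRUSTED_DOMAINS = {"example-hospital.org"}

# Constructed sample message. The first link uses a Cyrillic 'a' (U+0430) in place of
# the Latin 'a'; the second swaps 'l' for the digit '1'; the third is the genuine intranet.
SAMPLE_EMAIL = """\
From: HR Benefits <hr@example-hospital.org>
To: staff@example-hospital.org
Subject: Extra PTO day - confirm by Friday
Authentication-Results: mx.example-hospital.org; spf=fail smtp.mailfrom=bulk-sender.example.net; dkim=none; dmarc=fail
Content-Type: text/plain; charset=utf-8

Claim your bonus day off: https://ex\u0430mple-hospital.org/pto/claim
Backup link: https://examp1e-hospital.org/pto/claim
Policy: https://intranet.example-hospital.org/policies/pto
"""

URL_RE = re.compile(r'https?://[^\s"<>]+')


def registrable_domain(host: str) -> str:
    """Last two DNS labels of a host. Assumption: no multi-label public suffixes (e.g. .co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_findings(url: str) -> List[str]:
    """Reasons a single link looks suspicious; an empty list means it passed every check."""
    host = urlparse(url).hostname or ""
    findings = []
    if not host.isascii():
        # Mixed-script or homoglyph hostnames (the "unicode swaps" from the thread).
        findings.append("non-ascii-host")
    if any(label.startswith("xn--") for label in host.lower().split(".")):
        # Punycode form of an internationalised domain; worth a second look even if allowlisted.
        findings.append("punycode-host")
    if registrable_domain(host) not in TRUSTED_DOMAINS:
        # Catches ASCII look-alikes such as examp1e-hospital.org that no script check can.
        findings.append("domain-not-allowlisted")
    return findings


def auth_results(raw: str) -> Dict[str, str]:
    """Pull spf/dkim/dmarc verdicts out of the receiving MTA's Authentication-Results header."""
    header = message_from_string(raw).get("Authentication-Results", "")
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header)}


def triage(raw: str) -> dict:
    """Combine header authentication and link checks into a single quarantine/deliver verdict."""
    auth = auth_results(raw)
    auth_failed = any(auth.get(mechanism) != "pass" for mechanism in ("spf", "dkim", "dmarc"))
    links = {url: link_findings(url) for url in URL_RE.findall(raw)}
    suspicious_links = {url: reasons for url, reasons in links.items() if reasons}
    return {
        "auth": auth,
        "auth_failed": auth_failed,
        "suspicious_links": suspicious_links,
        "verdict": "quarantine" if auth_failed or suspicious_links else "deliver",
    }


if __name__ == "__main__":
    result = triage(SAMPLE_EMAIL)
    print("authentication:", result["auth"])
    for url, reasons in result["suspicious_links"].items():
        print("suspicious link:", url, reasons)
    print("verdict:", result["verdict"])
```

Two of the three links are flagged and the authentication header shows SPF and DMARC failures, so the message is quarantined before any user has to decide whether the PTO offer is real. The allowlist check is deliberately strict: a registrable-domain comparison is what actually stops the `examp1e` swap, since that host is pure ASCII and passes every character-level test.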
That’s the specific area where they don’t. We’re discussing a specific situation where the security team is taking it upon themselves as their job duty to trick you and get you in trouble. That makes people hesitate to share security concerns because “those guys are pricks and will make this all my fault”.
It’s a hospital. They’re already short on nurses and administration staff. Those people directly provide patient care or manage operations. Security does not. Security’s job is to maintain security standards compliance and maybe keep patient data safe. It is not to exacerbate a staffing issue or let the network go down because you thought it was too much hassle to do your job and properly secure a fucking managed laptop. Security is, rightly, going to be blamed when a user gets the network infected. Particularly when your idea of training is to offer them PTO and then call them an idiot when they want it.
The person making the decision on who to blame is a lot more like that poor nurse than they are like security.