I don’t think that the cybersecurity team did anything wrong. If they can be exploited that way then it is a measurable risk.
I have to disagree with the premise that security testing should be a “feel-good” exercise. In a healthcare setting, the security team operates as an internal auditor. Their job isn’t to be liked; it is to protect patient lives from catastrophic ransomware attacks that shut down life-saving systems.
To do that effectively, they have an obligation to run real-world simulations. Actual threat actors don’t care about hospital morale or their exploitation under capitalism, and they will exploit those exact pressure points to gain credentials. What this test revealed isn’t just that the staff are tired, but that a highly enticing lure easily bypasses their current social controls. Because of this test, the security team now knows they must rely more heavily on technical controls (like hardware keys or stricter zero-trust policies) to compensate, which is actionable. Being mad at the security team for exposing a fatal vulnerability is shooting the messenger.
My entire point is that none of that is actually new information. Every piece of research by anyone has always indicated that the human element is the weakest part of the security system. If you’re asking if you can trust a user to reliably do something, you can safely say “no” and make contingencies for when they don’t.
If they have technical solutions available, they didn’t need to run a drill to know that they should use them.
It’s not about being “liked”. It’s about effectively enforcing a security posture. An adversarial relationship does more to undermine that than providing guidance on how to do it better.
They have no obligation at all to “run scenarios” where they could just implement the fix to the problem.
They exposed a fatal vulnerability in the same way stabbing someone exposed a problem: it’s been demonstrated, but it’s not new information.
This type of exercise is about producing numbers that look good on a spreadsheet. You do a phishing drill, people fail and then you run a training. A few weeks later you do it again and since people still have the previous drill lingering they remember, and you send a softball phish. Line go up and to the right. Looks good in report.