It's very much possible that at some point in the near future, opening an attachment or clicking on a link in a phishing email will get you terminated. Everyone is now responsible for security at the organization they work for. I think that is something we can all agree on, even if there are still those colleagues who don't give it a second thought. Security awareness training has been part of most organizations' security programs to help employees detect and report security incidents; however, only recently has the human factor played such a direct role in incidents and data breaches.
Social engineering is nothing new, but a well-crafted phishing email, based on current events and information about the target and designed to get the person to click on a link or open an attachment, has become very prevalent over the past few years. As more and more companies and government agencies are infiltrated by attackers gaining a foothold via those well-crafted phishing emails, they're finding out that their awareness programs are not effective, or that people just don't care enough to be vigilant about these types of attacks in their daily activities.
This week Paul Beckman, CISO of the Department of Homeland Security, discussed how federal employees with security clearance are failing email phishing tests “that look blatantly to be coming from outside of DHS.” Beckman noted that those who fall for the emails, and in some instances have entered their credentials after following the links, are required to take additional security training. Beckman made headlines with his proposal to revoke the security clearance of repeat offenders, stating that those employees “have clearly demonstrated that you are not responsible enough to responsibly handle that information.”
Beckman has said what many heads of Information Security departments have been thinking for a long time and, like a concerned parent, is wondering how much punishment needs to be dished out to change the behavior of their colleagues. If Beckman revokes security clearance, will those employees still be able to perform their job responsibilities? Maybe not, if the job required the clearance in the first place. The next logical step is a demotion to a position which doesn't require the clearance, or termination of the employee altogether.
Email phishing tests have been around for a while, but this may be the tip of the iceberg for human security tests. A new tool, AVA, created by Laura Bell, CEO of SafeStack, performs social engineering tests meant to utilize as much information about the target as possible. This includes trawling social media and connecting to internal systems to learn about things like reporting lines. It will use this information, for example, to send text messages which look like they're from your boss, asking you to execute a task outside of standard approval controls. If you got a frantic text from your boss, would you send that wire transfer or execute a production change? Those are some of the more psychological and situational tests AVA can execute to test an organization's human risk.
Is this the future, vulnerability scanners for people? Should this be required for government employees with security clearance, or for employees in your organization with access to your critical assets and information? What can be done to make security awareness stick? These are the questions being asked in order to find ways to reduce the risk. I’m a proponent of testing those with security clearance or access to critical data, because that responsibility comes with the job and must be upheld every day. However, this may cause long-term effects such as stressed-out employees worried about real and test spear phishing attempts, or a reduction in staff because of failed tests.
I don’t know if this behavior can be changed through training and the consequences of demotion and termination, or if we will ever be able to truly manage the human risk from well-crafted phishing and human psychology completely. One thing is for certain though: we are the weakest link, and the ones carrying out the attacks know it.
Photo by Matthias Ripp / CC BY