I found this post by Terry Sweeney, Editor in Chief over at Dark Reading. He is discussing whether or not you should send fake phishing emails to your own users to find weaknesses in your security awareness training and anti-phishing measures (he is specifically talking about Core Systems’ product).
Here’s a quote:
What the vendor doesn’t say is what you do once you’ve ensnared such users in your phishing net. Do you hoist them upside down like fresh caught marlin, then get your dockside souvenir photo snapped? Maybe feature the phished users in the company newsletter? Issue them a warning or something more draconian?
First off, security awareness testing has to be done. How else can you figure out whether or not the training is working? And Mr. Sweeney, the argument that “you cannot manage what you cannot measure” is still valid, no matter whether you attempt to head it off by putting it in your blog post and sneering at it.
Second, as I said in my latest CW post, any security manager worth his salt is not going to use security awareness testing to incriminate users (unless the results uncover behavior that is unlawful or purposefully against company policy). It is simply there to test the effectiveness of the training. Employees should be coddled to some degree while this testing is going on (meaning you should be there to hold their hand when they screw up during testing; you should not warn them ahead of time).
Third, what the security manager does with the product is not Core Systems’ concern. I know that argument can be taken to the nth degree (hacking tools, etc.), but Core Systems is providing a commercial product that has a legitimate purpose. It is not their fault if ABC, Inc. uses it to fire all their stupid users.
Vet

A couple of other things to consider regarding this kind of testing: How is the information going to be handled afterward? How do they plan on scheming their users? If they send out eBay, Bank of America, or Chase phishing emails, the data they might get back could be very sensitive.
Like you said, incriminating users just makes them hate you even more. We don’t need any more hate, hehe :p