Installing technology is simple, says Jeff Wagner, associate CIO for enterprise infrastructure services and acting CISO at the Office of Personnel Management. OPM’s 2015 data breach resulted in the exposure of personal information for 21.5 million people.
“I can install anything to be as forceful as I want, but the education of the users is the more important piece,” he says. “If I just tried to throw technology at them, and they’re not involved, I’m going to get a lot more issues.”
The Department of Homeland Security conducted anti-phishing training at OPM in 2016, and employees responded. In the first test, 12 percent of employees clicked on the link; five months later, only 1 percent did, according to an August 2017 GAO report.
Agencies Get More Options to Combat Phishing
Vendors have responded to this demand for tools that educate and empower end users. Symantec offers its own tool, called Phishing Readiness, which allows organizations to assess employees’ responses to simulated phishing attempts and follow up with video-based training modules. Sophos offers a similar product, called Phish Threat.
Both companies are among the preapproved vendors on GSA’s IT Schedule 70, which means companies can receive products from them more quickly.
In July, DHS announced new anti-phishing features on the Mobile Endpoint Security platform by Lookout, which it partners with; last year, the agency purchased 2,500 licenses. In addition to detecting phishing attempts in SMS messages, the platform detects and prevents attacks hiding inside mobile apps, social media messages and corporate or personal email, and alerts users in real time if the connection is exposed to malicious apps or websites.
Robert Westervelt, a research director within IDC’s Security Products group, says that training on recognizing and responding to phishing attacks should be part of a broader cybersecurity strategy — one that helps employees increase their personal cybersecurity.
“It’s not about the phishing training itself,” he says. “It’s about combining it with a sustained end-user training campaign, something that fosters a culture of security.”
People are the biggest part of any anti-phishing effort, says Kevin Cooke Jr., principal deputy CIO for the Department of Housing and Urban Development. “We also remind people they need to think about these things in their personal life,” he says. “We have a lot of financial and personal data to protect, and the biggest part is making sure that employees feel invested in that.”
GAO, State Department Test Employees with Phishing Campaigns
The GAO “phishes” its own employees on a rolling basis, targeting its approximately 3,000 users with three different scenarios (one each for three separate thousand-user groups) during a cycle.
“It takes about six weeks to get through everybody,” says Sadnavitch. “We’ll have a week gap, and then we start all over again with new scenarios. We don’t stop.”
Sadnavitch and his team receive detailed reports from the Cofense tool about the number of users who opened the faux-phishing email, how many clicked on a link within the message, how many reported the email to IT and how much time employees spend on training modules.
The agency has used ploys such as telling employees that they’ve won a free cup of coffee to trick them into clicking.
“The most significant thing that’s happened is, when we’re getting real phishing attempts in, we have a lot more people doing the reporting,” Sadnavitch says. “I truly believe it’s working.”