While some who received the email come-on fell for it, the majority did not; however, more fell short in other aspects of policy compliance.
Determined not to fall victim to another network breach, the U.S. Postal Service is phishing its own employees, testing their ability to recognize a scam before it’s too late and their knowledge of the proper procedures to be followed.
The Postal Service suffered from a massive breach last year that exposed the personal information on more than 800,000 current and former employees. Instead of storming the firewalls, the attackers used targeted spear-phishing emails to gain access to the networks, enabling them to get in and exfiltrate information without much difficulty.
As the agency works on strengthening its internal policies, the inspector general’s office conducted a sting operation on 3,125 postal employees. The results were in part promising, however the vast majority of those tested failed to comply with Postal Service policies, particularly when it came to reporting requirements.
The (sorta) good news
Only 25 percent of those tested (789 employees) clicked on the “malicious” link in the phishing email. While this number seems high — and is much higher than any IG or CISO would like to see — a comprehensive study by Cisco in 2011 showed 50 percent of users who open spear-phishing emails click on the links within.
While users are becoming more aware of the tactics being used by bad actors, those same actors are also becoming dramatically more sophisticated in their strategies, particularly when it comes to spear-phishing and social engineering.
Twenty-five percent isn’t really good news but it could have been much, much worse.
Little-to-no policy compliance
The more troubling statistics from the IG’s review show a lack of compliance with the Postal Service’s internal policies and a lack of training among employees.
An overwhelming 93 percent (2,916 employees) of those tested failed to report the suspicious email to the Computer Incident Response Team, a violation of the Postal Service’s cybersecurity policy. However, 96 percent (2,986) wouldn’t have been aware of that policy since they had not completed the agency’s annual information security training.
Lack of training proved to be the primary point of failure, according to the IG, as 750 of the 789 employees to click through (95 percent) had not completed the annual training.
“When management does not require all employees with network access to take annual information security awareness training, users are less likely to appropriately respond to threats,” the IG wrote. “A recent study revealed that user awareness training effectively changes behavior and reduces security-related risks by up to 70 percent.”
The lack of training was not the employees’ fault, the IG stated, as the Corporate Information Security Office did not include phishing identification and response in its training courses until recently.
The regimen now includes phishing, however Postal Service policy still fails to require all employees with network access to attend annual training sessions. Instead, only new hires and members of the CIO’s office are required to take annual training.
Postal Service management disagreed that the high rate of failure to report represented failure as a whole.
Managers pointed to the 7 percent that did report the suspicious email, noting that security officers received more than 100 reports within the first hour.
They did, however, agree with the intent of the IG’s findings and vowed to implement new training policies by April 2016.