CTO of media company faked-out employees with "phishing" emails

There is a fascinating article in SC Magazine dated July 3, 2013 which tells the story of Atlantic Media Chief Technology Officer Tom Cochran, who blasted out a simulated phishing email to all 450 email addresses in the company directory. The results, he said, should be something of a wake-up call. The link directed employees to a website that revealed the scam, Cochran told SCMagazine.com, and the roughly 120 employees who clicked it were likely surprised to see it was a con.

That falls exactly in the 20-30% of employees we find to be Phish-prone, the ones who click on our initial Phishing Security Test before we train them.

Cochran, who worked nearly two years in the White House as director of new media technologies, said he sees a growing trend in business where functionality, convenience and cost often take precedence over security.

“You're only as strong as your worst offender,” Schneier told SCMagazine.com this week, explaining that it only takes one reckless employee opening a malicious email to put an office network at risk. “I really would rather see investment in systems that take user mistakes out of the loop. Make it so users can't destroy security. For example, any anti-virus that makes it so the user can't click a link will help.”

What Schneier does not seem to realize is that cybercrime now produces 200,000 new malware versions on an industrial scale each and every day, and that antivirus is not able to keep up anymore. It is absolutely necessary that each employee, from the Board on down to the mail room, gets security awareness training and is continually tested afterward.



