Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

DHS CISO Wants Consequences for Workers Who Fall for Security Scams

September 29, 2015

Consequences for an employee who is easily fooled? Or should I say phooled? This is the first time I've seen something like this.

SC Magazine posted about a proposal from Paul Beckman, the Chief Information Officer for the Department of Homeland Security. Beckman sends fake phishing e-mails to his staff to see who does not follow protocols and falls for the scam. Anyone who fails must undergo remedial security training.

But Beckman wants to go one step further. Beckman would like to use both tests and an individual's susceptibility to security threats as part of their overall job evaluation process and as a factor in determining whether they are competent to handle sensitive data and have a security clearance.
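As an added illustration of the kind of record-keeping such a program needs (this is example code written for this post, not anything from DHS or SC Magazine), here is a small Python script that takes the results of several simulated phishing campaigns and sorts staff into "one slip, remedial training" versus "repeat pattern, escalate for review". The campaign data, the user names, the action labels and the repeat threshold of two are all constructed assumptions; the point is that a single click and a pattern of clicks are tracked and treated differently, and that reporting the lure is recorded as the desired behaviour.

```python
from collections import defaultdict

# Constructed sample events from simulated phishing campaigns (not real data).
# Each event: (campaign_id, user, action), where action is one of
# "reported" (user flagged the lure), "ignored", "clicked" (followed the link)
# or "submitted" (entered credentials on the landing page).
EVENTS = [
    ("2015-Q1", "alice", "reported"),
    ("2015-Q1", "bob", "clicked"),
    ("2015-Q1", "carol", "ignored"),
    ("2015-Q1", "dave", "submitted"),
    ("2015-Q2", "alice", "ignored"),
    ("2015-Q2", "bob", "clicked"),
    ("2015-Q2", "carol", "reported"),
    ("2015-Q2", "dave", "reported"),
    ("2015-Q3", "alice", "reported"),
    ("2015-Q3", "bob", "submitted"),
    ("2015-Q3", "carol", "ignored"),
    ("2015-Q3", "dave", "ignored"),
]

# Actions that count as falling for the lure.
FAIL_ACTIONS = {"clicked", "submitted"}


def failures_per_user(events):
    """Map each user to the list of campaigns in which they fell for the lure."""
    failed = defaultdict(list)
    for campaign, user, action in events:
        if action in FAIL_ACTIONS:
            failed[user].append(campaign)
    return dict(failed)


def campaign_rates(events, campaign):
    """Return (click_rate, report_rate) for one campaign as fractions of recipients."""
    recipients = [e for e in events if e[0] == campaign]
    if not recipients:
        return (0.0, 0.0)
    fails = sum(1 for e in recipients if e[2] in FAIL_ACTIONS)
    reports = sum(1 for e in recipients if e[2] == "reported")
    return (fails / len(recipients), reports / len(recipients))


def triage(events, repeat_threshold=2):
    """Hypothetical policy, not DHS's: a user with fewer failures than the
    threshold gets remedial training; a user at or above it is escalated
    for the broader review the proposal describes."""
    failed = failures_per_user(events)
    remedial = sorted(u for u, c in failed.items() if len(c) < repeat_threshold)
    escalate = sorted(u for u, c in failed.items() if len(c) >= repeat_threshold)
    return {"remedial": remedial, "escalate": escalate}


if __name__ == "__main__":
    for campaign in sorted({e[0] for e in EVENTS}):
        click, report = campaign_rates(EVENTS, campaign)
        print(f"{campaign}: click rate {click:.0%}, report rate {report:.0%}")
    print(triage(EVENTS))
```

The per-campaign report rate is worth tracking alongside the click rate: a program that only counts failures never learns whether staff are actively flagging lures, which is the behaviour the training is meant to produce.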

My first reaction was "You mean they are not doing that already? At DHS?" We cannot suffer fools gladly in these perilous security days. One slip in response to a sophisticated phishing e-mail may not mean much, but someone who demonstrates a propensity for falling for phishing e-mails or other scams should NOT have a security clearance and should not be handling sensitive data. And I think the same principle applies to law firm employees from senior partners to receptionists.

We live in a world where one in eleven phishing e-mails will result in an employee clicking on a malicious link or attachment. We need to correct that through training where possible – and take more serious measures where training isn't sufficient.

E-mail:    Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
http://www.senseient.com
http://twitter.com/sharonnelsonesq
www.linkedin.com/in/sharondnelson