Four months ago, employees at the City of Los Angeles began receiving suspicious emails informing them of a package waiting. All they had to do was click the link.
There was no package, and fortunately for the employees who clicked, there was no malicious scammer, either. The emails were a phishing exercise run by the city’s technology department to see who needed to be better educated on the basic tenets of cybersecurity. Though the practice is fairly common, many government offices still do not do it, and the results in LA suggest why they should.
A “substantial” number of people clicked, said Ted Ross, the city’s chief information officer. The department instructed those who clicked to watch a 90-second training video, he said, and when it ran the exercise a second time the number was cut in half.
“We know the people who clicked twice,” he said. “And that starts to become a different conversation.”
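The procedure the article describes (send a simulated phish, record who clicks, train them, repeat, and compare runs) comes down to a small amount of bookkeeping over campaign logs. The script below is an added example, not code from the City of Los Angeles or from any phishing-simulation product; its log format, the campaign names `run1` and `run2`, and the pseudonymous user IDs are all constructed here for illustration. It computes the per-run click rate, the relative drop between runs, and the set of people who clicked in both, which is the list that “starts to become a different conversation.”

```python
from collections import defaultdict

# Constructed sample log for two simulated campaigns (not real City of LA data).
# One event per line: campaign,user,event   with event in delivered|clicked|reported.
# Users are pseudonymous IDs so the raw log can be shared without naming people.
SAMPLE_LOG = """\
run1,u001,delivered
run1,u002,delivered
run1,u003,delivered
run1,u004,delivered
run1,u001,clicked
run1,u002,clicked
run1,u002,clicked
run1,u003,reported
run2,u001,delivered
run2,u002,delivered
run2,u003,delivered
run2,u004,delivered
run2,u002,clicked
run2,u004,reported
"""

VALID_EVENTS = ("delivered", "clicked", "reported")


def parse_log(text):
    """Return {campaign: {event: set(users)}}.

    A user who clicks the same lure several times is counted once; the
    metric is 'how many people fell for it', not 'how many clicks'.
    """
    stats = defaultdict(lambda: defaultdict(set))
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        campaign, user, event = parts
        if event not in VALID_EVENTS:
            raise ValueError(f"line {lineno}: unknown event {event!r}")
        stats[campaign][event].add(user)
    return stats


def click_rate(stats, campaign):
    """Fraction of delivered recipients who clicked at least once."""
    delivered = stats[campaign]["delivered"]
    if not delivered:
        raise ValueError(f"{campaign}: no deliveries recorded")
    # Only count clicks from people we actually sent the lure to; a click
    # without a delivery record is a forwarded link or a logging error.
    clicked = stats[campaign]["clicked"] & delivered
    return len(clicked) / len(delivered)


def report_rate(stats, campaign):
    """Fraction of delivered recipients who reported the email as suspicious."""
    delivered = stats[campaign]["delivered"]
    if not delivered:
        raise ValueError(f"{campaign}: no deliveries recorded")
    return len(stats[campaign]["reported"] & delivered) / len(delivered)


def improvement(stats, first, second):
    """Relative drop in click rate between two runs (0.5 means 'cut in half')."""
    r1, r2 = click_rate(stats, first), click_rate(stats, second)
    if r1 == 0:
        return 0.0
    return 1.0 - r2 / r1


def repeat_clickers(stats, first, second):
    """People who clicked in both runs, i.e. the training did not land."""
    return sorted(stats[first]["clicked"] & stats[second]["clicked"])


STATS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    for run in ("run1", "run2"):
        print(f"{run}: click rate {click_rate(STATS, run):.0%}, "
              f"report rate {report_rate(STATS, run):.0%}")
    print(f"drop between runs: {improvement(STATS, 'run1', 'run2'):.0%}")
    print("repeat clickers:", repeat_clickers(STATS, "run1", "run2"))
```

Two details matter in practice: deduplicating clicks per user keeps one curious employee from inflating the rate, and intersecting clicks with the delivery list keeps forwarded links out of the numbers. The report rate is worth tracking alongside the click rate, since a rising report rate is the positive signal a training program is actually aiming for.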
Not everyone is running this exercise, but they should be, said Brian Calkin, vice president of operations at The Center for Internet Security.
“Phishing is one of the most effective ways to compromise an organization,” Calkin said. “You literally could have the stoutest security controls in place at your network perimeter and you can phish somebody and just ask for their credentials and they’ll just give them to you.”
With heightened discussion of cybersecurity brought on by news of possible Russian involvement in the 2016 presidential election, more people than ever are aware of how important these issues are, Calkin said, but many are still struggling, especially in smaller government organizations.
Everyone is accustomed to the preaching and the fear-pumping headlines around cybersecurity, Ross said, but with metrics in hand, he can visit department managers with an absolute measurement of the problem and a training plan that he knows will help fix it.
LA’s phishing program was inspired by an anecdote Ross said he heard years ago of CA Technologies dropping USB sticks in the parking lot and waiting to see who picked them up and plugged them into their work computer.
Though it’s a great starting point for training, Ross said, the thing he likes most about it is the way it gets people talking.
“When we send it out to departments, it is easily the most talked about thing for two weeks,” Ross said. “Every general manager, every department manager comes to me and [talks about it]. I’ve had elected officials come up — it created this really big buzz.”