Snapchat recently disclosed that it was the victim of an increasingly common attack where someone in the HR department is tricked into providing personal details of employees to someone purporting to be the company’s CEO.
In response, the normal calls for “security awareness training!” and “phishing simulations!” is making the rounds. As I have said, I am in favor of security awareness training and phishing simulation exercises, but I am wary of people or organizations that believe this is a security “control”.
When organizations, information security people and management begin viewing awareness training and phishing simulations as a control, incidents like happened at Snapchat are viewed as a control failure. Management may ask “did this employee not take the training, or was he just incompetent?” I understand that your gut reaction may be to think such a reaction would not happen, but let me assure you that it does. And people get fired for falling for a good phish. Maybe not everywhere. Investment in training is often viewed the same as investment in other controls. When the controls fail, management wants to know who is responsible.
If you ask any phishing education company or read any of their reports, you will notice that there are times of day and days of the week where phishing simulations get more clicks than others, with everything else held constant. The reason is that people are human. Despite the best training in the world, factors like stress, impending deadlines, lack of sleep, time awake, hunger, impending vacations and many other factors will increase or decrease the likelihood of someone falling for a phishing email. Phishing awareness training needs to be considered for what it is: a method to reduce the frequency, in aggregate, of employees falling for phishing attacks.
So, I do think that heads of HR departments everywhere should be having a discussion with their employees on this particular attack. But, when a story like Snapchat makes news, we should be thinking about prevention strategies beyond just awareness training. And that is hard because it involves some difficult trade offs that many organizations don’t want to think about. Not thinking about them, however, is keeping our head in the sand.