STRATFORD, Ont. — Getting employees to stop and think before clicking on email attachments is the bane of CISOs. Studies show that at least 10 per cent of staff just can’t resist no matter how much awareness training they receive.
But an Ontario city’s IT staff has come up with a solution, which might be called tough love: Temporarily kick those who fail phishing tests off the network.
“We found we always had 150 to 200 people” out of about 2,250 employees who clicked on links during tests, Jim Dolson, manager of hardware and technology at the City of Greater Sudbury, told infosec pros Tuesday at the annual conference of the Municipal Information Systems Association of Ontario here.
So a few years ago it adopted a new policy: Click on the link and your Internet access is blocked. “They get an informational message telling them what they did, but you have to call IT [help desk] to get your Internet back.”
“It’s not a penalty, staff tell them what they did, they re-instate Internet access.”
But the incident isn’t forgotten. “Once they’ve done it three times they’re on a list … and if we learn of a virus in the real world we’re afraid of, all the people who have been listed in that group who we know are never-ending threats are blocked, until the threat is over. It’s the only way we can save everybody.” “It’s simple, it’s not complicated.”
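The escalation Dolson describes (block on click, help-desk reinstatement, a repeat-offender list after three failures, and a blanket block of that list while a real threat is active) is simple enough to express as a small policy routine. The Python below is an added illustration, not the City of Greater Sudbury's code; the simulation results are constructed, and the threshold of three comes from the text.

```python
from collections import defaultdict

# Constructed sample of phishing-simulation results: (user, campaign, clicked)
SAMPLE_RESULTS = [
    ("alice", "c1", True), ("bob", "c1", False), ("carol", "c1", True),
    ("alice", "c2", True), ("carol", "c2", False), ("dave", "c2", True),
    ("alice", "c3", True), ("carol", "c3", True), ("dave", "c3", False),
]
WATCHLIST_THRESHOLD = 3  # per the article: three failures puts a user on the list


def apply_policy(results, threshold=WATCHLIST_THRESHOLD):
    """Replay simulation results in order.

    Returns (failure count per user, users currently blocked pending a
    help-desk call, users on the repeat-offender list)."""
    failures = defaultdict(int)
    blocked = set()
    for user, _campaign, clicked in results:
        if clicked:
            failures[user] += 1
            blocked.add(user)  # Internet access stays off until reinstated
    watchlist = {u for u, n in failures.items() if n >= threshold}
    return dict(failures), blocked, watchlist


def reinstate(blocked, user):
    """Help-desk action: restore access. The failure history is kept,
    so repeat offenders still accumulate toward the list."""
    blocked.discard(user)
    return blocked


def threat_response(watchlist, threat_active):
    """While a real-world threat is active, everyone on the list is
    blocked; when it is over, the block is lifted."""
    return set(watchlist) if threat_active else set()


if __name__ == "__main__":
    counts, blocked, watchlist = apply_policy(SAMPLE_RESULTS)
    print("failures:", counts)
    print("blocked:", sorted(blocked), "watchlist:", sorted(watchlist))
    print("threat block:", sorted(threat_response(watchlist, True)))
```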
Judging by the chuckles in the audience, a number of listeners were impressed.
And, Dolson said, the strategy works. “It used to be a joke, and they just click on anything. But they don’t any more, because it gets embarrassing when they have to call the help desk.”
Now the number of employees who fall for test phishing email is down to around a dozen.
In an interview Dolson said the size of the problem emerged after the city bought a commercial phishing test solution and began testing employees. Initially, many city staff would fall for even the most obvious test scams – think of messages from alleged princes – and some would give away their logins. There was some early success, with the failure rate dropping from 500 staff to around 200. However, he said, progress stalled. Something had to be done.
Temporarily denying Internet access wasn’t welcomed by some, and Dolson had to explain the situation to them or their managers.
“We’ve seen an immediate improvement once people realize there’s a consequence to putting the corporation at risk, and it’s not just a game anymore.”