As pandemic-related scams rise, experts say companies should tread carefully with cybersecurity exercises like one that has prompted anger in Britain.
LONDON — The email from the payroll department of a British railroad company seemed to echo a refrain from many corporate offices during a difficult year, offering employees a link to a “one-off payment” to thank them for working under the strain of the pandemic.
But workers for West Midlands Trains who followed the link in April and entered login details discovered that there was no bonus after all, only a notice that the email was a security test, measuring recipients’ susceptibility to messages faked by outside hackers. Unamused and angered, a union for the company’s employees has called the test a “cynical and shocking stunt” and called for an apology.
The British railroad operator is not the only company to have angered employees with cybersecurity tests promising financial payoffs during an economically stressful time. But with the emotional and financial strain of the pandemic fueling cybercrime, the fallout has played into a conversation about how far is too far for phishing tests.
Online scams are on the rise, and the consequences of a cyberattack can be costly and crippling for a business. So it makes sense that companies want workers to be on the lookout for so-called phishing emails or text messages, which imitate trusted senders to seek financial, confidential or personal information. But cybersecurity experts say that companies should tread carefully if they test employees, because such phony offers could not only be psychologically damaging but actually detract from a company’s security.
A union representative for the workers said he was astonished at what he saw as the cruelty of the email.
“It’s almost beyond belief that they chose to falsely offer a bonus to workers who have done so much in the fight against this virus,” said Manuel Cortes, general secretary of TSSA, a labor union that represents workers at the company, in a statement. He said that many staff members at the company had caught the coronavirus and that one person had died after contracting Covid.
West Midlands Trains defended the exercise as an “important test” that had been designed to mimic “language used by real cybercriminals but without the damaging consequences.”
“We take cybersecurity very seriously, providing regular training on the subject and we run exercises to test our resilience,” a spokesman for the company said in an emailed statement. He added that the email had been sent to about 420 staff members in management roles.
Phishing emails and texts that try to entice the recipient into downloading malware, visiting shady websites or sharing sensitive information from credit card details to intellectual property have proliferated during the pandemic. And businesses report that it has been harder to administer cybersecurity measures during the past year.
A report released this week by Britain’s National Cyber Security Centre showed a 15-fold increase in the number of scams removed from the internet. It said the agency had taken more fraudulent sites offline in the past year than in the previous three years combined.
In the first quarter of this year, according to government statistics, almost 40 percent of businesses in Britain reported digital breaches or attacks, with an average cost for medium to large firms of around 13,400 pounds, or $18,800. And the cost of a serious breach can be far more daunting: One study conducted last year by the Ponemon Institute for IBM Security, which interviewed 524 organizations across 17 countries, found that data breaches in 2020 cost an organization on average $3.86 million.
Phishing has also been used by scammers attempting to swindle grandparents out of their savings, by intelligence agencies to gain information and diplomatic leverage, and by IT departments to see if employees are paying attention.
“A sufficiently well-designed phishing email will get clicked on 100 percent of the time,” said Steven J. Murdoch, a professor of security engineering at University College London, adding that all companies were vulnerable to phishing.
But testing employees with fake emails about bonuses was “entrapment,” he said, adding that it risked harming the relationship between companies and employees, which was crucial for security. Some attacks, as an example, come from disgruntled employees, he said. “People responsible for fire safety don’t set fire to the building,” he said of the tests.
Rather than discouraging employees from clicking on any link, he said, more effective strategies could include blocking phishing emails, installing software to protect against ransomware, and addressing use of passwords.
Alienating employees also meant they could be less likely to report suspicious activity to their company departments, a crucial method of stopping attacks from becoming more serious, said Jessica Barker, a co-founder of Cygenta, a cybersecurity company.
“If people report as soon as they suspect something, that can go a huge extent to mitigating any attack,” Dr. Barker said. “The problem with this kind of simulation is that it can put people off reporting.”
Cybersecurity ultimately needed to consider the ethics, psychological safety and culture of a workplace, Dr. Barker said. “The focus shouldn’t be on trying to trick people or taking an ‘us versus them’ approach, the focus should be: How can we help our work force?”
Phishing simulations had their place, she said. “But something as emotive as financial bonus at a time of financial uncertainty is just not something that’s going to be well received.”
That was certainly true for the Tribune Publishing Company, which owns The Baltimore Sun and The Chicago Tribune. It apologized after running a similar cybersecurity test last year promising employees a fake bonus of up to $10,000. Another test sent by the web-hosting provider GoDaddy in December asked employees to fill out personal information to claim a $650 holiday bonus. It also had to say sorry.
Companies using such tests may have to be prepared for demands such as those from the TSSA union, which has said there was one way for West Midlands Trains to make amends for the hoax: to pay a bonus to every employee after all “to right a wrong which has needlessly caused so much hurt.”
May 13, 2021 at 06:13PM
https://ift.tt/3yaupRm
A Phishing Test Promised Workers a Covid Bonus. Now They Want an Apology. - The New York Times