An audit at the Federal Housing Finance Agency found that more than one third of employees subjected to a fake phishing attack failed to follow the proper response protocols, and it also identified a number of other vulnerabilities at the agency’s network perimeter.
According to the audit, just three of the 50 employees tested reported the suspicious emails to their superiors.
1 in 3 FHFA employees failed phishing test — FCW. “An audit at the FHFA found > 1/3 of employees subjected to a fake phishing attack failed to follow proper response protocols, along with a number of other vulnerabilities present at .. network perimeter.” https://t.co/KNUyJpremJ
— Christina Ayiotis, Esq., CRM, CIPP/E (@christinayiotis) February 12, 2019
Corin Imai, Sr. Security Advisor at DomainTools:
“Educating the workforce on what to look for in a phishing email and the proper steps for internal communication if a malicious link is clicked on is paramount to organisations. Additionally, regular audits should be adopted in order to assess their risks and implement the appropriate defensive measures. This is particularly relevant for financial organisations, where the data stored could have serious implications for both individuals and businesses.”
Tim Sadler, CEO and Co-founder at Tessian:
“However, the recent audit at the Federal Housing Finance Agency (FHFA) suggests that many workers in the sector remain unaware of the risks of phishing. Although end user phishing email training is an important exercise for increasing awareness and vigilance among employees – particularly for those that manage and control company funds and are more likely to be targeted – malicious actors will always strive to exploit and profit from human error as long as it is vulnerable and unprotected.
The only true way of protecting finance workers and company funds is to apply a machine intelligent solution that comprehensively and automatically prevents attacks by analysing the context and content of inbound emails. This eradicates the issue of human error and vulnerability.”
The opinions expressed in this article belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.