City auditor's phishing test proves to be effective training tool
A fake “phishing” attack by the city auditor's department in Kansas City, Missouri, led to some concrete recommendations regarding how to prevent the problems created by phony emails in the future.
A staff member, a certified information systems auditor, came up with the idea for the fake phishing attack after a training session, said city auditor Douglas Jones.
“We thought it was a really timely audit for us to do with all the breaches going on to see how our staff handled a phishing email,” as well as how the information technology staff responded to the incident, said Mr. Jones.
In March, the auditing department embedded a link to a fake website in an email. Employees visited the website more than 600 times within the first 24 hours after the emails were sent.
About 280 of the 3,115 city employees to whom the email was delivered provided their system login information, including email address, login ID and password, to the fake website. “Had our test been an actual phishing email, a hacker would have had about 280 chances to infiltrate the city's information systems,” says the report, issued in March.
“Although some employees gave invalid credentials because they suspected the mail was a phishing email, just clicking the website link in the email could expose the city's information systems to risk.”
The report notes employees who provided credentials were from all city departments, including those that handle confidential and sensitive information.
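The results above mix three different signals: raw visits (more than 600), employees who actually entered credentials (about 280), and employees who deliberately entered bogus credentials. The following added example, which is not from the audit report or the city's own tooling, shows how a security awareness program might reduce a simulation's event log to per-department exposure figures so that training can be targeted. The event log, department names and counts are constructed sample data.

```python
from collections import defaultdict

# Constructed sample events from a hypothetical phishing simulation
# (not data from the Kansas City audit).
# Each event: (user, department, event_type, credentials_valid_or_None)
SAMPLE_EVENTS = [
    ("u1", "finance", "click", None),
    ("u1", "finance", "submit", True),
    ("u2", "finance", "click", None),
    ("u2", "finance", "click", None),   # repeat visits count once per user
    ("u3", "water", "click", None),
    ("u3", "water", "submit", False),   # suspicious user typed bogus credentials
    ("u4", "water", "submit", True),    # a submit implies the link was opened
    ("u5", "parks", "click", None),
]

# Constructed delivery counts: department -> employees who received the mail
SAMPLE_DELIVERED = {"finance": 10, "water": 20, "parks": 5}


def summarize(events, delivered):
    """Per-department exposure: unique clickers, unique submitters and
    submitters whose credentials were valid (the real compromise count)."""
    clicked, submitted, valid = defaultdict(set), defaultdict(set), defaultdict(set)
    for user, dept, event, ok in events:
        if event == "click":
            clicked[dept].add(user)
        elif event == "submit":
            clicked[dept].add(user)      # reaching the form requires the click
            submitted[dept].add(user)
            if ok:
                valid[dept].add(user)
    out = {}
    for dept, n in delivered.items():
        c, s, v = len(clicked[dept]), len(submitted[dept]), len(valid[dept])
        out[dept] = {"delivered": n, "clicked": c, "submitted": s,
                     "valid": v, "click_rate": c / n, "valid_rate": v / n}
    return out


def training_priority(summary):
    """Departments ordered by share of staff who handed over working
    credentials, then by click rate; the top entries get training first."""
    return sorted(summary, key=lambda d: (summary[d]["valid_rate"],
                                          summary[d]["click_rate"]), reverse=True)


if __name__ == "__main__":
    s = summarize(SAMPLE_EVENTS, SAMPLE_DELIVERED)
    for dept in training_priority(s):
        print(dept, s[dept])
```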
Recommendations made by the auditing department in the report include implementation of an IT security awareness program and mandatory continuous training for all city IT users.
Others include developing a comprehensive cyber security incident response plan. The report notes that though the IT department responded appropriately, it lacks written procedures.
Mr. Jones said the city has six months to respond to the report, which has been well-received.