Login

Help

BI’s Article search uses Boolean search capabilities. If you are not familiar with these principles, here are some quick tips.

To search specifically for more than one word, put the search term in quotation marks. For example, “workers compensation”. This will limit your search to that combination of words.

To search for a combination of terms, use quotations and the & symbol. For example, “hurricane” & “loss”.

Login Register Subscribe

City auditor's phishing test proves to be effective training tool

Reprints

A fake “phishing” attack by the city auditor's department in Kansas City, Missouri, led to some concrete recommendations regarding how to prevent the problems created by phony emails in the future.

A staff member, a certified information systems auditor, came up with the idea for the fake phishing attack after a training session, said city auditor Douglas Jones.

“We thought it was a really timely audit for us to do with all the breaches going on to see how our staff handled a phishing email,” as well as how the information technology staff responded to the incident, said Mr. Jones.

In March, the auditing department embedded a link to a fake website in an email. Employees visited the website more than 600 times within the first 24 hours after the emails were sent.

About 280 of the 3,115 city employees to whom the email was delivered provided their system login information, including email address, login ID and password to the fake website. “Had our test been an actual phishing email, a hacker would have had about 280 chances to infiltrate the city's information systems” says the report, issued in March.

“Although some employees gave invalid credentials because they suspected the mail was a phishing email, just clicking the website link in the email could expose the city's information systems to risk.”

The report notes employees who provided credentials were from all city departments, including those that handle confidential and sensitive information.

Recommendations made by the auditing department in the report include implementation of an IT security awareness program and mandatory continuous training for all city IT users.

Others include developing a comprehensive cyber security incident response plan. The report notes that though the IT department responded appropriately, it lacks written procedures.

Mr. Jones said the city has six months to respond to the report, which has been well-received.

Read Next

  • White House lends support to cyber legislation

    The Obama administration has issued statements of administration policy on H.R. 1560, the Protecting Cyber Networks Act, and H.R. 1731, the National Cybersecurity Protection Advancement Act.

Related Stories

Most Read in Risk Management

Sign up for Daily Briefing, the free email newsletter from Business Insurance.

About

Advertise

Reprints and Licensing

Resources

. Privacy PolicyTerms of Use

COPYRIGHT © 2024 BUSINESS INSURANCE HOLDINGS

Member, Beacon International Group, Ltd.