There's an old saying that you can catch more flies with honey than with vinegar.
And this is true in cyberspace as well...
Like a honey pot that attracts cyber criminals, organizations are now hiring "ethical hackers" to teach employees a lesson, before the bad guys teach them the hard way.
The Wall Street Journal (27 March 2013) reports that ethical hackers lure employees to click on potentially dangerous email links and websites, get them to provide physical access to data centers and work site computers, or give up passwords or other compromising information through social engineering.
The point of this is not to make people feel stupid when they fall for the hack--although they probably do--but rather to show the dangers out there in cyberspace and to impress on them to be more careful in the future.
One ethical hacker company sends an email with a Turkish Angora cat (code-named Dr. Zaius) promising more feline photos if people just click on the link. After sending this to 2 million unsuspecting recipients, 48% actually fell for the trick and ended up with a stern warning coming up on their screen from the cyber security folks.
Another dupe is to send an faux email seemingly from the CEO or another colleague so that they feel safe, but with a unsafe web link, and see how many fall for it.
While I think it is good to play devil's advocate and teach employees by letting them make mistakes in a safe way--I do not think that the people should be named or reported as to who feel for it--it should be a private learning experience, not a shameful one!
The best part of the article was the ending from a cyber security expert at BT Group who said that rather than "waste" money on awareness training, we should be building systems that don't let users choose weak passwords and doesn't care what links they click--they are protected!
I think this is a really interesting notion--not that we can ever assume that any system is ever 100% secure or that situational awareness and being careful should ever be taken for granted, but rather that we need to build a safer cyberspace--where every misstep or mistake doesn't cost you dearly in terms of compromised systems and privacy. ;-)
(Source Photo: Dannielle Blumenthal)