Life at Work

It's the Boss Fooling You -- for Safety's Sake

By Amy Joyce
Washington Post Staff Writer
Sunday, May 20, 2007

James MacDougall, head of computer security for state agencies in South Carolina, has been phishing state employees.

Andre Gould, who has a similar post at Continental Airlines, will do the same to employees at his company this summer.

It shows what lengths companies will go to, to keep their computer systems free of hackers, bugs and viruses. Phishing involves sending an e-mail that looks like it's from a trustworthy group but asks for information that could lead to a security breach.

Employees may be outraged that their bosses are trying to dupe them. But Gould and MacDougall say that employees will be retrained for the information age, not fired, and that it's for everyone's security.

"We want to understand what that employee, that liability, represents to the overall company and the IT risk as a whole," Gould said.

At a company like Continental, security is a priority. Just about four years ago, anyone could see that the computers at airport terminals stayed on all day, Gould said. Employees "tended to share and leave our passwords to get access into boarding," he said. He worried anyone could pose as a gate agent, letting people who weren't supposed to be on a plane board it.

Despite the fact that so many of us have been told of the dangers of computer security breaches, many people still invite trouble. In the past two phishing exercises run by MacDougall's department, 30 of 100 e-mail recipients took the bait within the first 20 minutes.

"We see who is clicking on things that they don't know where the e-mail came from. Or if they will try to download programs for whatever reason," MacDougall said. "They know better than that, but what we found is a large percentage of people are like cats. Curiosity killed the cat."

Phishing taught him to be more aggressive in educating employees on what is proper, improper and downright dangerous. He didn't tell on the employees who responded to the e-mails with sensitive information, but he did demonstrate to workers what happened. Most who clicked are embarrassed by what they did, he said. They realize that they should have known better.

"You can spend all the money on the technology you want," MacDougall said. "But if the end users are doing dangerous behavior, there is almost no cure for that."

MacDougall said he has had no complaints from employees who feel their privacy has been violated, but some are surprised that their organization is actually phishing them.

But most companies are doing something, according to a 2005 survey by the ePolicy Institute and the American Management Association. For example:


© 2007 The Washington Post Company