It's the Boss Fooling You -- for Safety's Sake

By Amy Joyce
Washington Post Staff Writer
Sunday, May 20, 2007

James MacDougall, head of computer security for state agencies in South Carolina, has been phishing state employees.

Andre Gould, who has a similar post at Continental Airlines, will do the same to employees at his company this summer.

It shows the lengths to which companies will go to keep their computer systems free of hackers, bugs and viruses. Phishing involves sending an e-mail that looks like it's from a trustworthy group but asks for information that could lead to a security breach.

Employees may be outraged that their bosses are trying to dupe them. But Gould and MacDougall say that employees will be retrained for the information age, not fired, and that it's for everyone's security.

"We want to understand what that employee, that liability, represents to the overall company and the IT risk as a whole," Gould said.

At a company like Continental, security is a priority. Just about four years ago, anyone could see that the computers at airport terminals stayed on all day, Gould said. Employees "tended to share and leave our passwords to get access into boarding," he said. He worried anyone could pose as a gate agent, letting people who weren't supposed to be on a plane board it.

Despite the fact that so many of us have been told of the dangers of computer security breaches, many people still invite trouble. In MacDougall's department's past two phishing expeditions, 30 of 100 e-mail recipients took the bait within the first 20 minutes.

"We see who is clicking on things that they don't know where the e-mail came from. Or if they will try to download programs for whatever reason," MacDougall said. "They know better than that, but what we found is a large percentage of people are like cats. Curiosity killed the cat."

Phishing taught him to be more aggressive in educating employees on what is proper, improper and downright dangerous. He didn't tell on the employees who responded to the e-mails with sensitive information, but he did demonstrate to workers what happened. Most who clicked are embarrassed by what they did, he said. They realize that they should have known better.

"You can spend all the money on the technology you want," MacDougall said. "But if the end users are doing dangerous behavior, there is almost no cure for that."

MacDougall said he has had no complaints from employees who feel their privacy has been violated, but some are surprised that their organization is actually phishing them.

But most companies are doing something, according to a 2005 survey by the ePolicy Institute and the American Management Association. For example:

· Seventy-six percent of organizations monitor employee Web site connections.

· Sixty-five percent use software to block connections.

· Thirty-six percent of employers use technology to track content and/or keystrokes.

· Fifty-five percent retain and review e-mail.

"Employers are increasingly taking monitoring and surveillance seriously, primarily because of legitimate legal liabilities," said Nancy Flynn, executive director of the institute. As of 2006, courts had subpoenaed employee e-mail at 24 percent of companies, and 15 percent of employers had gone to court to battle lawsuits specifically triggered by inappropriate e-mail use, according to a survey by the ePolicy Institute and the AMA. "So it's understandable employers are going to do what they can to try to prevent e-mail gaffes from happening or inappropriate messages from leaving or coming in to the system," Flynn said.

The same survey found that 26 percent of bosses had fired employees for e-mail misuse.

And so it stands to reason that a company phishing its own employees may not be the strangest idea out there. However, studies show that a number of workers still think tactics like these are trampling on their rights.

In a new survey by Littler Mendelson, an employment law firm, and the Ponemon Institute, a technology research firm, 38 percent of workers said they thought their privacy would be violated if their employer viewed their e-mail and Internet access over the corporate intranet.

Flynn thinks the number of employees upset about privacy might decrease if they are better educated about e-mail and Internet policy. While employers are doing a "good job of enforcing, they are dropping the ball when it comes to employee education." In fact, 76 percent of companies have an e-mail policy in place, but only 42 percent have actually put employees through formal training, she said. "You can't expect an untrained workforce to comply with a policy."

Or to understand why they are being watched.

That's what MacDougall and Gould try to explain to employees after their phishing trips. Employees who understand what is being monitored will be more careful about what they do on company time, Flynn said. And they will think twice before they click on that e-mail that promises to make the right stock picks or hand over riches from Africa.

"An educated workforce is much more likely to comply with policy," Flynn said. "If you explain that, most employees relax about monitoring."

© 2007 The Washington Post Company