Slashdot Mirror

← Back to Stories (view on slashdot.org)

1 in 3 Michigan Workers Tested Opened A Password-Phishing Email (go.com)

Posted by EditorDavid on from the failing-the-audit dept.

An anonymous reader quotes the AP: Michigan auditors who conducted a fake "phishing" attack on 5,000 randomly selected state employees said Friday that nearly one-third opened the email, a quarter clicked on the link and almost one-fifth entered their user ID and password. The covert operation was done as part of an audit that uncovered weaknesses in the state government's computer network, including that not all workers are required to participate in cybersecurity awareness training... Auditors made 14 findings, including five that are "material" -- the most serious. They range from inadequate management of firewalls to insufficient processes to confirm if only authorized devices are connected to the network. "Unauthorized devices may not meet the state's requirements, increasing the risk of compromise or infection of the network," the audit said.

3 of 119 comments (clear)

  1. Sounds about right by Anonymous Coward · · Score: 5, Informative

    We have similar results during my companies initial phishing test so I suspect that this result is not uncommon. Sending out training and multiple rounds of phishing test emails (which then require more training if you click) is the ONLY way to bring this number down. The users need to be made as paranoid as possible before clicking ANY links. After a year and a 1/2 we still have a few repeat offenders who still click on the links or enter username/passwords so Multi factor authentication was implemented, but its far far less then we previously had. Posting as AC for obvious reasons.

  2. Re:Headline? by Anonymous Coward · · Score: 2, Informative

    It's a grammatically correct headline. Learn to read: "1 in 3 Michigan Workers Tested" is the noun phrase (containing a participle form of verb used adjectivally) serving as the subject of the verb "Opened," which takes "A Password-Phishing Email", which is the noun phrase in the role of object for the transitive verb.

    If it's to be nitpicked, one might nitpick that it should read "Password-Phishing Emails" or just "Password-Phishing Email" (no "a" which should be omitted in the headline for brevity reasons anyway).

    But just because you can't read doesn't mean other people shouldn't write like educated people.

  3. Re:Bad metrics by Anonymous Coward · · Score: 2, Informative

    2/3 of slashdot users don't read the article summary.