The Public Eye with Eric Chabrow

Anti-Phishing, DMARC, Fraud Management & Cybercrime, Governance & Risk Management

Punishing Those Who Fall for Phishing Schemes

DHS CISO Suggests Revoking Security Clearances of Repeat Offenders
DHS CISO Paul Beckman wonders whether security clearances should be stripped from those who consistently fall for phishing schemes.

Too often, individuals who fail to take the proper steps to secure IT aren't punished for their reckless behavior that leads to a cyberattack. But should those in the trenches, including senior-level personnel, who consistently fail to follow safe cyber hygiene be severely penalized for repeatedly falling for phishing attacks?


That's an idea floated - though not necessarily endorsed - by Paul Beckman, CISO at the Department of Homeland Security. Speaking at a security summit in Washington last week, Beckman said DHS might consider establishing a policy that employees and contractors who hold security clearances and repeatedly fail anti-phishing tests would lose those security clearances, according to the publication Defense One.


"There are no repercussions to bad behavior," Beckman said. "There's no punitive damage, so to speak. There's really nothing to incentivize these people to be aware, to be diligent."

DHS sends faux phishing emails to employees to test them. Those who open attachments contained in the messages receive online security training. Still, some employees who have taken the training continue to fail the phishing test, Beckman said.
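The programme described above has three measurable pieces: who opened the attachment in each simulated campaign, who was then assigned training, and who keeps failing after that training. The script below is an added example, not DHS tooling or anything from the article; the campaign records are constructed sample data, and the "opened attachment" field, the training flag and the two-failure threshold are assumptions chosen to illustrate the point, not DHS policy. It separates the per-person record Beckman talks about from the per-campaign failure rate, which is the number an awareness programme is usually judged on.

```python
"""Track repeat failures in a phishing-simulation programme.

Added example, not DHS code. All records below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class SimResult:
    user: str
    campaign: str
    sent: date
    opened_attachment: bool  # the failure condition the article describes
    trained_after: bool      # training assigned after this campaign (assumption)


# Constructed sample data: three quarterly campaigns, four recipients.
RESULTS = [
    SimResult("alice", "q1", date(2015, 2, 3), True, True),
    SimResult("alice", "q2", date(2015, 5, 4), True, True),
    SimResult("alice", "q3", date(2015, 8, 5), True, True),
    SimResult("bob",   "q1", date(2015, 2, 3), True, True),
    SimResult("bob",   "q2", date(2015, 5, 4), False, False),
    SimResult("bob",   "q3", date(2015, 8, 5), False, False),
    SimResult("carol", "q1", date(2015, 2, 3), False, False),
    SimResult("carol", "q2", date(2015, 5, 4), False, False),
    SimResult("carol", "q3", date(2015, 8, 5), True, True),
    SimResult("dave",  "q1", date(2015, 2, 3), False, False),
    SimResult("dave",  "q2", date(2015, 5, 4), True, True),
    SimResult("dave",  "q3", date(2015, 8, 5), True, True),
]


def failures_by_user(results):
    """Return {user: [campaigns failed, in date order]}."""
    by_user = defaultdict(list)
    for r in sorted(results, key=lambda r: r.sent):
        if r.opened_attachment:
            by_user[r.user].append(r.campaign)
    return dict(by_user)


def failures_after_training(results):
    """Count, per user, failures that occurred after that user had already
    completed training from an earlier campaign. This is the population the
    article singles out: trained, yet still failing."""
    trained = set()
    counts = defaultdict(int)
    for r in sorted(results, key=lambda r: r.sent):
        if r.opened_attachment and r.user in trained:
            counts[r.user] += 1
        if r.trained_after:
            trained.add(r.user)
    return dict(counts)


def repeat_offenders(results, threshold=2):
    """Users with at least `threshold` post-training failures (threshold is an
    assumed value for the example, not a DHS policy figure)."""
    return sorted(u for u, n in failures_after_training(results).items()
                  if n >= threshold)


def campaign_failure_rate(results):
    """Per-campaign fraction of recipients who opened the attachment: the
    programme-level metric, independent of any individual's record."""
    sent = defaultdict(int)
    failed = defaultdict(int)
    for r in results:
        sent[r.campaign] += 1
        failed[r.campaign] += int(r.opened_attachment)
    return {c: failed[c] / sent[c] for c in sent}


if __name__ == "__main__":
    print("failures by user:", failures_by_user(RESULTS))
    print("post-training failures:", failures_after_training(RESULTS))
    print("repeat offenders:", repeat_offenders(RESULTS))
    print("campaign failure rates:", campaign_failure_rate(RESULTS))
```

In the sample data only one person keeps failing after two rounds of training, while the campaign-level failure rate actually rises in the third round, which is the kind of result that points at the lure design or the programme rather than at any one recipient. Counting only post-training failures matters: a first click before any training says nothing about whether training works, so it should not feed an individual consequence.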

Beckman indicated he wants to discuss with DHS's chief security officer - who's responsible for overall personnel security - the idea of potentially incorporating employees' susceptibility to phishing in broader evaluations of their fitness to handle sensitive information.

Demonstrating Responsibility

"Someone who fails every single phishing campaign in the world should not be holding a TS SCI (top-secret security clearance) with the federal government," he said. "You have clearly demonstrated that you are not responsible enough to responsibly handle that information."

Beckman's idea comes in the wake of the breach earlier this year of Office of Personnel Management computers, which supposedly exploited a phishing attack to pilfer credentials used to gain access to highly sensitive personal information of more than 21 million individuals, many with security clearances.

Still, Beckman's thinking isn't universally accepted. Robert Bigman, the former longtime CISO at the CIA, characterizes as "ridiculous" the idea of stripping employees who fail phishing tests of their security clearances.

Bigman says many phishing attacks are created in a way that they can easily fool many employees. "If you mishandle classified information on purpose, that's grounds for firing someone," he says. "But if someone makes a mistake like that, I mean, come on."

Small Aspect of Overall Security

Besides, Bigman contends, phishing attacks aren't a major threat to the exposure of the government's top secrets, though the mischief could reveal unclassified but sensitive information. "It's such a small aspect of the overall [security] problem," he says.

Revoking security clearances of an employee with critical knowledge and skills could endanger national security, even if he or she continuously flunks phishing tests. That consequence could prove greater than the damage caused by clicking on an attachment in a phishing email.

But Beckman should be credited with raising the idea of individual responsibility in preventing vulnerabilities, and for starting the discussion on how to handle those who don't take cyber hygiene seriously. It's a conversation worth having. What are your thoughts?

About the Author

Eric Chabrow


Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
