This sounds like a good gig if you can get it. Go on vacation to a Caribbean island, and then punk your employees back home with a fake email about the income tax returns many of them are no doubt stressing over.
That’s what Northrop Grumman’s Michael Papay did a few weeks ago to his company’s 68,000 employees.
The email was no joke. Papay is Northrop’s vice president for information security, and he wanted to remind employees that security starts with them.
Judging by the buzz among Northrop employees, it worked.
Papay revealed the fake spearphishing attack April 3 during a cybersecurity workshop held by the National Institute of Standards and Technology. The email’s subject line told employees that their 2012 tax returns needed to be adjusted. Tests like that are something the company does from time to time.
“It’s everybody’s job to consider the risk to the company when they click on that link, when they open that email,” Papay said.
Employees who reported the email to Papay’s Cybersecurity Operations Center got a “nice thank you email from me that says, ‘Hey, good job – way to pay attention,’” he said. Those who fell for the trap got “remedial training,” he said.