All staff and students received the fake phishing email last week, urging them to change their passwords as soon as possible because of new guidelines. Many fell for it. '43 per cent of students and 43 per cent of employees opened the mail. Of the students, 25 per cent clicked on the link in the e-mail, among the employees this was 29 per cent,' says Wim Olijslager, project leader at LISA. According to him, the numbers are 'considerably more' than in similar campaigns last year. Back then, 25 per cent (students) and 19 per cent (employees) respectively clicked on links in the fake e-mails sent out by LISA.
'Worse than last year'
There was a lot of preparation in this mail, Olijslager continued. 'We also added several measurement steps - without storing any data, by the way. After you clicked on the link, you could change your password. From that, we could measure that 30 per cent of people actually entered fake data after all. So with them, awareness came a bit later in the process. At the end of the process, there was another screen with a teachable moment, explaining how to recognise a phishing e-mail. Last year, our attempts were a bit more obvious, with fake emails pretending to be a parcel delivery service, for example. Now we opted for a realistic set-up, with an e-mail entirely in the UT's house style.'
Regardless of whether UT staff find the simulation e-mails lame or annoying, they appear to be, and remain, necessary, adds security manager Peter Peters. 'In the previous phishing tests, we noticed that the number of people who fell for it was decreasing. But those e-mails were easier to recognise as a phishing attempt. With a phishing email that was really convincingly set up, it now appears that we are actually worse off than when we started this last year.'
'Could happen to anyone'
According to Peters, we need to be wary of victim blaming. 'Don't think you won't fall for it yourself. People are busy, often have something else on their minds. Scammers always try to take advantage of that. You will always have victims. I always quote an example from an organisation in the US. The security officer who himself sent the test e-mail every few months on Friday afternoon fell for it on Monday morning. It can happen to anyone.'
The LISA staff not only wanted to test how many people would fall for the phishing email, but also whether it was reported. 'The goal is always twofold: fewer victims and more people reporting it to CERT (LISA's Computer Emergency Response Team, ed.). A positive aspect of this action was that we received many reports from alert employees. This shows that awareness is growing. The more reports we get, the better we can take technical and non-technical measures,' Peters said.
Apart from the phishing campaign, LISA has had long-standing plans to make some form of cyber security training mandatory. Currently, the training offer on the so-called Security Education Platform is still voluntary. 'With the approval of the Executive Board, cyber security training will become mandatory for certain more vulnerable groups,' says Olijslager. 'Think, for example, of new employees or temporary staff, who are not yet familiar with the habits at the UT. But there are also specific risks for academic staff, for example.'
There may also be an annual mandatory training for all staff. 'In what form we will cast the training offer, we still have to decide in consultation,' says Olijslager. 'What we mainly want is for people to protect both themselves and the organisation. Data is the new gold - and it is worth more and more these days.'