Phishing has long been the proverbial thorn in an organization’s side. It doesn’t have the glitz and glamor of many other headline-grabbing hacks, such as the latest zero-day or ransomware attack. It’s been around so long it has become old news, pushed aside and nearly forgotten in a world where security professionals, the media and enterprises alike are engaged in a constant battle of extinguishing cyber fires and worrying about the newest malware variant.

 

Government agencies, however, should be particularly concerned about phishing. They make great targets, since they often have considerable amounts of attractive personally identifiable information and, too often, poor cyber defenses.

 

From my experience as a penetration tester and social engineer, it appears that most agencies view phishing awareness training as a necessary evil that is conducted yearly at best with some computer-based exercises. It is almost always an afterthought — something agencies must do, rather than want to do. In most instances, the only time a phishing awareness campaign is run is during the annual compliance test for the  Federal Risk and Authorization Management Program, meaning employees may not have seen a phish since the last time an audit was performed.