Bloomberg reported on data security studies conducted by the U.S. Department of Homeland Security (DHS).   The article discussed how easy it is to mislead people into taking actions that compromise systems.   The Bloomberg article was widely quoted about the finding that 60% of employees who found a thumbdrive in the parking lot plugged it into their computers.  Bloomberg reported the figure was 90% if the thumbdrive was stamped with a government logo.

DHS has now refuted the story.  DHS reports that the research was not conducted by DHS. DHS said that the actual rate at which employees plugged in the thumbdrives was only 20%,  not 60%.  DHS also reported on two other methods to fool employees into compromising systems — spear phishing and IT Support Imposters.  Finally, DHS reported on the effectiveness of training to combat these schemes.  These are the results of training:

Fooled Before            Fooled After
Training                        Training

Found Thumbdrive                 20%                               2%
Spear phishing                      22%                              21%
IT Imposter                           40%                              43%

Iconix does not find these results surprising.   Training people not to use something they find in the parking  is pretty straightforward.   Training people to avoid suspicious emails is essentially impossible because, as Lt. Col.  Gregory Conti,  IT professor at West Point observed in the New York Times,

“What’s ‘wrong’ with these e-mails is very, very subtle,” he said, adding: “They’ll come in error-free, often using the appropriate jargon or acronyms for a given office or organization.”

This is where SP Guard from Iconix comes into play.

SP Guard modifies the email client’s display to provide a visual indicator of the identity of the sender of email. This is an example from Outlook, the popular business email client, in which a company called “MyCo” is marking their internal messages as well as those from trusted partners such as their law firm.  Note especially the last message, though seemingly benign, is a spear-phishing message and is not marked as authentic:

SP Guard Inbox

SP Guard provides the email recipient with three easy to recognize confirmations that a message is really an internal email or from a trusted counterpart:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP Guard is available now from Iconix.

To learn more, visit us at http://www.iconix.com/business/spearphishing.php.