Security's Everyman

Wednesday, December 20, 2006

Phishing for Users

Somehow I missed this on Monday, but thanks to my buddy Mike at TDI it hit my radar this morning. I agree completely with Mike in his assessment that this is part of security awareness. I can't say that I have done it, but I have given it serious thought. There are a couple of reasons why I haven't done it. First, I haven't had the spare time. Second, I pretty much know how the users will fare. Most of them will fail miserably. Many of them already share their passwords freely with one another. They leave their machines unattended while logged on. If I ask for a password they give it without reservation. I've often wondered if we shouldn't make everyone that worked with a user change their password when that user leaves. Chances are that he or she knows at least one other person's user name and password.

Security Awareness Training is an area that needs lots and lots of work. Most of it that I have seen and been through is focused on meeting regulatory compliance. It serves no real purpose and teaches nothing of value. At least not in a way that will be retained by the users. That is one reason that I'm hoping that once my company is completely on its own I will be given the go-ahead to do real security awareness training and employ a few "unconventional" methods to teach the lessons.

This work is licensed under a Creative Commons Attribution-NC-SA 3.0.