Clearance of employees who repeatedly fall for phishing scams should be revoked: Experts

Published 22 September 2015

People are one vital component in the 3P security system (the others being process and product). Some of the people who handle sensitive government information also continue to fall for social engineering techniques like phishing. The question is: should the individuals who repeatedly fall for these scams have their security clearance revoked? Absolutely they should, maintains DHS chief information security officer (CISO) Paul Beckman.


Phishing is a technique in which an e-mail is designed to look like an official message from a department head or other trusted entity. The e-mail contains a link to a server outside the department; when the recipient clicks on the link and enters his username and password, the attacker gains complete access to that individual’s account.
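The two warning signs the article describes, a link that leads to a server outside the department and a sender who is not who the message claims to be, can be checked mechanically before a message reaches a user. The script below is an added example written for this page, not code from the article or from DHS; the trusted domain `dept.example.gov` and the two sample messages are constructed for illustration. It parses an e-mail, collects every link from the body, and reports links whose host is outside the department, links whose visible text shows a different host than the one they actually point to, and sender addresses from outside domains.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the department's own mail and web domains (constructed for this example).
TRUSTED_DOMAINS = {"dept.example.gov"}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def _in_trusted(host):
    """True if host is one of the department's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def analyze_message(raw):
    """Return a list of phishing indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Indicator 1: the sender's domain is not the department's.
    sender_host = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    if sender_host and not _in_trusted(sender_host):
        findings.append(f"sender domain outside department: {sender_host}")

    body = msg.get_body(preferencelist=("html", "plain"))
    if body is None:
        return findings
    content = body.get_content()
    if body.get_content_type() == "text/html":
        parser = _LinkExtractor()
        parser.feed(content)
        links = parser.links
    else:
        # Plain text: the URL is its own visible text.
        links = [(u, u) for u in re.findall(r"https?://\S+", content)]

    for href, text in links:
        target = _host(href)
        # Indicator 2: the link leads to a server outside the department.
        if not _in_trusted(target):
            findings.append(f"link to external host: {target}")
        # Indicator 3: the visible text names one host but the link goes elsewhere.
        shown = _host(text) if text.startswith("http") else ""
        if shown and shown != target:
            findings.append(f"link text shows {shown} but points to {target}")
    return findings


# Constructed sample: a lookalike sender domain and a disguised login link.
SAMPLE_PHISH = """\
From: Department Head <head@dept-example-gov.com>
To: analyst@dept.example.gov
Subject: Action required: password expiry
Content-Type: text/html

<html><body>
<p>Your credentials expire today. Sign in at
<a href="http://login.dept-example-gov.com/sso">https://sso.dept.example.gov</a></p>
</body></html>
"""

# Constructed sample: internal sender, internal link, no mismatch.
SAMPLE_LEGIT = """\
From: IT Service Desk <helpdesk@dept.example.gov>
To: analyst@dept.example.gov
Subject: Maintenance window
Content-Type: text/plain

Systems will be patched Saturday. Details: https://intranet.dept.example.gov/maint
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyze_message(sample))
```

Run on the two samples, the first message produces three findings (outside sender domain, external link host, and a link whose text names an internal host while pointing elsewhere) and the second produces none. A check like this belongs at the mail gateway, where it can flag or quarantine messages, and its output doubles as evidence for the compliance tests the article mentions.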

Beckman maintains that it is astonishing how often even senior managers and other high-ranking officials click on the link. If it were a true attack rather than a compliance test, such carelessness could result in serious damage, since it hands the attacker “ownership” of the account and, through it, the system.

Network World notes that continuing to tolerate such behavior by employees can easily lead to breaches like the one recently suffered by the Office of Personnel Management. Surprisingly, many federal agencies continue to run legacy systems consisting of older hardware, software, and operating systems. Such systems were built in a more innocent time, when network security was bolted on afterward rather than treated as a critical function at the design stage.

No one in the information technology sector is surprised that the agencies’ systems are riddled with vulnerabilities, giving an attacker a choice of flaws to exploit. The deeper problem is that security systems depend on people following procedure. Almost every support person is familiar with the term PEBKAC (Problem Exists Between Keyboard And Chair) and the less widely known, more cryptic ID10T, both of which describe problems created by the person behind the keyboard.