Information security awareness training is a formal process for educating employees about corporate information technology policies and procedures. Implementing information technology training helps reduce security threat risks. The U.S. Postal Service’s security awareness training program consists of specified topics such as password protection, transmission of sensitive information, and phishing.
Phishing is a security threat used to deceive an email recipient by posing as a legitimate entity. About 156 million phishing emails are sent globally every day. In 2014, phishing email attacks caused about 18 percent of cyber intrusions.
With one of the largest corporate email systems, the Postal Service handles more than 3.5 million emails a day delivered to more than 200,000 email accounts. In November 2014, the Postal Service announced a significant cyber intrusion that appeared to be caused by a phishing email attack. Providing security awareness training that emphasizes security threats, combined with testing employees’ understanding, are key to avoiding or minimizing the impact of phishing emails.
Our objective was to evaluate the effectiveness of the Postal Service’s information security awareness training related to phishing and to determine how employees respond to phishing emails.
What the OIG Found
When we began our review, the Postal Service’s information security awareness training related to phishing was not effective because it did not completely explain how to identify and report phishing emails. However, during our audit, management added instructions for identifying and reporting phishing emails. Therefore, we are not making a recommendation in this area.
In addition, current policy does not require all employees with network access to complete the annual information security awareness training. Although this training is available to all employees with network access, only Chief Information Office employees and new hires are required by policy to complete the annual training.
We performed a limited phishing assessment by sending emails containing false links to 3,125 Postal Service employees. Of the 3,125 employees who received the phishing email, 2,916 (93 percent) did not report the email as required by policy.
The results of our test identified 789 of the 3,125 employees (25 percent) clicked on the link in the phishing email. Of these 789 employees, we determined 710 (90 percent) did not report that they clicked on a phishing email to the Postal Service’s Computer Incident Response Team as required by policy.
Of 3,125 employees in our sample, 2,986 (96 percent) did not complete the annual information security awareness training, based on training records for FY 2014. In addition, 750 of 789 employees in our sample who clicked on the link in the phishing email (95 percent) did not complete the training.
When management does not require all employees with network access to take annual information security awareness training, users are less likely to appropriately respond to threats. A recent study revealed that user awareness training effectively changes behavior and reduces security-related risks by up to 70 percent.
What the OIG Recommended
We recommended the Postal Service modify policy to require all employees with network access to take annual information security awareness training.