In early June, the Defense Counterintelligence and Security Agency (DCSA) published an urgent warning about a sophisticated phishing attempt aimed at cleared federal employees and contractors. We reported it here at ClearanceJobs, where we strive to bring readers the latest in security clearance news.
Coincidentally, the same day that DCSA issued their warning, The Wall Street Journal published an unrelated article titled “Why Companies Shouldn’t Try to Catch Employees With Fake Phishing Emails.” The article caught my eye for two reasons. First, I was surprised to learn this is happening and initially skeptical that it was a widespread tactic. However, a quick Google search returned reams of hits about the practice, suggesting that it is very much “a thing.”
Second, the article’s premise – that these gotcha tactics create stress and distrust among employees while doing little to improve organizational defenses – rang true based on my experience with employer-employee relations over a decade as a practicing attorney in the cleared space. The enlightened commenters on Reddit certainly had strong feelings about it, including one who shared how his employer sent out a fake bonus award email. Yikes.
The more I started thinking about the phishing email epidemic, the more the DCSA warning and the Wall Street Journal article seemed like two sides of the same coin. Cybersecurity is a massive vulnerability for organizations of all stripes, not the least of which are government agencies and contractors. But with all the resources thrown at the problem, a breach too often still boils down to one employee doing something absentminded or stupid. How do employers mitigate the human factor while not sowing employee animosity?
That’s a difficult conundrum, and the appropriate solutions may depend in part on internal culture, demographics (e.g., average employee age and tech-savviness), and an assessment of organization-specific vulnerabilities. Regardless of the solutions, anecdotal evidence, experience, and common sense all dictate that employers would be wise to take a thoughtful, collaborative approach to the problem that treats employees like people.
For cleared federal employees and contractors, there is an equally important lesson to draw from this: employers are watching carefully and upping the ante to root out perceived internal vulnerabilities – all while external vulnerabilities like real phishing emails are also on the rise.
As we’ve reported here previously in other contexts, mistakes that used to result in human resources actions like written warnings or suspensions are now often viewed as raising broader questions about the employee’s judgment and reliability – and with that, the wisdom of allowing them to retain a security clearance. This can be the equivalent of career capital punishment when one’s future employment prospects depend on the clearance. True, a single inadvertent bite on a phishing email is unlikely to warrant that outcome, but one mistake coupled with a pattern of sloppy or reckless cybersecurity practices may be another story. And these days, it doesn’t take much for an employer to make that case.
So be careful out there. Contact email senders directly to confirm legitimacy of questionable emails before opening attachments or clicking on links. Avoid sharing personal information on social media that can be used to engineer targeted phishing attempts. And remember that it is a lot easier to justify a cyber mistake made in the course of business than one made in the course of personal pursuits like web-surfing, personal emails, or viewing pornography on the employer’s technology or dime.
This article is intended as general information only and should not be construed as legal advice. Although the information is believed to be accurate as of the publication date, no guarantee or warranty is offered or implied. Laws and government policies are subject to change, and the information provided herein may not provide a complete or current analysis of the topic or other pertinent considerations. Consult an attorney regarding your specific situation.