The recent incident at the University of California Santa Cruz (UCSC) involving a misguided phishing test that caused panic among students and staff has raised concerns about the effectiveness and appropriateness of such cybersecurity training programs.
Phishing tests are a common practice in many organizations, designed to educate employees about the risks of divulging sensitive information or clicking on harmful links. Typically, these tests simulate scenarios like urgent messages from the CEO directing recipients to external links or documents. If an employee falls for the phishing attempt, they are informed that they failed the test and provided with additional training on how to identify and report such threats.
However, the phishing test at UCSC took a drastic turn when recipients received an email with the subject line “Emergency Notification: Ebola Virus Case on Campus.” The email claimed that a staff member who had recently traveled to Africa had tested positive for the Ebola virus, causing panic and outrage among the university community. The email, which came from a non-university email address and directed recipients to a phishing training site, was later revealed to be a simulation gone wrong.
Assistant sociology professor Alicia Riley criticized the university’s choice of using a false Ebola claim for the phishing test, calling it irresponsible and in poor taste. The test not only caused unnecessary panic but also inadvertently perpetuated harmful information about South Africa. UCSC’s Chief Information Security Officer, Brian Hall, apologized for the oversight and acknowledged the test’s inappropriate nature.
While phishing tests are intended to educate employees about cybersecurity threats, the use of sensitive and potentially triggering topics like Ebola raises questions about the effectiveness and ethical considerations of such exercises. A phishing test should aim to teach recipients about the value of information and the importance of verifying links and addresses before taking action. Creating a sense of urgency is important, but instilling fear and panic in recipients serves no useful purpose and can have detrimental effects on trust and communication within the organization.
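The two cues the article singles out, a sender address outside the university's domain and a link to an external site, are exactly the checks a recipient (or a mail filter) can apply before acting. The following is an added example written for this page, not code from UCSC or the article; it assumes a placeholder organisation domain of `example.edu` and runs over two constructed sample messages modelled on the description above rather than on the real email.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed organisation domain for this example; the real UCSC mail domains
# are not given on the page.
ORG_DOMAIN = "example.edu"

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def sender_domain(msg):
    """Return the lowercased domain of the From: header, or '' if absent."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def body_text(msg):
    """Concatenate every text/* part of the message (plain or html)."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True)
            if payload:
                charset = part.get_content_charset() or "utf-8"
                parts.append(payload.decode(charset, "replace"))
    return "\n".join(parts)


def extract_link_hosts(text):
    """Hostnames of every http(s) URL found in the text, lowercased."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def is_org_host(host, org_domain=ORG_DOMAIN):
    """True if host is the organisation domain or a subdomain of it."""
    return host == org_domain or host.endswith("." + org_domain)


def check_message(raw, org_domain=ORG_DOMAIN):
    """Return human-readable findings; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    findings = []

    sdom = sender_domain(msg)
    if not sdom:
        findings.append("no parseable sender address")
    elif not is_org_host(sdom, org_domain):
        findings.append(f"sender domain {sdom!r} is outside {org_domain!r}")

    for host in extract_link_hosts(body_text(msg)):
        if not is_org_host(host, org_domain):
            findings.append(f"link points to external host {host!r}")

    # Urgency on its own is normal; urgency combined with external
    # sender or links is the pattern the article describes.
    subject = (msg.get("Subject") or "").lower()
    if any(w in subject for w in ("emergency", "urgent", "immediately")) and findings:
        findings.append("urgent subject line combined with external sender or links")
    return findings


# Constructed samples (not the real UCSC email)
SAMPLE_SUSPICIOUS = """\
From: "Campus Alerts" <alerts@campus-notices-example.net>
To: staff@example.edu
Subject: Emergency Notification: Incident on Campus
Content-Type: text/plain; charset="utf-8"

Please review the notice at http://training-portal-example.net/notice immediately.
"""

SAMPLE_INTERNAL = """\
From: "IT Services" <it@example.edu>
To: staff@example.edu
Subject: Monthly newsletter
Content-Type: text/plain; charset="utf-8"

Read this month's tips at https://security.example.edu/tips
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_SUSPICIOUS), ("internal", SAMPLE_INTERNAL)):
        print(label, check_message(raw) or ["no indicators"])
```

The checks are deliberately simple: they do not replace SPF/DKIM/DMARC validation at the mail gateway, but they are the ones a training exercise should leave recipients able to perform by eye, which is the point the paragraph above makes.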
Moving forward, organizations implementing cybersecurity training programs should consider the impact of their phishing tests and ensure that they are designed with a strategic organizational goal in mind, such as protecting data and credentials. Education and awareness are crucial in building a strong cyber defense, but they must be delivered responsibly and ethically to avoid unintended consequences. The incident at UCSC serves as a cautionary tale about the importance of thoughtful planning and consideration when conducting phishing tests and other cybersecurity training activities.