Federal Manager's Daily Report

In a test whose results might be equally applicable to other agencies, the Postal Service IG found that despite cybersecurity warnings and training, many employees still would fall prey to phishing emails.

Such emails are designed to appear to come from a legitimate entity but in reality are a means to infect systems, steal passwords and gain other personal information, a report notes, adding that the Postal Service—despite its primary purpose as a handler of physical communications—handles more than 3.5 million emails a day, delivered to more than 200,000 accounts.

The IG tested security practices by sending emails containing false links to 3,125 employees, 93 percent of whom did not report receiving the email as required by policy. Twenty-five percent clicked on the link, and of those, 90 percent did not report that they had done so, which policy also requires.

The report recommended that the Postal Service modify policy to require all employees with network access to take annual information security awareness training. Management said it would pursue that goal with an aim of implementation in March 2016.

However, management noted that since the IG’s test, it has beefed up security awareness training and has run two sample tests of its own that showed click-through rates of 18 and then 11 percent, a sign of improvement.