1 in 3 Michigan workers tested opened fake 'phishing' email

March 16, 2018 by David Eggert
Credit: CC0 Public Domain

Michigan auditors who conducted a fake "phishing" attack on 5,000 randomly selected state employees said Friday that nearly one-third opened the email, a quarter clicked on the link and almost one-fifth entered their user ID and password.

The covert operation was done as part of an audit that uncovered weaknesses in the state government's computer , including that not all workers are required to participate in cybersecurity awareness training. Phishing schemes—in which hackers try to deceive email recipients by posing as legitimate entities—can lead to identity theft and other problems.

Phishing was how Russian-linked players stole the emails of Hillary Clinton's presidential campaign chairman John Podesta.

Michigan's Office of the Auditor General made 14 findings in the audit, including five that are "material"—the most serious. They range from inadequate management of firewalls to insufficient processes to confirm if only authorized devices are connected to the network.

"Unauthorized devices may not meet the state's requirements, increasing the risk of compromise or infection of the network," the audit said.

The Department of Technology, Management and Budget agreed with many of the findings while partially concurring with some. It said the auditors' phishing email was reported to a "security tips" mailbox multiple times and there are other controls that may limit the effectiveness of such attacks.

The agency added that it is formalizing a standard that adopts industry best practices for secure configurations, estimating it will be done in April.

"The data held within the state government network is safe and secure due to the many layers of protection in our security ecosystem," said spokesman Caleb Buhs, who said the state has already begun implementing many of the auditors' recommendations. "This audit provides us with a good roadmap for prioritizing future technology infrastructure investments."

The audit, which covered a three-year period between 2014 and 2017, said the state did not fully establish and implement an effective process for managing updates to network devices' operating systems. Ten high- or medium-severity vulnerabilities were identified.

Overall, Auditor General Doug Ringler deemed state's efforts to design, administer and monitor a secure IT network as "moderately sufficient."

A Democratic critic of Gov. Rick Snyder's administration, Senate Minority Leader Jim Ananich of Flint, said "there is just no excuse for why Michigan's top officials have failed to protect our state from hackers."

Explore further: When fee-pressured audit offices focus on non-audit services, financial statements suffer

More information: Audit: bit.ly/2IwhmAe

Related Stories

Audit: Air traffic systems vulnerable to attack

May 6, 2009

(AP) -- The nation's air traffic control systems are vulnerable to cyber attacks, and support systems have been breached in recent months allowing hackers access to personnel records and network servers, according to a new ...

To fend off hackers, local governments get help from states

December 12, 2017

The city of Mill Creek, Wash., has only 55 full-time employees and just one of them—James Busch—is responsible for handling information technology and cybersecurity. He worries about the growing sophistication of hackers ...

Recommended for you

Team breaks world record for fast, accurate AI training

November 7, 2018

Researchers at Hong Kong Baptist University (HKBU) have partnered with a team from Tencent Machine Learning to create a new technique for training artificial intelligence (AI) machines faster than ever before while maintaining ...


Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.