[acdha]

Alternatively, GoDaddy has failed to secure their work environment and are blaming the workers instead.

Think about why we care about phishing: it’s mostly about people giving credentials to an attacker. Drop $20/person on some FIDO tokens and the risk factor drops considerably. Repeat for the risk of malware - if someone in accounting can run arbitrary software, they aren’t the root cause.

[kenjackson]

It’s defense in depth. Just because you have one line of defense doesn’t mean you shouldn’t have another. The way defense in depth typically works is assuming the previous lines of defense have been thwarted. Even if you can’t foresee that happening, assume it did.

And it sounds like these employees were trained on this.

The thing I don’t like is the XMas bonus aspect. But the general idea doesn’t seem unreasonable.

[acdha]

How much depth is it really adding, though? Harassing non-specialists seems to have relatively limited value – plenty of security staff get phished – and there is a risk of making people think of the security group as adversaries.

I would certainly agree that the exercise could have some value but I think it would be wise to weigh that against the costs and especially to think about how you can make it supportive rather than punitive. In particular, most people are not only not given good tools for making untrained security decisions and many of them will be told to violate that advice regularly. For example, what percentage of vendors, outsourced HR, etc. will tell people to open unexpected attachments or click on links which are difficult to distinguish from phishing? SolarWinds was far from the only company training their customers to ignore security errors on installers, too.

[at-fates-hands]

> Alternatively, GoDaddy has failed to secure their work environment and are blaming the workers instead.

This.

I've worked at careless companies who don't deal with their security very well.

I now work at a large health care company who takes security incredibly serious. All the USB ports are disabled. Nobody has admin rights on their laptops. You can't install any software unless you download and install from their internal app store which only allows apps that have passed a rigorous gambit of testing beforehand. And you have to put in a request for the software in the first place. It took me three months to get Photoshop approved because I was designated as a developer and not a web designer. It went through three escalations and took several debates between senior managers who finally approved my request.

We don't have "phishing tests". If something pops up on the security team's radar, then they push it out as an email alert company wide. That's about it. Maybe if GoDaddy put as much effort into securing their network as they do putting together these stupid tests, they probably wouldn't need them to prove that yes, humans are fallible.

[btilly]

I'm sorry, but your 3 months to get Photoshop approved demonstrates why so many wouldn't want to work in such locked down environments.

And what was the cost to the company in having those debates between senior managers? Just to get a standard tool that they already approved onto a developer machine? Can you imagine the overhead that they are causing themselves?