Firms launch phishing trips

Fake e-mails help boost security

James MacDougall, head of computer security for state agencies in South Carolina, has been phishing state employees.

Andre Gould, who has a similar post at Continental Airlines, will do the same to employees at his company this summer.

It shows the lengths companies will go to in order to keep their computer systems free of hackers, bugs and viruses. Phishing involves sending an e-mail that looks like it’s from a trustworthy group but asks for information that could lead to a security breach.

Employees may be outraged that their bosses are trying to dupe them. But Gould and MacDougall say that employees will be retrained for the information age, not fired, and that it’s for everyone’s security.

“We want to understand what that employee, that liability, represents to the overall company and the IT risk as a whole,” Gould said.

At a company like Continental, security is a priority. Just about four years ago, anyone could see that the computers at airport terminals stayed on all day, Gould said. Employees “tended to share and leave our passwords to get access into boarding,” he said. He worried anyone could pose as a gate agent, letting unauthorized people board a plane.

Taking the bait

Even though many of us have been told of the dangers of computer security breaches, many people still invite trouble. In the past two phishing expeditions run by MacDougall’s department, 30 of 100 e-mail recipients took the bait within the first 20 minutes.

“We see who is clicking on things that they don’t know where the e-mail came from. Or if they will try to download programs for whatever reason,” MacDougall said. “They know better than that, but what we found is a large percentage of people are like cats. Curiosity killed the cat.”

Phishing taught him to be more aggressive in educating employees on what is proper, improper and downright dangerous. He didn’t tell on the employees who responded to the e-mails with sensitive information, but he did demonstrate to workers what happened.

“You can spend all the money on the technology you want,” MacDougall said. “But if the end users are doing dangerous behavior, there is almost no cure for that.”

MacDougall said he has had no complaints from employees who feel their privacy has been violated, but some are surprised that their organization is actually phishing them.

Taking precautions

But most companies are doing something, according to a 2005 survey by the ePolicy Institute and the American Management Association. For example:

• 76 percent of organizations monitor employee Web site connections.

• 65 percent use software to block connections.

• 36 percent of employers use technology to track content and/or keystrokes.

• 55 percent retain and review e-mail.

“Employers are increasingly taking monitoring and surveillance seriously, primarily because of legitimate legal liabilities,” said Nancy Flynn, executive director of the institute.

As of 2006, courts had subpoenaed employee e-mail at 24 percent of companies, and 15 percent of employers had gone to court to battle lawsuits triggered by inappropriate e-mail use, according to a survey by the ePolicy Institute and the AMA. The same survey found that 26 percent of bosses had fired employees for e-mail misuse.

So it stands to reason that a company phishing its own employees may not be the strangest idea out there. However, studies show that a number of workers still think tactics like these are trampling on their rights.

In a new survey by Littler Mendelson and the Ponemon Institute, 38 percent of workers said they thought their privacy would be violated if their employer viewed their e-mail and Internet access over the corporate intranet.

Flynn thinks the number of employees upset about privacy might decrease if they are better educated about e-mail and Internet policy.