TO: Richard Spires, CIO, Internal Revenue Service FROM: John Soat SUBJECT: Social EngineeringDear Richard:

I know you were just recently promoted to Deputy Commissioner for Operations Support for the IRS, effective next month (congrats, BTW). But I wanted to bring to your attention a report issued last month by the Treasury Department concerning a potential security problem, which, with all the hubbub over your new position, you might have missed. I have some context to bring to bear on that report, based on research data my organization recently generated, that you -- or your replacement -- might find illuminating.

The report is entitled "Employees Continue To Be Susceptible To Social Engineering Attempts That Could Be Used By Hackers." The report details a security test, conducted by the Treasury Department's Inspector General For Tax Administration, which involved 102 IRS employees who were contacted by phone by persons identifying themselves as computer help desk representatives. In order to help resolve a computer problem, each IRS employee was asked his or her name and then asked to change his or her computer password to one recommended by the caller.

Guess how many complied? Sixty percent. And that's not all. Only eight out of the 102 employees contacted a manager to report the call or check to see if it was legit.

Don't feel bad -- you're in the same boat as a lot of U.S. companies. According to InformationWeek Research's 10th annual Global Information Security Survey, a research study conducted earlier this year with more than 3,000 IT and security professionals, a third of U.S. respondents say enforcing security policies is the biggest security challenge they face this year, and 28% cite the need to make users more aware of security concerns.

According to the Inspector General's report, the IRS has nearly 100,000 employees and contractors who have access to tax return information processed on approximately 240 computer systems that contain over 1,500 databases. That's a lot of people -- and data -- to keep track of.

Unfortunately, when it comes to trying to keep employees on their toes, security-wise, it's not a pretty picture. Of 804 respondents who admitted they'd had security breaches in the past year, 21% say they were caused by social engineering -- the type of mind games and verbal razzamatazz that fooled your employees. And there doesn't seem to be a lot that can be done about it. Less than 20% of survey respondents feel that increased training on security technology and procedures will have a significant impact in reducing employee-based security breaches.

That may be something of a self-fulfilling prophecy. Only 40% of our survey takers report having any sort of regular security training (monthly, quarterly, annually) for their employees, while most train them on an ad hoc basis, and 13% never do.

However, the ones who do drill their employees on security issues feel they should get their money's worth: Two-fifths agree that employees should be fined in some way for making mistakes after they've received training.

But I guess that's not an option for you, right? Unless I want to pay more taxes, that is. So, let's think about that for a little while. My tax forms aren't all that interesting anyway.