Ugh, don't remind me. It isn't just PR and marketroid people.
Once upon a time, at a big corporate firm I worked at, we had the "report this email as phishing" button, which we were to use if a suspicious email showed up.
Anyway, one day, I started getting emails from the "IT Security department", asking me to click on a link with their updated security policy on it.
- The email headers did not match the domain in the "to" field, nor did it match the name of the sender.
- The email headers showed not the company domain, but some generic-sounding one I had never heard of, and the company search engine did not return any results for the domain.
- The email was generically written, not even my name in it
- The URL that I was to click on was on yet another third-party domain, which was a completely unintelligible alphabet soup of a domain, with long strings of what looked like random characters, ending in ".doc".
Knowing about doc macros, exploits, etc., there was no way I was going to click on the link while on the corporate Windows box, and the entire thing smelled like a phishing email (and who better to impersonate than the IT security staff? A lot of people would listen to them just because they are the "IT security" people).
So I promptly clicked the "report phishing" button, and was on my way. I did this repeatedly over the course of two weeks, until my manager called me into his office.
Apparently the head of the IT security team was livid with rage because their important IT security policy was being flagged as a phishing email (apparently if someone flags an email as "phishing", all the other people get a "this might be a phishing email" header on the email, so they don't click on it, because it can be grounds for termination if you knowingly infect the company).
Apparently the random letters are a tracking ID for my account, so they know that (a) I am the one reporting the email, and (b) I haven't read the document yet.
All my points about how it looks like a phishing email were accepted by my manager, then immediately overruled.
I was told that the email is safe, and that I should stop reporting it as phishing, and more to the point that I should click on the link to view the policy.
So I did what I was told, and the first page of the IT policy was about the risks of phishing emails, and what to look out for (which was almost the exact same criteria I reported the email for), without a hint of blasted irony from the "IT security" team.
So now, I have to assume that no matter how dodgy an email (or its attachments) looks, I have to trust it if it says "IT security team" on it. Talk about blowing a gaping hole in a company's security policy. Seeing as all the emails I have since received from the security team still look like phishing emails, I can see my complaints fell on deaf ears, and there were no repercussions for them.
My point is, we have a long, long way to go before "best practices" can be considered in security. Companies still don't get it, if even their security teams are not able to make an email seem legitimate. Instead you get in trouble for "showing up" the security team.
I feel that they are only doing this "IT policy" and phishing email training to "tick a box" on their cybersecurity checklist. They don't actually care about security or preventing phishing. It is a "cover your ass" ploy from legal, nothing more.
As long as attitudes like that are prevalent in companies, nothing will get better, and it may well get worse. You can't expect the PR and marketroids to be any better when the culture they work in encourages such behavior.
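The four indicators the poster lists (envelope/From domain mismatch, an unfamiliar sender domain, a generic greeting, and a link on an unrelated domain whose path is a random token ending in ".doc") are exactly what a mail-gateway or user-side triage heuristic checks for. As an added example, not code from the original post or from any company mentioned in it, here is a small Python checker that runs those heuristics over a constructed message. The company domain `example-corp.test`, the sample message and every domain in it are assumptions for the illustration; the random-token and extension thresholds are arbitrary choices.

```python
"""Heuristic phishing-indicator checker (added example, not from the original post).

Flags the indicators described in the post:
  1. Return-Path (envelope sender) domain differs from the From domain.
  2. From domain is not the company's own domain.
  3. Body opens with a generic greeting instead of the recipient's name.
  4. Links point at a third-party domain, and/or the last path segment is a
     long random-looking token ending in a macro-capable Office extension.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed company domain for the illustration (hypothetical).
COMPANY_DOMAIN = "example-corp.test"

# Constructed sample message; every domain here is fictitious.
SAMPLE_EMAIL = """\
Return-Path: <bounce-7781@mailer-svc.test>
From: "IT Security Department" <itsecurity@corp-notices.test>
To: employee@example-corp.test
Subject: Updated IT Security Policy - action required
Content-Type: text/plain

Dear employee,

Please review the updated IT security policy at the link below.

https://a9f3kq1x.tracker-cdn.test/d/x7Qm2zL8kP9vR4tW3nB6cH1jD5fG0sA2.doc

IT Security Department
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
GENERIC_GREETING_RE = re.compile(
    r"^(dear|hello|hi)\s+(employee|user|customer|colleague|sir|madam|team|all)\b",
    re.IGNORECASE,
)
# Extensions that can carry macros; ".doc" is the one the post mentions.
MACRO_DOC_EXTS = {"doc", "docm", "dot", "dotm", "xls", "xlsm", "ppt", "pptm"}


def domain_of(header_value: str) -> str:
    """Lowercase domain part of an address header, or '' if there is none."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def url_host(url: str) -> str:
    """Host portion of an http(s) URL, lowercased."""
    return re.sub(r"^https?://", "", url).split("/", 1)[0].lower()


def in_company(host: str, company_domain: str) -> bool:
    """True if host is the company domain or a subdomain of it."""
    return host == company_domain or host.endswith("." + company_domain)


def looks_random(token: str, min_len: int = 20) -> bool:
    """Long alphanumeric run mixing letters and digits, e.g. a tracking ID."""
    return (len(token) >= min_len and token.isalnum()
            and any(c.isdigit() for c in token) and any(c.isalpha() for c in token))


def phishing_indicators(raw: str, company_domain: str = COMPANY_DOMAIN) -> list:
    """Return a list of human-readable findings for a raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []

    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    if rp_dom and from_dom and rp_dom != from_dom:
        findings.append(f"envelope sender domain {rp_dom} does not match From domain {from_dom}")
    if from_dom and not in_company(from_dom, company_domain):
        findings.append(f"From domain {from_dom} is not the company domain {company_domain}")

    # Only single-part text bodies are handled in this illustration.
    body = msg.get_payload() if not msg.is_multipart() else ""
    first_line = next((ln.strip() for ln in body.splitlines() if ln.strip()), "")
    if GENERIC_GREETING_RE.match(first_line):
        findings.append(f"generic greeting, recipient not named: {first_line!r}")

    for url in URL_RE.findall(body):
        host = url_host(url)
        if not in_company(host, company_domain):
            findings.append(f"link points at third-party domain {host}")
        last_segment = url.rstrip("/").rsplit("/", 1)[-1]
        name, _, ext = last_segment.rpartition(".")
        if ext.lower() in MACRO_DOC_EXTS and looks_random(name):
            findings.append(f"link ends in .{ext} with a random-looking token: {name}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("-", finding)
```

On the constructed sample every one of the post's indicators fires, which is the point: a legitimate internal notice that trips all of them is indistinguishable from a phish by any mechanical check, and training users to ignore such findings for mail that claims to come from "IT security" undoes whatever the awareness training taught.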