Domain registrar and web hosting company GoDaddy recently raised eyebrows and the collective ire of Reddit over an email phishing test they conducted on their employees. The company sent an email to employees promising a cash bonus, in the spirit of Christmas, and to ease the economic burdens they face due to the Covid-19 pandemic. The email included a link to a registration form that collected employee information under the guise of confirming employee status and “ensuring everyone gets the bonus”. Employees who completed of the form didn’t receive a cash bonus but a notice of required security refresher training.

News of the test sent the technology reporter pool into a tissy and brought the collective ire of self-righteous Internet forum warriors. Some of the criticism was pointed and legitimate. Poor topic? Yes. Poor timing? Yes. Entrapment? Maybe. GoDaddy should have recognized the sensitive content and poor timing of its delivery. The betrayal felt by employees is understandable.

Ok, but you still clicked the link. You could have compromised the entire network and therefore the integrity of the company! GoDaddy played dirty pool but so do the bad guys. Do you think a Russian crime group dedicated to compromising the computer network of your company ever has moments of self-reflection where they say “Wow, this is just going too far. We need to let this pass”. Do you think they have an open-door policy or a corporate ethics officer? Hell no they don’t. They are criminals. Betraying your emotions and stealing your candy is their job and they will stop and absolutely nothing to ensure success.

Those involved in the debate fall into two camps….security and non-security.

For those of us old enough to remember, the classic comedy show Monty Python's Flying Circus had a series of skits parodying the Spanish Inquisition. The catchphrase “No one expects the Spanish Inquisition” was declared to explain the surprise when the trio of inquisitors suddenly appeared. I always think of this exclamation when I read about a company being pawned by a malicious employee. No one expects the insider!

But the larger question is “why not?”. Why is everyone still so shocked when a business is exploited through the effort of a bad employee? At some point it must be expected; you are going to be attacked from the inside. And shame on you if you fail to take (any) proactive steps to prevent it.

The most recent sensational insider threat story comes from the digital game provider Roblox. Allegedly, an employee was paid to provide access to Roblox records, including the backend customer service panel and player accounts. Joseph Cox has written a full expose for Motherboard (Vice).