CCS deploys phishing simulation to help find security weak spots
Procurement agency invests in security tool
The Crown Commercial Service has invested in a phishing-simulation tool to help its security professionals identify areas for improvement.
Newly published commercial documents reveal that the government procurement agency has signed a deal with specialist firm MetaCompliance. The company will provide software intended to help its information security and assurance (ISA) function “to test security awareness” across the organisation and find “areas that need extra support”.
“The tool should allow the ISA team to craft realistic-looking emails that mimic real life phishing attempts, for example NHS Covid 19 emails, HMRC tax refunds and missed parcel collections,” the contract said. “The tool should have pre-crafted templates that the ISA team can use or tweak to quickly send simulations. The tool should allow ISA to customise target lists, for example people in finance get a different phishing email to those in HR.”
The document added that CCS’s security team will require “detailed reports showing who opened a simulation email, who clicked on the link, and if any credentials were entered – but not reveal the credentials entered”.
“The tool must allow the ISA team to craft ‘from addresses’ to look like legitimate senders and domains… [and] must allow for custom pages to be displayed when a link is clicked,” it said.
Specialising in cyber awareness, MetaCompliance’s MetaPhish product is designed to support security teams in “embedding automated phishing tests into… training programmes, [to] prepare employees to recognise, remediate and report phishing emails and ransomware”, according to the company’s website.
“The anti-phishing software includes an extensive range of customisable and regularly updated phishing templates and multilingual point-of-need learning experiences,” it added. “The reporting dashboard provides an in-depth analysis of specific phishing campaigns and identifies weaknesses within the organisation.”
Although it has only just been published, the company’s contract with CCS came into effect in October 2021. It runs for two years, is worth £8,000, and was awarded via the G-Cloud 12 framework.