Our objective was to determine whether the Postal Service has an effective security posture to protect its Information Technology (IT) infrastructure from external cyberattacks and to prevent unauthorized access to restricted data.
In the past two years, 51 percent of organizations have experienced a cybersecurity incident that resulted in a significant disruption to their IT and business processes. With one of the largest IT networks in the world, the Postal Service faces ongoing cyberthreats and challenges that could negatively affect its customers, partners, and employees.
Ninety-one percent of cyberattacks weaponize email through phishing campaigns to gain unauthorized access to an organization's IT infrastructure. Phishing is an attack in which the attacker impersonates a trusted individual or organization to trick a victim into opening a malicious attachment, following a malicious link, or disclosing credentials. A security awareness program, including training and simulated phishing campaigns, is critical to supporting a strong security posture.
One way to test an organization's defenses against potential cyberattacks is a penetration test, in which trusted individuals use known attack methods to identify exploitable network vulnerabilities. Vulnerabilities identified through simulated phishing campaigns and penetration tests should be tracked by a vulnerability management program until each one has been remediated.
We contracted with a provider to conduct a simulated phishing campaign and an external penetration test targeting the Postal Service’s internet-facing systems from November 30, 2020, to February 9, 2021. We also reviewed the Postal Service’s information security awareness program.
Source: USPS Office of Inspector General