Educause Security Discussion mailing list archives

Re: Initial Phishing Simulation - Do you tell them first?


From: Eric Sawyer <esawyer () NEC EDU>
Date: Thu, 13 Jun 2019 17:53:11 +0000

Dave,

This is the second org I've worked for that used KnowBe4 for phishing education. One in health care and now in higher ed.
I find it an excellent tool for setting up and tailoring campaigns based on what's in the wild at the moment. For
example, back when Equifax broke, I was able to inoculate the users to the scams that popped up. I've done the same for
Hurricane Maria relief scams and others. I find that varying the timing of tests, the level of difficulty, and the info
on the landing page helps to keep it useful.

I agree with the approach others have mentioned. Never punitive. Keep it humorous, fun and educational. And it should 
only be one tool in the arsenal. Speak to new hires at orientation. Speak at the faculty and staff retreats. Hold a 
lunch and learn. I'm also having someone from the FBI speak about cyber awareness this fall. IT also has a blog and 
regular communications that address phishing, vishing, smishing, etc. 

On the issue of informing users, it shouldn't be your decision alone. I met with senior management to make the case and
get their buy-in. In both cases, senior management agreed that users were to be informed that testing would be done, the
reasons behind it, and the goals of the program. But they were not told when to expect it. In fact, management wanted good
data to justify the program and to demonstrate its effectiveness. We continue to run campaigns at least every quarter.

Eric Sawyer
Director of Technical Services
New England College
