Educause Security Discussion mailing list archives
Re: Initial Phishing Simulation - Do you tell them first?
From: David Eilken <david.eilken () DOMAIL MARICOPA EDU>
Date: Mon, 17 Jun 2019 10:29:36 -0700
Thanks All,

Great feedback all around. I'll let you know how it all turns out at the next InfoSec conference.

Best,
Dave

On Thu, Jun 13, 2019 at 11:03 AM Eric Sawyer <esawyer () nec edu> wrote:
> Dave,
>
> This is the 2nd org I've worked for that used KnowBe4 for phishing education. One in health care and now in higher ed. I find it an excellent tool for setting up and tailoring campaigns based on what's in the wild at the moment. For example, back when Equifax broke, I was able to inoculate the users to the scams that popped up. I've done the same for Hurricane Maria relief scams and others. I find that varying the timing of tests, the level of difficulty, and the info on the landing page helps to keep it useful.
>
> I agree with the approach others have mentioned. Never punitive. Keep it humorous, fun and educational. And it should only be one tool in the arsenal. Speak to new hires at orientation. Speak at the faculty and staff retreats. Hold a lunch and learn. I'm also having someone from the FBI speak about cyber awareness this fall. IT also has a blog and regular communications that address phishing, vishing, smishing, etc.
>
> On the issue of informing users, it shouldn't be your decision alone. I met with senior management to make the case and get their buy-in. In both cases, sr mgmt agreed that users were to be informed that testing would be done, the reasons behind it, the goals of the program. But they were not told when to expect it. In fact management wanted good data to justify the program and to demonstrate its effectiveness.
>
> We continue to run campaigns at least every quarter.
>
> Eric Sawyer
> Director of Technical Services
> New England College
--
DAVID EILKEN MA MBA CISSP-ISSMP CISM CRISC C|CISO
MARICOPA COMMUNITY COLLEGES
Information Security Officer | ITS
2411 West 14th Street, Tempe, AZ 85281
david.eilken () domail maricopa edu
https://www.maricopa.edu/
O: 480-784-0637
LinkedIn <https://linkedin.com/school/maricopa-community-colleges> | Twitter <https://twitter.com/mcccd> | Facebook <https://www.facebook.com/maricopa.edu>