Educause Security Discussion mailing list archives

Re: Phishing education rollout


From: Paul Chauvet <chauvetp () NEWPALTZ EDU>
Date: Fri, 5 Sep 2014 10:25:28 -0400

Hello Peter, 

We've been doing phishing simulations as part of our security training program for the past couple years. There are a 
few things that we've done here which have helped it be a great success with VERY few complaints. 

    1. We made sure to get the buy-in of our senior leadership (President, Provost and other VPs) beforehand. They 
made sure to attend (and be seen to attend) our in-person training sessions and are also included in the phishing 
simulations. By doing so, they are showing the importance of it to the college and that there is no one 'above' the 
training. 
    2. We make sure to communicate that anyone can fall for these without appropriate training and that users should 
not see it as a personal failing to fall for such a message but treat it as a teachable moment. 
    3. We've used positive reinforcement to thank users who consistently not only do not fall for phishing messages 
(real or simulated) but also report such messages. We occasionally send messages to these people thanking them for 
their contributions to making the sensitive information of the college safer. 
    4. When an occasional faculty member becomes angry and thinks that we are trying to trick them, we're honest with 
them. Yes - to some extent we are, but the criminals are doing so constantly. We are working not only to protect the 
college's data, but to protect individuals' personal data as well. 

The push back we've gotten has rarely been from our phishing simulations but from the interactive online training we 
require. There have been complaints that they just don't have enough time, that it is 'beneath' them, or that they 
would never fall for such. Usually a phone call with these people is enough to convince them of the importance of the 
training. Failing that, sending a few targeted spear phishing simulations to them either convinces me that they really 
are competent, or convinces them that perhaps they are not as invulnerable as they think. 

Paul Chauvet 
Information Security Officer 
State University of New York at New Paltz 

Phone: (845) 257-3828 
chauvetp () newpaltz edu 

----- Original Message -----

To coincide with NCSAM, we are planning on kicking off a 1-year
phishing education program. We're partnering with an external
company to execute the program and as we prep for the engagement,
one thing we keep hearing about is the risk of angering the user base,
having faculty go to the dean's council, administration going to
their VPs, and just general bad "press".

We have support from the top to proceed with the program and will
communicate to the target user base, but I’m wondering what others
have done for their rollouts, and just ways to ensure success in
this area.

Peter Lundstedt | Information Security Analyst
Drake Technology Services (DTS) | Drake University
